MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d21d616f6052e8b62292fcc6d9fd9ee2a3b549c59ca76aa8ef5a96cd163512ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown
Vendor detections: 8



SHA256 hash: d21d616f6052e8b62292fcc6d9fd9ee2a3b549c59ca76aa8ef5a96cd163512ac
SHA3-384 hash: 8162ca3f96ec29b9adad0c5f016819305db3c0de8ba7d87afae2bc1f91d253b4fa46ca46cb5de38c6120e1c3d20a2351
SHA1 hash: 82e1a3868eff88753fe30abedf7c83620aaddd13
MD5 hash: 9a4ef0169f86641aa99017049de272f5
humanhash: pasta-spring-india-kitten
File name: tpJBFL.bin
File size: 219'136 bytes
First seen: 2022-01-20 15:31:19 UTC
Last seen: 2022-01-20 18:04:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7c661725970e2285630167e2c43a72e6
ssdeep: 6144:VW2ARP1XewB7c6waMtO507a3DXx3FqcZSV:VWdRcwNC1o58afqcZSV
Threatray: 447 similar samples on MalwareBazaar
TLSH: T16324CF08B2D90078DD2796748A639507EABB7C216B24AFEF03A54371DD3F3D5113AB62
Reporter: ffforward
Tags: BazaLoader BazarLoader bin dll exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 259
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour: DNS request; Sending a custom TCP request

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour: MalwareBazaar; MeasuringTime; EvasionQueryPerformanceCounter; CheckCmdLine

Result
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signatures:
  Creates an autostart registry key pointing to binary in C:\Windows
  Injects a PE file into a foreign process
  Modifies the context of a thread in another process (thread injection)
  Multi AV Scanner detection for submitted file
  Sigma detected: Suspicious Call by Ordinal
  Sigma detected: Suspicious Svchost Process
  Sigma detected: UNC2452 Process Creation Patterns
  Uses cmd line tools excessively to alter registry or file data
  Uses ping.exe to check the status of other devices and networks
  Uses ping.exe to sleep
Behaviour
Behavior Graph (ID 556985, sample tpJBFL.bin, start date 20/01/2022, architecture WINDOWS, score 88), reconstructed from the rendered graph as a process tree. Signatures are shown in brackets after the process that triggered them; signatures attached to the root node apply to the whole run:

[root]  [Multi AV Scanner detection for submitted file; Sigma detected: UNC2452 Process Creation Patterns; Sigma detected: Suspicious Call by Ordinal; Sigma detected: Suspicious Svchost Process]
├─ loaddll64.exe
│  ├─ rundll32.exe
│  │  └─ cmd.exe
│  │     ├─ rundll32.exe
│  │     │  ├─ cmd.exe  [Uses cmd line tools excessively to alter registry or file data]
│  │     │  │  ├─ reg.exe  [Creates an autostart registry key pointing to binary in C:\Windows]
│  │     │  │  └─ conhost.exe
│  │     │  └─ cmd.exe  [Uses ping.exe to sleep]
│  │     │     ├─ PING.EXE  -> 192.0.2.244 (unknown, Reserved)
│  │     │     ├─ conhost.exe
│  │     │     └─ rundll32.exe
│  │     ├─ conhost.exe
│  │     └─ timeout.exe
│  ├─ cmd.exe  [Uses ping.exe to sleep; Uses cmd line tools excessively to alter registry or file data; Uses ping.exe to check the status of other devices and networks]
│  │  └─ rundll32.exe
│  ├─ rundll32.exe
│  │  ├─ cmd.exe
│  │  │  ├─ rundll32.exe
│  │  │  ├─ conhost.exe
│  │  │  └─ timeout.exe
│  │  └─ svchost.exe
│  └─ 6 other processes
├─ rundll32.exe  [Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign process]
│  ├─ cmd.exe
│  │  ├─ conhost.exe
│  │  └─ reg.exe
│  └─ cmd.exe
│     ├─ conhost.exe
│     └─ reg.exe
└─ rundll32.exe
Result
Threat name: Win64.Spyware.Bazarloader
Status: Suspicious
First seen: 2022-01-20 15:32:14 UTC
File Type: PE+ (Dll)
Extracted files: 1
AV detection: 15 of 28 (53.57%)
Threat level: 2/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour: Suspicious use of WriteProcessMemory

Unpacked files
SHA256 hash: d21d616f6052e8b62292fcc6d9fd9ee2a3b549c59ca76aa8ef5a96cd163512ac
MD5 hash: 9a4ef0169f86641aa99017049de272f5
SHA1 hash: 82e1a3868eff88753fe30abedf7c83620aaddd13
Please note that we are no longer able to provide a coverage score for Virus Total.
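The sandbox signatures above (ping.exe used as a sleep, ping.exe used to probe another host, a Run key pointing into C:\Windows, heavy reg.exe use, the "Suspicious Call by Ordinal" and "Suspicious Svchost Process" Sigma hits) can all be re-derived from ordinary process-creation telemetry. The script below is an added example, not MalwareBazaar's code and not any sandbox vendor's rule logic: it runs simple heuristics over a constructed set of events modelled on the behaviour graph. The command lines, the export ordinal #1, the Run-key value name Updater, the loopback ping count and the REG_THRESHOLD of 3 are assumptions for illustration, not data from this sample; the only values taken from the page are the process names, the parent/child relations and the 192.0.2.244 target. Note that the sandbox drove the sample through loaddll64.exe and rundll32.exe, which is consistent with the PE+ (Dll) file type one vendor reports and the dll tag, despite the "Executable exe" label in the header.

```python
"""Re-derive the sandbox signatures listed above from process-creation events.

Added example, not MalwareBazaar or sandbox code. The events are constructed to
mirror the report's behaviour graph (they are not real telemetry), and the
heuristics approximate the signature names rather than any vendor's rule logic.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


# Constructed events; pids reuse the node ids of the behaviour graph where one exists.
EVENTS = [
    Proc(10, 2,  "loaddll64.exe", r'loaddll64.exe "C:\Users\user\Desktop\tpJBFL.dll"'),
    Proc(22, 10, "rundll32.exe",  r'rundll32.exe "C:\Users\user\Desktop\tpJBFL.dll",#1'),
    Proc(36, 22, "svchost.exe",   r"C:\Windows\System32\svchost.exe -k netsvcs"),
    Proc(24, 12, "cmd.exe",       r"cmd.exe /c reg add HKCU\Software\Example /v a /d 1 /f"),
    Proc(40, 24, "reg.exe",       r"reg add HKCU\Software\Example /v a /d 1 /f"),
    Proc(44, 26, "reg.exe",       r"reg add HKCU\Software\Example /v b /d 2 /f"),
    Proc(58, 46, "cmd.exe",       r'cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Windows\tpJBFL.dll" /f'),
    Proc(63, 58, "reg.exe",       r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Windows\tpJBFL.dll" /f'),
    Proc(61, 46, "cmd.exe",       r'cmd.exe /c ping -n 5 127.0.0.1 > nul & rundll32.exe "C:\Windows\tpJBFL.dll",#1'),
    Proc(68, 61, "ping.exe",      r"ping -n 5 127.0.0.1"),
    Proc(69, 61, "ping.exe",      r"ping -n 1 192.0.2.244"),
]

TOKEN = re.compile(r'"[^"]*"|\S+')           # split on whitespace, keep quoted paths whole
RUN_KEY = re.compile(r"\\currentversion\\run(once)?$", re.I)
ORDINAL = re.compile(r",\s*#\d+")             # rundll32 "<dll>,#<n>" export-by-ordinal syntax
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
REG_THRESHOLD = 3                             # assumed: reg.exe launches that count as "excessive"


def tokens(cmdline):
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def arg_after(toks, flag):
    """Value following a case-insensitive flag such as /d or -n, or None."""
    low = [t.lower() for t in toks]
    if flag not in low or low.index(flag) + 1 >= len(toks):
        return None
    return toks[low.index(flag) + 1]


def detect(events):
    """Return (pid, finding) pairs; pid is None for the run-wide reg.exe count."""
    by_pid = {p.pid: p for p in events}
    hits = []
    for p in events:
        parent = by_pid.get(p.ppid)
        toks = tokens(p.cmdline)
        if p.image == "rundll32.exe" and ORDINAL.search(p.cmdline):
            hits.append((p.pid, "rundll32 export called by ordinal"))
        if p.image == "svchost.exe" and (parent is None or parent.image != "services.exe"):
            hits.append((p.pid, "svchost.exe not started by services.exe"))
        if p.image == "ping.exe":
            target, count = toks[-1], arg_after(toks, "-n")
            # A loopback ping chained with '&' inside a cmd.exe one-liner is a delay, not a probe.
            if target in LOOPBACK and parent and parent.image == "cmd.exe" and "&" in parent.cmdline:
                hits.append((p.pid, f"ping.exe used as sleep ({count} echo requests to {target})"))
            elif target not in LOOPBACK:
                hits.append((p.pid, f"ping.exe used to probe {target}"))
        if p.image == "reg.exe" and len(toks) > 2 and toks[1].lower() == "add":
            value = arg_after(toks, "/d")
            if RUN_KEY.search(toks[2]) and value and value.lower().startswith("c:\\windows\\"):
                hits.append((p.pid, f"autostart Run key points into C:\\Windows: {value}"))
    reg_launches = sum(1 for p in events if p.image == "reg.exe")
    if reg_launches >= REG_THRESHOLD:
        hits.append((None, f"{reg_launches} reg.exe launches (threshold {REG_THRESHOLD})"))
    return hits


if __name__ == "__main__":
    for pid, finding in detect(EVENTS):
        print(f"{pid if pid is not None else '-':>4}  {finding}")
```

The sleep heuristic deliberately requires the loopback ping to be chained with another command in its cmd.exe parent; a bare `ping 127.0.0.1` from an interactive shell is common benign activity, and the parent's command line is what separates the two. The svchost check is the core of the public Sigma rule of that name (svchost.exe whose parent is not services.exe); production rules add exclusions that this example omits.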

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Executable exe d21d616f6052e8b62292fcc6d9fd9ee2a3b549c59ca76aa8ef5a96cd163512ac (this sample)

Delivery method: Distributed via web download

Comments