MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d3fa691696a8909efdd54e5cd4bb8310aaa72a5b3a7628700e3404494214bda9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BazarCall


Vendor detections: 10



SHA256 hash: d3fa691696a8909efdd54e5cd4bb8310aaa72a5b3a7628700e3404494214bda9
SHA3-384 hash: ea2433fa4eb1d7166ec48f2c94415bd5ec115b8e1c608b09c34503a3d4b4fcc396fdc5118337259f66228958c7a8243c
SHA1 hash: 64c711c1b2d2297a17a548778f8bfa3ed7fae232
MD5 hash: b5cb5ac79b76d8db06f631e4ab461074
humanhash: iowa-single-item-double
File name: SecuriteInfo.com.TrojanDropper.Sysn.fyj.15394.3382
Signature: BazarCall
File size: 625,152 bytes
First seen: 2021-03-26 02:43:24 UTC
Last seen: 2021-04-01 03:16:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: caf450a960e7f9ebf1978c5af6aec15e (1 x BazarCall)
ssdeep: 12288:C+C6AqiwyTmO35P0bWHeeqcz6q8hpOG+WjsNTPokm:CYy6O30W+e61CpWjeTQf
Threatray: 91 similar samples on MalwareBazaar
TLSH: BED4AD57B2A48DB5E423D27A8993874AEA737C305B35D3CB1250A70E6F336E15D3A321
Reporter: SecuriteInfoCom
Tags: BazarCall

Intelligence


File Origin
# of uploads: 2
# of downloads: 146
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: dwug.exe
Verdict: Suspicious activity
Analysis date: 2021-03-25 23:59:46 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox; its verdict reflects all user actions taken during the session, not only the uploaded sample.
Result
Verdict: Malware
Behaviour
Changing a file
Sending a custom TCP request
Sending a UDP request
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: BazarBackdoor
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signature
Allocates memory in foreign processes
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Threat name: Win64.Trojan.Bazar
Status: Malicious
First seen: 2021-03-26 00:08:36 UTC
AV detection: 7 of 29 (24.14%)
Threat level: 5/5
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: d3fa691696a8909efdd54e5cd4bb8310aaa72a5b3a7628700e3404494214bda9
MD5 hash: b5cb5ac79b76d8db06f631e4ab461074
SHA1 hash: 64c711c1b2d2297a17a548778f8bfa3ed7fae232
Malware family: BazarLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar and against any suspicious process dumps those samples create during analysis. Note that only results from TLP:CLEAR rules are displayed.

Rule name: Cobalt_functions
Author: @j0sm1
Description: Detect functions coded with ROR edi,D; Detect CobaltStrike used by different APT groups
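The `ROR edi,D` the rule keys on is the rotate-right-by-13 step of the API-name hashing loop that Metasploit's block_api stub uses and that Cobalt Strike stagers inherit: instead of carrying import names, the shellcode walks the PEB module list, hashes each export name and compares it to a hard-coded 32-bit constant. The following added example (not code from MalwareBazaar, from the rule author or from this sample) reimplements that hash so a triager can turn those constants back into names, then runs a small scanner over a constructed byte fragment that contains the `ror edi, 13` encoding (`C1 CF 0D`) and two `push imm32` constants. The `CANDIDATES` list and the `SAMPLE` bytes are constructed for the demonstration and are assumptions, not data from the page.

```python
"""ROR-13 API hashing (Metasploit block_api style) plus a tiny scanner that
resolves hashed imports sitting near a `ror edi, 13` instruction.

Added example for illustration; the candidate API list and the sample byte
fragment below are constructed for the demo, not taken from the analysed file."""
import struct

# Exports a stager commonly resolves. Assumption: this short list is enough for
# the demo; real triage would feed the export tables of the relevant DLLs.
CANDIDATES = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "GetProcAddress"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "ExitProcess"),
    ("kernel32.dll", "WinExec"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "connect"),
    ("wininet.dll", "InternetOpenA"),
    ("wininet.dll", "InternetConnectA"),
    ("wininet.dll", "HttpOpenRequestA"),
    ("wininet.dll", "InternetReadFile"),
]


def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits (what `ror edi, 0xD` does)."""
    value &= 0xFFFFFFFF
    return ((value >> 13) | (value << 19)) & 0xFFFFFFFF


def hash_bytes(data: bytes) -> int:
    """The hashing loop: h = ror13(h) + next_byte, for every byte including
    the terminating null (the stub compares the byte only after adding it)."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & 0xFFFFFFFF
    return h


def api_hash(module: str, function: str) -> int:
    """Module name is uppercased UTF-16LE including its null terminator (the
    stub uses BaseDllName.MaximumLength); export name is ASCII including its
    null; the two partial hashes are summed modulo 2**32."""
    mod = (module.upper() + "\x00").encode("utf-16-le")
    fn = (function + "\x00").encode("ascii")
    return (hash_bytes(mod) + hash_bytes(fn)) & 0xFFFFFFFF


# Reverse lookup: hash constant -> "module!function"
HASH_TABLE = {api_hash(m, f): f"{m}!{f}" for m, f in CANDIDATES}

ROR_EDI_13 = b"\xc1\xcf\x0d"  # encoding of `ror edi, 0x0d` (32-bit x86)


def find_hashed_imports(blob: bytes, window: int = 64) -> dict:
    """Locate every `ror edi, 13`; within `window` bytes around each one,
    collect `push imm32` (68 xx xx xx xx) constants and try to resolve them.
    Returns {offset_of_push: (constant, resolved_name_or_None)}."""
    hits = {}
    idx = blob.find(ROR_EDI_13)
    while idx != -1:
        lo, hi = max(0, idx - window), min(len(blob), idx + window)
        pos = blob.find(b"\x68", lo, hi)
        while pos != -1 and pos + 5 <= len(blob):
            imm = struct.unpack_from("<I", blob, pos + 1)[0]
            hits[pos] = (imm, HASH_TABLE.get(imm))  # None = unknown hash
            pos = blob.find(b"\x68", pos + 1, hi)
        idx = blob.find(ROR_EDI_13, idx + 1)
    return hits


# Constructed stager-like fragment (not bytes from the analysed sample):
SAMPLE = b"".join([
    b"\x31\xff",                  # xor edi, edi
    b"\xac",                      # lodsb
    ROR_EDI_13,                   # ror edi, 13
    b"\x01\xc7",                  # add edi, eax
    b"\x68\x4c\x77\x26\x07",      # push 0x0726774C (kernel32.dll!LoadLibraryA)
    b"\x68\xef\xbe\xad\xde",      # push 0xDEADBEEF (not a known API hash)
])

if __name__ == "__main__":
    for off, (h, name) in sorted(find_hashed_imports(SAMPLE).items()):
        print(f"+0x{off:04x}: push 0x{h:08X} -> {name or 'unresolved'}")
```

The scanner is deliberately naive (any `0x68` byte near the rotate is treated as a push), so it is a triage aid for dumped shellcode, not a disassembler; unresolved constants are returned as `None` so they can be fed to a larger export list rather than silently dropped.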

File information


The table below shows additional information about this malware sample, such as its delivery method and external references.

Delivery method: Web download
Signature: BazarCall
File: Executable exe d3fa691696a8909efdd54e5cd4bb8310aaa72a5b3a7628700e3404494214bda9 (this sample)
Distributed via web download
