MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e99a54ca11fd5e27c5085c24304103a348fa2a550ea1fa934fca541551c511d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazarCall


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e99a54ca11fd5e27c5085c24304103a348fa2a550ea1fa934fca541551c511d6
SHA3-384 hash: 88c3d3cc910f342cc24b9117dc44389c86d7bfc09210c8fceb40c95cc223c3c9bd8de346e82d313dd0eea8b133a6144c
SHA1 hash: 151ce4abe902587339658da0c2c058028a530660
MD5 hash: a488537f1d95f3cbd78790059dd13bcf
humanhash: leopard-indigo-asparagus-nebraska
File name:a488537f1d95f3cbd78790059dd13bcf.exe
Download: download sample
Signature BazarCall
Create hunting rule
File size:257'536 bytes
First seen:2021-03-22 20:20:49 UTC
Last seen:2021-04-01 03:28:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 142a8e54de622ab77c88a3ee58cbd4d4 (1 x BazarCall)
ssdeep 6144:CDOhjlT17PRzdGjL9KyFpVfTu0t6H81hQGdisBwI9rmm:zhjlT1xMP9KcB3TisBwIp
Threatray 121 similar samples on MalwareBazaar
TLSH 7644BF78B6143CD6E67F5277CA96BDDD13723663998BE8CC8064ABC305A3335EE06804
Reporter abuse_ch
Tags:BazarCall exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a488537f1d95f3cbd78790059dd13bcf.exe
Verdict:
No threats detected
Analysis date:
2021-03-22 20:37:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1ee40949-90f0-4ce4-8018-79d774064c1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/126285/
Detection(s):
SecuriteInfo.com.Variant.Razy.853896.16928.683.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/648639
Signature
Creates multiple autostart registry keys
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 373280 Sample: cD1m0MfljP.exe Startdate: 22/03/2021 Architecture: WINDOWS Score: 72 65 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->65 67 Multi AV Scanner detection for submitted file 2->67 11 cD1m0MfljP.exe 2->11         started        13 cmd.exe 1 2->13         started        16 cmd.exe 1 2->16         started        process3 signatures4 18 cmd.exe 1 11->18         started        79 Uses cmd line tools excessively to alter registry or file data 13->79 22 conhost.exe 13->22         started        24 reg.exe 1 13->24         started        process5 dnsIp6 57 8.8.7.7 GOOGLEUS United States 18->57 69 Uses ping.exe to sleep 18->69 71 Uses cmd line tools excessively to alter registry or file data 18->71 73 Uses ping.exe to check the status of other devices and networks 18->73 26 cD1m0MfljP.exe 18->26         started        28 PING.EXE 1 18->28         started        31 conhost.exe 18->31         started        signatures7 process8 signatures9 33 cmd.exe 1 26->33         started        77 Uses cmd line tools excessively to alter registry or file data 28->77 36 reg.exe 1 1 28->36         started        38 conhost.exe 28->38         started        process10 signatures11 61 Uses ping.exe to sleep 33->61 40 cD1m0MfljP.exe 1 33->40         started        43 conhost.exe 33->43         started        45 PING.EXE 1 33->45         started        63 Creates multiple autostart registry keys 36->63 process12 signatures13 75 Creates multiple autostart registry keys 40->75 47 cmd.exe 1 40->47         started        process14 signatures15 81 Uses ping.exe to sleep 47->81 50 cD1m0MfljP.exe 47->50         started        53 conhost.exe 47->53         started        55 PING.EXE 1 47->55         started        process16 dnsIp17 59 35.166.81.240, 443, 49728, 49741 AMAZON-02US United States 50->59
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e99a54ca11fd5e27c5085c24304103a348fa2a550ea1fa934fca541551c511d6/
Threat name:
Win64.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2021-03-22 19:29:43 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5gnfjsqr7vpcpriilqsdaqidunepuksvb2q7ve2pzjkbkuofchla._file
Verdict:
malicious
Similar samples:
1d25dcba3d5639e4275035eaab8f392fbd8e1c312aa3410da467e563223eef2d
BazarCall
26729effad95a8719e8716cb65aa5d5eb1ab255d4782f0d19471c1be963cffad
BazarCall
3483f717d6c9b903413aa6e1a66f771db14ff7563c4d81ec5b761f50aeea0ea2
BazarCall
461e6f9d0bff2b46c77cb78d2d885570b4f75a5b3b9d6ed9b01193970ccf24d1
BazarCall
624a74c9469e95f404baebd07a8c563baa38e752d391bca5e8894dbc87186388
BazarCall
64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece
BazarCall
8a0fbcde56a9a817c10b0fe5ae281f75385c2a28ca271d736484e689c104e96c
BazarCall
abe0c08037af3a6f1ee5f815c0c58d3c61aa8c4270ed432839872d0ea758b1bc
BazarCall
d362c83e5a6701f9ae70c16063d743ea9fe6983d0c2b9aa2c2accf2d8ba5cb38
BazarCall
e6f0206d99bc279a062e055582e2c452500d7067968e9de186d7d78ed158271d
BazarCall
+ 111 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210322-wjbzap2jcn/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Unpacked files
SH256 hash:
e99a54ca11fd5e27c5085c24304103a348fa2a550ea1fa934fca541551c511d6
MD5 hash:
a488537f1d95f3cbd78790059dd13bcf
SHA1 hash:
151ce4abe902587339658da0c2c058028a530660
Link:
https://www.unpac.me/results/87361d1d-931d-444d-a603-142b4ddc8d5e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e99a54ca11fd5e27c5085c24304103a348fa2a550ea1fa934fca541551c511d6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazarCall

Executable exe e99a54ca11fd5e27c5085c24304103a348fa2a550ea1fa934fca541551c511d6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1084392/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1084391/
  
URLhaus
https://urlhaus.abuse.ch/url/1084395/
  
URLhaus
https://urlhaus.abuse.ch/url/1084397/
  
URLhaus
https://urlhaus.abuse.ch/url/1084398/
  
URLhaus
https://urlhaus.abuse.ch/url/1084401/
Cape
Cape
https://www.capesandbox.com/analysis/126285/
  
URLhaus
https://urlhaus.abuse.ch/url/1084698/

Comments