bazarbackdoor | 54c3e01a3dee75c7137c63a25915b7bec1876a8fc65047eff99b97d9ca6cd5c6

Analysis

Target

SecuriteInfo.com.A.16433.exe
Size

253KB
MD5

f58843af873716aeee6e9e74ff8918ca
SHA1

8fb3aba6f5610c465e6fa4f87638fc706b2bcf63
SHA256

54c3e01a3dee75c7137c63a25915b7bec1876a8fc65047eff99b97d9ca6cd5c6
SHA512

3dc3413064112266ac303a2691c024c40fb914593e0622cb970ea367b5f03d60a7355f0a37064e5da4369dc4c7e545c7df7272943ffc6007f0cbede2cfafbd19

Score

10^/10

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

1636 cmd.exe
1636 cmd.exe

pid	process
1636	cmd.exe
1636	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1636 wrote to memory of 1584	1636	cmd.exe	rtynplnp.exe
PID 1636 wrote to memory of 1584	1636	cmd.exe	rtynplnp.exe
PID 1636 wrote to memory of 1584	1636	cmd.exe	rtynplnp.exe

Executes dropped EXE 1 IoCs

Processes:

rtynplnp.exe

pid process

1584 rtynplnp.exe
BazarBackdoor
Stealthy backdoor targetting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

pid	process
1584	rtynplnp.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.A.16433.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.A.16433.exe"
1⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\rtynplnp.exe
"C:\Users\Admin\AppData\Local\Temp\rtynplnp.exe" -z {20F00099-19EE-4E23-BE8B-3E77BBF6151E}
2⤵
- Executes dropped EXE
PID:1584

C:\Users\Admin\AppData\Local\Temp\rtynplnp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\rtynplnp.exe

Download Submit
\Users\Admin\AppData\Local\Temp\rtynplnp.exe

Download Submit
memory/1448-0-0x00000000001F0000-0x0000000000211000-memory.dmp

Filesize
132KB

Download
memory/1584-3-0x0000000000000000-mapping.dmp

Download
memory/1584-4-0x0000000000000000-mapping.dmp

Download
memory/1584-6-0x0000000000410000-0x0000000000431000-memory.dmp

Filesize
132KB

Download