bazarbackdoor | fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f

General

Target

fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe
Size

365KB
MD5

157e256ee99b5ae2eb0b4663ea3bd3ca
SHA1

11b315dab07ab1398962596770d9d26e46770f6a
SHA256

fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f
SHA512

1bad7c718c09082853559cac0863a63ae6a8ffb37ae2a31435ed603487f2197384b8ab8c055208d7f58716c3f6cd4942d0d4c0bae1673023cbf18fd49cbe1708

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader 4 IoCs

Detected loader normally used to deploy BazarBackdoor malware.

loader dropper bazarloader

Processes:

svchost.exe

description	flow	ioc
HTTP URL	14	https://85.143.221.85/api/v140
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe
HTTP URL	10	https://85.143.221.85/api/v138
HTTP URL	13	https://85.143.221.85/api/v138

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/500-2-0x0000000140000000-0x0000000140040000-memory.dmp	BazarBackdoorVar4
behavioral2/memory/500-3-0x0000000140017F2C-mapping.dmp	BazarBackdoorVar4
behavioral2/memory/500-4-0x0000000140000000-0x0000000140040000-memory.dmp	BazarBackdoorVar4

Tries to connect to .bazar domain 3 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

description flow ioc

HTTP URL 10 https://85.143.221.85/api/v138
HTTP URL 13 https://85.143.221.85/api/v138
HTTP URL 14 https://85.143.221.85/api/v140
Suspicious use of SetThreadContext 1 IoCs

Processes:

fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe

description pid process target process

PID 796 set thread context of 500 796 fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe cmd.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe

description	flow	ioc
HTTP URL	10	https://85.143.221.85/api/v138
HTTP URL	13	https://85.143.221.85/api/v138
HTTP URL	14	https://85.143.221.85/api/v140

description	pid	process	target process
PID 796 set thread context of 500	796	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe	cmd.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = a5e787be4f87d601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe

pid	process
796	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe
796	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeShutdownPrivilege 1504 svchost.exe
Token: SeCreatePagefilePrivilege 1504 svchost.exe

description	pid	process
Token: SeShutdownPrivilege	1504	svchost.exe
Token: SeCreatePagefilePrivilege	1504	svchost.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe

description	pid	process	target process
PID 796 wrote to memory of 500	796	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe	cmd.exe
PID 796 wrote to memory of 500	796	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe	cmd.exe
PID 796 wrote to memory of 500	796	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe	cmd.exe
PID 796 wrote to memory of 500	796	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe	cmd.exe
PID 796 wrote to memory of 500	796	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe	cmd.exe
PID 796 wrote to memory of 500	796	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe	cmd.exe
PID 796 wrote to memory of 500	796	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe	cmd.exe
PID 796 wrote to memory of 500	796	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe	cmd.exe
PID 796 wrote to memory of 500	796	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe	cmd.exe
PID 796 wrote to memory of 500	796	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe
"C:\Users\Admin\AppData\Local\Temp\fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\SYSTEM32\cmd.exe
  "cmd"
  2⤵
  PID:500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Bazar Loader
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1504

C:\Users\Admin\AppData\Local\Temp\fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe
"C:\Users\Admin\AppData\Local\Temp\fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe" -r {D448E590-4126-4AE1-9251-68D2CC94D128}
1⤵
PID:2960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/500-2-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/500-3-0x0000000140017F2C-mapping.dmp

Download
memory/500-4-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/796-0-0x000002EE0BEA0000-0x000002EE0BEBF000-memory.dmp

Filesize
124KB

Download
memory/796-1-0x0000000140000000-0x0000000140021000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads