bazarbackdoor | 09557d538aee094d168a4b4fb5174d742fe81dd59dd27e2eee078fb3f10d9017 | Triage

Analysis

max time kernel
128s
max time network
129s
platform
windows10_x64
resource
win10v200722
submitted
15-09-2020 20:31

Sharing

Report Analysis Logs

General

Target

Print_Preview.exe
Size

569KB
MD5

951acc18e4f14471f49235327e0c1ccc
SHA1

7fbe0b3af47957234f3fe22ae9de37ea7416c573
SHA256

09557d538aee094d168a4b4fb5174d742fe81dd59dd27e2eee078fb3f10d9017
SHA512

779b99299928b64eb777cec3c92364e1e7bb30f6192a88773d2521c6dc3a5000062a26418069819e4590b85d717041553aed214dc4ac68fa74825f6b565e25f7

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/64-11-0x0000000140000000-0x0000000140040000-memory.dmp	BazarBackdoorVar4

Suspicious use of SetThreadContext 1 IoCs

Processes:

Print_Preview.exe

description pid process target process

PID 2584 set thread context of 64 2584 Print_Preview.exe cmd.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Print_Preview.exe

pid process

2584 Print_Preview.exe
2584 Print_Preview.exe
2584 Print_Preview.exe
2584 Print_Preview.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

Print_Preview.exe

description	pid	process	target process
PID 2584 wrote to memory of 64	2584	Print_Preview.exe	cmd.exe
PID 2584 wrote to memory of 64	2584	Print_Preview.exe	cmd.exe
PID 2584 wrote to memory of 64	2584	Print_Preview.exe	cmd.exe
PID 2584 wrote to memory of 64	2584	Print_Preview.exe	cmd.exe
PID 2584 wrote to memory of 64	2584	Print_Preview.exe	cmd.exe
PID 2584 wrote to memory of 64	2584	Print_Preview.exe	cmd.exe
PID 2584 wrote to memory of 64	2584	Print_Preview.exe	cmd.exe
PID 2584 wrote to memory of 64	2584	Print_Preview.exe	cmd.exe
PID 2584 wrote to memory of 64	2584	Print_Preview.exe	cmd.exe
PID 2584 wrote to memory of 64	2584	Print_Preview.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Print_Preview.exe
"C:\Users\Admin\AppData\Local\Temp\Print_Preview.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SYSTEM32\cmd.exe
  "cmd"
  2⤵
  PID:64

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-11-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2584-0-0x0000000000500000-0x0000000000528000-memory.dmp

Filesize
160KB

Download
memory/2584-1-0x0000000180000000-0x000000018002A000-memory.dmp

Filesize
168KB

Download