Analysis
-
max time kernel
129s -
max time network
126s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
14/10/2020, 05:50
Static task
static1
Behavioral task
behavioral1
Sample
1 (4).exe
Resource
win7v200722
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
1 (4).exe
Resource
win10
0 signatures
0 seconds
General
-
Target
1 (4).exe
-
Size
2.1MB
-
MD5
9cd1f319f58c3979399c1779d5a34bc2
-
SHA1
5e231182bb592a76e989e0bab636eb5066ab9f20
-
SHA256
093f2b5a9d4628d9331751d7e6d3582cf097ab3f4091463ec895052dee8d22c3
-
SHA512
633da47509ab091d356dac14f3467c347c289eceeb56b6dd455cb11c1ba227b2c40d257c968c32288388eca72b8dc5f8def2124c3e571884e59e5e2fa8df22f3
Score
10/10
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Bazar/Team9 Backdoor payload 1 IoCs
resource yara_rule behavioral1/memory/1600-2-0x0000000140000000-0x0000000140043000-memory.dmp BazarBackdoorVar4 -
Bazar/Team9 Loader payload 2 IoCs
resource yara_rule behavioral1/memory/1304-0-0x00000000005E0000-0x0000000000628000-memory.dmp BazarLoaderVar4 behavioral1/memory/1304-1-0x0000000180000000-0x000000018004D000-memory.dmp BazarLoaderVar4 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1304 set thread context of 1600 1304 1 (4).exe 28 -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 1304 1 (4).exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1304 wrote to memory of 1600 1304 1 (4).exe 28 PID 1304 wrote to memory of 1600 1304 1 (4).exe 28 PID 1304 wrote to memory of 1600 1304 1 (4).exe 28 PID 1304 wrote to memory of 1600 1304 1 (4).exe 28 PID 1304 wrote to memory of 1600 1304 1 (4).exe 28 PID 1304 wrote to memory of 1600 1304 1 (4).exe 28 PID 1304 wrote to memory of 1600 1304 1 (4).exe 28 PID 1304 wrote to memory of 1600 1304 1 (4).exe 28 PID 1304 wrote to memory of 1600 1304 1 (4).exe 28 PID 1304 wrote to memory of 1600 1304 1 (4).exe 28 PID 1304 wrote to memory of 1600 1304 1 (4).exe 28