Analysis
-
max time kernel
126s -
max time network
126s -
platform
windows10_x64 -
resource
win10 -
submitted
14/10/2020, 05:50
Static task
static1
Behavioral task
behavioral1
Sample
1 (4).exe
Resource
win7v200722
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
1 (4).exe
Resource
win10
0 signatures
0 seconds
General
-
Target
1 (4).exe
-
Size
2.1MB
-
MD5
9cd1f319f58c3979399c1779d5a34bc2
-
SHA1
5e231182bb592a76e989e0bab636eb5066ab9f20
-
SHA256
093f2b5a9d4628d9331751d7e6d3582cf097ab3f4091463ec895052dee8d22c3
-
SHA512
633da47509ab091d356dac14f3467c347c289eceeb56b6dd455cb11c1ba227b2c40d257c968c32288388eca72b8dc5f8def2124c3e571884e59e5e2fa8df22f3
Score
10/10
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Bazar/Team9 Backdoor payload 1 IoCs
resource yara_rule behavioral2/memory/1380-2-0x0000000140000000-0x0000000140043000-memory.dmp BazarBackdoorVar4 -
Bazar/Team9 Loader payload 2 IoCs
resource yara_rule behavioral2/memory/976-0-0x0000000000750000-0x0000000000798000-memory.dmp BazarLoaderVar4 behavioral2/memory/976-1-0x0000000180000000-0x000000018004D000-memory.dmp BazarLoaderVar4 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 976 set thread context of 1380 976 1 (4).exe 76 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 976 1 (4).exe 976 1 (4).exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 976 wrote to memory of 1380 976 1 (4).exe 76 PID 976 wrote to memory of 1380 976 1 (4).exe 76 PID 976 wrote to memory of 1380 976 1 (4).exe 76 PID 976 wrote to memory of 1380 976 1 (4).exe 76 PID 976 wrote to memory of 1380 976 1 (4).exe 76 PID 976 wrote to memory of 1380 976 1 (4).exe 76 PID 976 wrote to memory of 1380 976 1 (4).exe 76 PID 976 wrote to memory of 1380 976 1 (4).exe 76 PID 976 wrote to memory of 1380 976 1 (4).exe 76 PID 976 wrote to memory of 1380 976 1 (4).exe 76