Analysis Overview
SHA256
093f2b5a9d4628d9331751d7e6d3582cf097ab3f4091463ec895052dee8d22c3
Threat Level: Known bad
The file 1 (4) was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
BazarBackdoor
Bazar/Team9 Backdoor payload
Bazar/Team9 Loader payload
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-04-08 14:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-10-14 05:50
Reported
2020-10-14 05:52
Platform
win7v200722
Max time kernel
129s
Max time network
126s
Command Line
Signatures
Bazar Loader
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1304 set thread context of 1600 | N/A | C:\Users\Admin\AppData\Local\Temp\1 (4).exe | C:\Windows\system32\cmd.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1 (4).exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\1 (4).exe | "C:\Users\Admin\AppData\Local\Temp\1 (4).exe" |
| C:\Windows\system32\cmd.exe | "cmd" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 34.221.202.231:443 | 34.221.202.231 | tcp |
| N/A | 34.221.202.231:443 | 34.221.202.231 | tcp |
| N/A | 34.221.202.231:443 | 34.221.202.231 | tcp |
Files
memory/1304-0-0x00000000005E0000-0x0000000000628000-memory.dmp
memory/1304-1-0x0000000180000000-0x000000018004D000-memory.dmp
memory/1600-2-0x0000000140000000-0x0000000140043000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-10-14 05:50
Reported
2020-10-14 05:52
Platform
win10
Max time kernel
126s
Max time network
126s
Command Line
Signatures
Bazar Loader
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 976 set thread context of 1380 | N/A | C:\Users\Admin\AppData\Local\Temp\1 (4).exe | C:\Windows\SYSTEM32\cmd.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1 (4).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1 (4).exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\1 (4).exe | "C:\Users\Admin\AppData\Local\Temp\1 (4).exe" |
| C:\Windows\SYSTEM32\cmd.exe | "cmd" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 34.221.202.231:443 | 34.221.202.231 | tcp |
| N/A | 34.221.202.231:443 | 34.221.202.231 | tcp |
| N/A | 34.221.202.231:443 | 34.221.202.231 | tcp |
Files
memory/976-0-0x0000000000750000-0x0000000000798000-memory.dmp
memory/976-1-0x0000000180000000-0x000000018004D000-memory.dmp
memory/1380-2-0x0000000140000000-0x0000000140043000-memory.dmp