Analysis Overview
SHA256
a3b2528b5e31ab1b82e68247a90ddce9a1237b2994ec739beb096f71d58e3d5b
Threat Level: Known bad
The file 1 (8) was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
BazarBackdoor
Bazar/Team9 Backdoor payload
Bazar/Team9 Loader payload
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2021-04-08 14:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-10-14 05:50
Reported
2020-10-14 05:52
Platform
win7
Max time kernel
128s
Max time network
136s
Command Line
Signatures
Bazar Loader
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1440 set thread context of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\1 (8).exe | C:\Windows\system32\cmd.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1 (8).exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1 (8).exe
"C:\Users\Admin\AppData\Local\Temp\1 (8).exe"
C:\Windows\system32\cmd.exe
"cmd"
Network
| Country | Destination | Domain | Proto |
| N/A | 34.221.202.231:443 | 34.221.202.231 | tcp |
| N/A | 34.221.202.231:443 | 34.221.202.231 | tcp |
| N/A | 34.221.202.231:443 | 34.221.202.231 | tcp |
Files
memory/1440-0-0x0000000000730000-0x0000000000778000-memory.dmp
memory/1440-1-0x0000000180000000-0x000000018004D000-memory.dmp
memory/1936-2-0x0000000140000000-0x0000000140043000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-10-14 05:50
Reported
2020-10-14 05:52
Platform
win10v200722
Max time kernel
126s
Max time network
129s
Command Line
Signatures
Bazar Loader
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1568 set thread context of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\1 (8).exe | C:\Windows\SYSTEM32\cmd.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1 (8).exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1 (8).exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1 (8).exe
"C:\Users\Admin\AppData\Local\Temp\1 (8).exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd"
Network
| Country | Destination | Domain | Proto |
| N/A | 34.221.202.231:443 | N/A | tcp |
| N/A | 34.221.202.231:443 | N/A | tcp |
| N/A | 34.221.202.231:443 | N/A | tcp |
Files
memory/1568-0-0x0000000000750000-0x0000000000798000-memory.dmp
memory/1568-1-0x0000000180000000-0x000000018004D000-memory.dmp
memory/3068-2-0x0000000140000000-0x0000000140043000-memory.dmp