bazarbackdoor | 0d468fc1b02bbc7c3050c67e0a80b580c69abd8eea5f8dad06c7d7ff396f7789

General

Target

8d35e058f5631c80b00dd695511878e3.exe
Size

12.0MB
MD5

8d35e058f5631c80b00dd695511878e3
SHA1

8103299196efabec8ec0fc1d25f1332241b93220
SHA256

0d468fc1b02bbc7c3050c67e0a80b580c69abd8eea5f8dad06c7d7ff396f7789
SHA512

be5a25d3a6d1ead76fcb7e72a5150e2ba267354e2fedfd646a823cb096ed24132cc44b2d5cc2c926aed7ce01179d76ceb4d57a2b8e03950cb9d844a2704ca6f7

Score

10^/10

backdoor bazarbackdoor

Malware Config

Signatures

BazarBackdoor 4 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

description	flow	ioc
HTTP URL	16	https://bigjamg.xyz/f57f86c4bfa3702d46ba9d6ca684937b/2
HTTP URL	13	https://bigjamg.xyz/f57f86c4bfa3702d46ba9d6ca684937b/4
HTTP URL	14	https://bigjamg.xyz/f57f86c4bfa3702d46ba9d6ca684937b/4
HTTP URL	15	https://bigjamg.xyz/f57f86c4bfa3702d46ba9d6ca684937b/4

Blacklisted process makes network request 4 IoCs

Processes:

cmd.exe

flow pid process

13 1112 cmd.exe
14 1112 cmd.exe
15 1112 cmd.exe
16 1112 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

8d35e058f5631c80b00dd695511878e3.exe

description pid process target process

PID 1516 set thread context of 1112 1516 8d35e058f5631c80b00dd695511878e3.exe cmd.exe

flow	pid	process
13	1112	cmd.exe
14	1112	cmd.exe
15	1112	cmd.exe
16	1112	cmd.exe

description	pid	process	target process
PID 1516 set thread context of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

8d35e058f5631c80b00dd695511878e3.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	8d35e058f5631c80b00dd695511878e3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	8d35e058f5631c80b00dd695511878e3.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8d35e058f5631c80b00dd695511878e3.exe8d35e058f5631c80b00dd695511878e3.exe

pid process

1516 8d35e058f5631c80b00dd695511878e3.exe
1492 8d35e058f5631c80b00dd695511878e3.exe

pid	process
1516	8d35e058f5631c80b00dd695511878e3.exe
1492	8d35e058f5631c80b00dd695511878e3.exe

Suspicious use of WriteProcessMemory 852 IoCs

Processes:

8d35e058f5631c80b00dd695511878e3.exe

description	pid	process	target process
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 1516 wrote to memory of 1112	1516	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8d35e058f5631c80b00dd695511878e3.exe
"C:\Users\Admin\AppData\Local\Temp\8d35e058f5631c80b00dd695511878e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blacklisted process makes network request
PID:1112

C:\Users\Admin\AppData\Local\Temp\8d35e058f5631c80b00dd695511878e3.exe
C:\Users\Admin\AppData\Local\Temp\8d35e058f5631c80b00dd695511878e3.exe 621077893
1⤵
- Suspicious use of SetWindowsHookEx
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-5-0x0000000049EC0000-0x0000000049F04000-memory.dmp

Filesize
272KB

Download
memory/1112-6-0x0000000049EDD968-mapping.dmp

Download
memory/1112-7-0x0000000049EC0000-0x0000000049F04000-memory.dmp

Filesize
272KB

Download
memory/1492-4-0x0000000001D00000-0x0000000001D2E000-memory.dmp

Filesize
184KB

Download
memory/1516-0-0x0000000001D40000-0x0000000001D6D000-memory.dmp

Filesize
180KB

Download
memory/1516-1-0x0000000001D70000-0x0000000001D9E000-memory.dmp

Filesize
184KB

Download
memory/1628-2-0x000007FEF8560000-0x000007FEF87DA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads