bazarbackdoor | 0d468fc1b02bbc7c3050c67e0a80b580c69abd8eea5f8dad06c7d7ff396f7789

General

Target

8d35e058f5631c80b00dd695511878e3.exe
Size

12.0MB
MD5

8d35e058f5631c80b00dd695511878e3
SHA1

8103299196efabec8ec0fc1d25f1332241b93220
SHA256

0d468fc1b02bbc7c3050c67e0a80b580c69abd8eea5f8dad06c7d7ff396f7789
SHA512

be5a25d3a6d1ead76fcb7e72a5150e2ba267354e2fedfd646a823cb096ed24132cc44b2d5cc2c926aed7ce01179d76ceb4d57a2b8e03950cb9d844a2704ca6f7

Score

10^/10

backdoor bazarbackdoor

Malware Config

Signatures

BazarBackdoor 4 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

description	flow	ioc
HTTP URL	16	https://bigjamg.xyz/e23162ea80ec21eefb8502e6aee22143/4
HTTP URL	18	https://bigjamg.xyz/e23162ea80ec21eefb8502e6aee22143/4
HTTP URL	19	https://bigjamg.xyz/e23162ea80ec21eefb8502e6aee22143/4
HTTP URL	20	https://bigjamg.xyz/e23162ea80ec21eefb8502e6aee22143/2

Blacklisted process makes network request 4 IoCs

Processes:

cmd.exe

flow pid process

16 1296 cmd.exe
18 1296 cmd.exe
19 1296 cmd.exe
20 1296 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

8d35e058f5631c80b00dd695511878e3.exe

description pid process target process

PID 3828 set thread context of 1296 3828 8d35e058f5631c80b00dd695511878e3.exe cmd.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8d35e058f5631c80b00dd695511878e3.exe8d35e058f5631c80b00dd695511878e3.exe

pid process

3828 8d35e058f5631c80b00dd695511878e3.exe
824 8d35e058f5631c80b00dd695511878e3.exe

flow	pid	process
16	1296	cmd.exe
18	1296	cmd.exe
19	1296	cmd.exe
20	1296	cmd.exe

description	pid	process	target process
PID 3828 set thread context of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe

pid	process
3828	8d35e058f5631c80b00dd695511878e3.exe
824	8d35e058f5631c80b00dd695511878e3.exe

Suspicious use of WriteProcessMemory 851 IoCs

Processes:

8d35e058f5631c80b00dd695511878e3.exe

description	pid	process	target process
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe
PID 3828 wrote to memory of 1296	3828	8d35e058f5631c80b00dd695511878e3.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\8d35e058f5631c80b00dd695511878e3.exe
"C:\Users\Admin\AppData\Local\Temp\8d35e058f5631c80b00dd695511878e3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blacklisted process makes network request
PID:1296

C:\Users\Admin\AppData\Local\Temp\8d35e058f5631c80b00dd695511878e3.exe
C:\Users\Admin\AppData\Local\Temp\8d35e058f5631c80b00dd695511878e3.exe 3636727457
1⤵
- Suspicious use of SetWindowsHookEx
PID:824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/824-3-0x0000000000460000-0x000000000048E000-memory.dmp

Filesize
184KB

Download
memory/1296-4-0x00007FF6EAA50000-0x00007FF6EAA94000-memory.dmp

Filesize
272KB

Download
memory/1296-5-0x00007FF6EAA6D968-mapping.dmp

Download
memory/1296-6-0x00007FF6EAA50000-0x00007FF6EAA94000-memory.dmp

Filesize
272KB

Download
memory/3828-0-0x0000000000430000-0x000000000045D000-memory.dmp

Filesize
180KB

Download
memory/3828-1-0x0000000000490000-0x00000000004BE000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing