bazarbackdoor | c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5

General

Target

c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe
Size

15.1MB
MD5

e7f0ad7c8740f34c7e8758234852693b
SHA1

1d9335624cae52fa452cb5bf735a447606a617c0
SHA256

c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5
SHA512

b7bdc5dd1feb6a33bbb64f5f5d514126e3d523e7b78927d32207028c64639b56817d7e6661557b2cb62d01bdd40ec18226f0d5f24f8d1b245448a6dba75b4dc9

Score

10^/10

backdoor bazarbackdoor

Malware Config

Signatures

BazarBackdoor 4 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

description	flow	ioc
HTTP URL	18	https://bigjamg.xyz/f57f86c4bfa3702d46ba9d6ca684937b/4
HTTP URL	19	https://bigjamg.xyz/f57f86c4bfa3702d46ba9d6ca684937b/2
HTTP URL	15	https://bigjamg.xyz/f57f86c4bfa3702d46ba9d6ca684937b/4
HTTP URL	17	https://bigjamg.xyz/f57f86c4bfa3702d46ba9d6ca684937b/4

Blacklisted process makes network request 4 IoCs

Processes:

cmd.exe

flow pid process

15 1956 cmd.exe
17 1956 cmd.exe
18 1956 cmd.exe
19 1956 cmd.exe

flow	pid	process
15	1956	cmd.exe
17	1956	cmd.exe
18	1956	cmd.exe
19	1956	cmd.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exec1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe

description	pid	process	target process
PID 1248 set thread context of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1964 set thread context of 1088	1964	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe

Suspicious use of WriteProcessMemory 1704 IoCs

Processes:

c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe

description	pid	process	target process
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 1248 wrote to memory of 1956	1248	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe
"C:\Users\Admin\AppData\Local\Temp\c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe"
1⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blacklisted process makes network request
PID:1956

C:\Users\Admin\AppData\Local\Temp\c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe
C:\Users\Admin\AppData\Local\Temp\c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe 436627563
1⤵
- Suspicious use of SetThreadContext
PID:1964

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
PID:1088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-9-0x000000004A69D968-mapping.dmp

Download
memory/1248-0-0x00000000012C0000-0x00000000012ED000-memory.dmp

Filesize
180KB

Download
memory/1248-1-0x0000000140000000-0x000000014002E000-memory.dmp

Filesize
184KB

Download
memory/1628-2-0x000007FEF7FA0000-0x000007FEF821A000-memory.dmp

Filesize
2.5MB

Download
memory/1956-3-0x000000004A680000-0x000000004A6C4000-memory.dmp

Filesize
272KB

Download
memory/1956-4-0x000000004A69D968-mapping.dmp

Download
memory/1956-5-0x000000004A680000-0x000000004A6C4000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads