bazarbackdoor | c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5

General

Target

c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe
Size

15.1MB
MD5

e7f0ad7c8740f34c7e8758234852693b
SHA1

1d9335624cae52fa452cb5bf735a447606a617c0
SHA256

c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5
SHA512

b7bdc5dd1feb6a33bbb64f5f5d514126e3d523e7b78927d32207028c64639b56817d7e6661557b2cb62d01bdd40ec18226f0d5f24f8d1b245448a6dba75b4dc9

Score

10^/10

backdoor bazarbackdoor

Malware Config

Signatures

BazarBackdoor 4 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

description	flow	ioc
HTTP URL	16	https://bigjamg.xyz/e23162ea80ec21eefb8502e6aee22143/4
HTTP URL	17	https://bigjamg.xyz/e23162ea80ec21eefb8502e6aee22143/4
HTTP URL	18	https://bigjamg.xyz/e23162ea80ec21eefb8502e6aee22143/4
HTTP URL	19	https://bigjamg.xyz/e23162ea80ec21eefb8502e6aee22143/2

Blacklisted process makes network request 4 IoCs

Processes:

cmd.exe

flow pid process

16 2064 cmd.exe
17 2064 cmd.exe
18 2064 cmd.exe
19 2064 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe

description pid process target process

PID 384 set thread context of 2064 384 c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe cmd.exe

flow	pid	process
16	2064	cmd.exe
17	2064	cmd.exe
18	2064	cmd.exe
19	2064	cmd.exe

description	pid	process	target process
PID 384 set thread context of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe

Suspicious use of WriteProcessMemory 851 IoCs

Processes:

c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe

description	pid	process	target process
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe
PID 384 wrote to memory of 2064	384	c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe
"C:\Users\Admin\AppData\Local\Temp\c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:384

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blacklisted process makes network request
PID:2064

C:\Users\Admin\AppData\Local\Temp\c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe
C:\Users\Admin\AppData\Local\Temp\c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5.exe 4129359232
1⤵
PID:1248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/384-0-0x0000000003400000-0x000000000342D000-memory.dmp

Filesize
180KB

Download
memory/384-1-0x0000000140000000-0x000000014002E000-memory.dmp

Filesize
184KB

Download
memory/2064-4-0x00007FF76DAA0000-0x00007FF76DAE4000-memory.dmp

Filesize
272KB

Download
memory/2064-5-0x00007FF76DABD968-mapping.dmp

Download
memory/2064-6-0x00007FF76DAA0000-0x00007FF76DAE4000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing