bazarbackdoor | df25322be14f617652607a150c806b4ecb3a3317564755518b8100063b58a50e

General

Target

efdf344f4fdsdff.exe
Size

671KB
MD5

8f62ed60962df60d1d11c6e2a97a3a6e
SHA1

d7a80002dba75d642cd05f094110e147541f2058
SHA256

df25322be14f617652607a150c806b4ecb3a3317564755518b8100063b58a50e
SHA512

3b8b5dcf317eb0a5dd061832fa8bc6eb6b1aa290104423b02c3e9b6cd4a5744c1922010478603b545470f303ee4eb65f17d494a5e222b382cd922a7fd75f7080

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor 6 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

description	flow	ioc
HTTP URL	33	https://hotelmonteleone.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	35	https://lukeschicago.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	37	https://ukmedm.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	38	https://ukmedm.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	39	https://ukmedm.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	40	https://ukmedm.com/da05787325f3822fd6286484e0b8ce1d/2

Blacklisted process makes network request 6 IoCs

Processes:

cmd.exe

flow pid process

33 3504 cmd.exe
35 3504 cmd.exe
37 3504 cmd.exe
38 3504 cmd.exe
39 3504 cmd.exe
40 3504 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

efdf344f4fdsdff.exe

description pid process target process

PID 984 set thread context of 3504 984 efdf344f4fdsdff.exe cmd.exe

flow	pid	process
33	3504	cmd.exe
35	3504	cmd.exe
37	3504	cmd.exe
38	3504	cmd.exe
39	3504	cmd.exe
40	3504	cmd.exe

description	pid	process	target process
PID 984 set thread context of 3504	984	efdf344f4fdsdff.exe	cmd.exe

Suspicious use of WriteProcessMemory 851 IoCs

Processes:

efdf344f4fdsdff.exe

description	pid	process	target process
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe
PID 984 wrote to memory of 3504	984	efdf344f4fdsdff.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\efdf344f4fdsdff.exe
"C:\Users\Admin\AppData\Local\Temp\efdf344f4fdsdff.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blacklisted process makes network request
PID:3504

C:\Users\Admin\AppData\Local\Temp\efdf344f4fdsdff.exe
C:\Users\Admin\AppData\Local\Temp\efdf344f4fdsdff.exe 3307092196
1⤵
PID:2588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/984-0-0x0000000000500000-0x000000000052C000-memory.dmp

Filesize
176KB

Download
memory/984-1-0x0000000000530000-0x000000000055C000-memory.dmp

Filesize
176KB

Download
memory/3504-4-0x00007FF7B2070000-0x00007FF7B20B4000-memory.dmp

Filesize
272KB

Download
memory/3504-5-0x00007FF7B208DA28-mapping.dmp

Download
memory/3504-6-0x00007FF7B2070000-0x00007FF7B20B4000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing