bazarbackdoor | 57b1478167911e633c9480852e6e8e87691c9f8a31201fbd25a70ab42c07808c

General

Target

home.exe
Size

675KB
MD5

7f82baf6acac3e3082e2c22c657e8c0c
SHA1

0b950d2be03ca5ab99c81cc629c434e980cd167a
SHA256

57b1478167911e633c9480852e6e8e87691c9f8a31201fbd25a70ab42c07808c
SHA512

83e1b81eed8656a56c8ff7b9f6e32c03a45e9518b9144d1fe7eda57ecc9898d3dcfeb703d195a4d9e3578ace25085764cf3ce9da68915273fcea0181866e9e61

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor 6 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

description	flow	ioc
HTTP URL	43	https://ukmedm.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	44	https://ukmedm.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	45	https://ukmedm.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	46	https://ukmedm.com/da05787325f3822fd6286484e0b8ce1d/2
HTTP URL	39	https://hotelmonteleone.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	41	https://lukeschicago.com/da05787325f3822fd6286484e0b8ce1d/4

Blacklisted process makes network request 6 IoCs

Processes:

cmd.exe

flow pid process

39 4252 cmd.exe
41 4252 cmd.exe
43 4252 cmd.exe
44 4252 cmd.exe
45 4252 cmd.exe
46 4252 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

home.exe

description pid process target process

PID 4704 set thread context of 4252 4704 home.exe cmd.exe

flow	pid	process
39	4252	cmd.exe
41	4252	cmd.exe
43	4252	cmd.exe
44	4252	cmd.exe
45	4252	cmd.exe
46	4252	cmd.exe

description	pid	process	target process
PID 4704 set thread context of 4252	4704	home.exe	cmd.exe

Suspicious use of WriteProcessMemory 851 IoCs

Processes:

home.exe

description	pid	process	target process
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe
PID 4704 wrote to memory of 4252	4704	home.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\home.exe
"C:\Users\Admin\AppData\Local\Temp\home.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4704

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blacklisted process makes network request
PID:4252

C:\Users\Admin\AppData\Local\Temp\home.exe
C:\Users\Admin\AppData\Local\Temp\home.exe 2958443968
1⤵
PID:692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/692-3-0x0000000002000000-0x000000000202C000-memory.dmp

Filesize
176KB

Download
memory/4252-5-0x00007FF76C53DA28-mapping.dmp

Download
memory/4252-4-0x00007FF76C520000-0x00007FF76C564000-memory.dmp

Filesize
272KB

Download
memory/4252-6-0x00007FF76C520000-0x00007FF76C564000-memory.dmp

Filesize
272KB

Download
memory/4704-0-0x0000000000500000-0x000000000052C000-memory.dmp

Filesize
176KB

Download
memory/4704-1-0x0000000000530000-0x000000000055C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing