bazarbackdoor | 57b1478167911e633c9480852e6e8e87691c9f8a31201fbd25a70ab42c07808c

General

Target

home.exe
Size

675KB
MD5

7f82baf6acac3e3082e2c22c657e8c0c
SHA1

0b950d2be03ca5ab99c81cc629c434e980cd167a
SHA256

57b1478167911e633c9480852e6e8e87691c9f8a31201fbd25a70ab42c07808c
SHA512

83e1b81eed8656a56c8ff7b9f6e32c03a45e9518b9144d1fe7eda57ecc9898d3dcfeb703d195a4d9e3578ace25085764cf3ce9da68915273fcea0181866e9e61

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor 6 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

description	flow	ioc
HTTP URL	33	https://hotelmonteleone.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	35	https://lukeschicago.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	38	https://ukmedm.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	39	https://ukmedm.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	40	https://ukmedm.com/da05787325f3822fd6286484e0b8ce1d/4
HTTP URL	41	https://ukmedm.com/da05787325f3822fd6286484e0b8ce1d/2

Blacklisted process makes network request 6 IoCs

Processes:

cmd.exe

flow pid process

33 196 cmd.exe
35 196 cmd.exe
38 196 cmd.exe
39 196 cmd.exe
40 196 cmd.exe
41 196 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

home.exe

description pid process target process

PID 3936 set thread context of 196 3936 home.exe cmd.exe

flow	pid	process
33	196	cmd.exe
35	196	cmd.exe
38	196	cmd.exe
39	196	cmd.exe
40	196	cmd.exe
41	196	cmd.exe

description	pid	process	target process
PID 3936 set thread context of 196	3936	home.exe	cmd.exe

Suspicious use of WriteProcessMemory 851 IoCs

Processes:

home.exe

description	pid	process	target process
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe
PID 3936 wrote to memory of 196	3936	home.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\home.exe
"C:\Users\Admin\AppData\Local\Temp\home.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3936

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blacklisted process makes network request
PID:196

C:\Users\Admin\AppData\Local\Temp\home.exe
C:\Users\Admin\AppData\Local\Temp\home.exe 4202748185
1⤵
PID:2920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-4-0x00007FF648B80000-0x00007FF648BC4000-memory.dmp

Filesize
272KB

Download
memory/196-5-0x00007FF648B9DA28-mapping.dmp

Download
memory/196-6-0x00007FF648B80000-0x00007FF648BC4000-memory.dmp

Filesize
272KB

Download
memory/2920-3-0x0000000000460000-0x000000000048C000-memory.dmp

Filesize
176KB

Download
memory/3936-0-0x0000000001FB0000-0x0000000001FDC000-memory.dmp

Filesize
176KB

Download
memory/3936-1-0x0000000001FE0000-0x000000000200C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing