bazarbackdoor | 57b1478167911e633c9480852e6e8e87691c9f8a31201fbd25a70ab42c07808c

General

Target

home.exe
Size

675KB
MD5

7f82baf6acac3e3082e2c22c657e8c0c
SHA1

0b950d2be03ca5ab99c81cc629c434e980cd167a
SHA256

57b1478167911e633c9480852e6e8e87691c9f8a31201fbd25a70ab42c07808c
SHA512

83e1b81eed8656a56c8ff7b9f6e32c03a45e9518b9144d1fe7eda57ecc9898d3dcfeb703d195a4d9e3578ace25085764cf3ce9da68915273fcea0181866e9e61

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor 6 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

description	flow	ioc
HTTP URL	47	https://ukmedm.com/6ea5901ae1272735f9e012d6c17ecc4d/4
HTTP URL	48	https://ukmedm.com/6ea5901ae1272735f9e012d6c17ecc4d/2
HTTP URL	41	https://hotelmonteleone.com/6ea5901ae1272735f9e012d6c17ecc4d/4
HTTP URL	43	https://lukeschicago.com/6ea5901ae1272735f9e012d6c17ecc4d/4
HTTP URL	45	https://ukmedm.com/6ea5901ae1272735f9e012d6c17ecc4d/4
HTTP URL	46	https://ukmedm.com/6ea5901ae1272735f9e012d6c17ecc4d/4

Blacklisted process makes network request 6 IoCs

Processes:

cmd.exe

flow pid process

41 188 cmd.exe
43 188 cmd.exe
45 188 cmd.exe
46 188 cmd.exe
47 188 cmd.exe
48 188 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

home.exe

description pid process target process

PID 412 set thread context of 188 412 home.exe cmd.exe

flow	pid	process
41	188	cmd.exe
43	188	cmd.exe
45	188	cmd.exe
46	188	cmd.exe
47	188	cmd.exe
48	188	cmd.exe

description	pid	process	target process
PID 412 set thread context of 188	412	home.exe	cmd.exe

Suspicious use of WriteProcessMemory 851 IoCs

Processes:

home.exe

description	pid	process	target process
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe
PID 412 wrote to memory of 188	412	home.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\home.exe
"C:\Users\Admin\AppData\Local\Temp\home.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blacklisted process makes network request
PID:188

C:\Users\Admin\AppData\Local\Temp\home.exe
C:\Users\Admin\AppData\Local\Temp\home.exe 340944805
1⤵
PID:3716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/188-5-0x00007FF60071DA28-mapping.dmp

Download
memory/188-4-0x00007FF600700000-0x00007FF600744000-memory.dmp

Filesize
272KB

Download
memory/188-6-0x00007FF600700000-0x00007FF600744000-memory.dmp

Filesize
272KB

Download
memory/412-0-0x0000000001FC0000-0x0000000001FEC000-memory.dmp

Filesize
176KB

Download
memory/412-1-0x0000000001FF0000-0x000000000201C000-memory.dmp

Filesize
176KB

Download
memory/3716-3-0x0000000001FD0000-0x0000000001FFC000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing