bazarbackdoor | c486be4ea4d6785b739cffaa64573e897f26284e5b0971d5ce5ae2eae43a1930 | Triage

Analysis

max time kernel
150s
max time network
151s
platform
windows10_x64
resource
win10v20201028
submitted
08-11-2020 14:08

Sharing

Report Analysis Logs

General

Target

c486be4ea4d6785b739cffaa64573e897f26284e5b0971d5ce5ae2eae43a1930.exe
Size

243KB
MD5

c64e86d432038f1045d0c8cdc85e05ae
SHA1

e8e51f8717c377ca1063b8c38b0c69281977c805
SHA256

c486be4ea4d6785b739cffaa64573e897f26284e5b0971d5ce5ae2eae43a1930
SHA512

4c3f7ad76c082aefe4450d4978b605b8c372475abfe2105a51d11b99f9e46bc5972b4e7c0cdc5323f57a0656c5ce58fe757eaf97d69032185a2032436e3c59fd

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor 1 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Processes:

description flow ioc

HTTP URL 19 https://45.148.120.173/6ea5901ae1272735f9e012d6c17ecc4d/4

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description	flow	ioc
HTTP URL	312	https://api.opennicproject.org/geoip/
HTTP URL	384	https://api.opennicproject.org/geoip/
HTTP URL	28	https://api.opennicproject.org/geoip/
HTTP URL	99	https://api.opennicproject.org/geoip/
HTTP URL	170	https://api.opennicproject.org/geoip/
HTTP URL	241	https://api.opennicproject.org/geoip/

C:\Users\Admin\AppData\Local\Temp\c486be4ea4d6785b739cffaa64573e897f26284e5b0971d5ce5ae2eae43a1930.exe
"C:\Users\Admin\AppData\Local\Temp\c486be4ea4d6785b739cffaa64573e897f26284e5b0971d5ce5ae2eae43a1930.exe"
1⤵
PID:648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...