bazarbackdoor | dbe15556f3ead1477d262e504d1e9c63346ef7f4b368eaa7f9b9ec41ee24a91b

General

Target

dbe15556f3ead1477d262e504d1e9c63346ef7f4b368eaa7f9b9ec41ee24a91b.exe
Size

138KB
MD5

f8a6a57565e96f36ad837adbc5e134b9
SHA1

f3a749602f84db021888f2c4dda1d2221697c9b0
SHA256

dbe15556f3ead1477d262e504d1e9c63346ef7f4b368eaa7f9b9ec41ee24a91b
SHA512

bebbddf4143faadd2f40377bde2bd3044b30132dcea6b47b791db6a98e5af431205243652d6bf51a3d08e5a59421c09aef03978eaa34e4dcba0390a787b2e588

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor 1 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Processes:

description flow ioc

HTTP URL 9 https://178.170.221.111/0119123668850797652500747914470946493774/2

description	flow	ioc
HTTP URL	9	https://178.170.221.111/0119123668850797652500747914470946493774/2

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
89	dcegjlddggjn.bazar
138	dcegjlddggjn.bazar
175	bdegjkbeggjm.bazar
111	dcegjlddggjn.bazar
181	bdegjkbeggjm.bazar
93	dcegjlddggjn.bazar
103	dcegjlddggjn.bazar
147	dcegjlddggjn.bazar
153	dcegjlddggjn.bazar
216	bdegjkbeggjm.bazar
238	ddehimdeghio.bazar
118	dcegjlddggjn.bazar
122	dcegjlddggjn.bazar
170	bdegjkbeggjm.bazar
185	bdegjkbeggjm.bazar
195	bdegjkbeggjm.bazar
108	dcegjlddggjn.bazar
172	bdegjkbeggjm.bazar
201	bdegjkbeggjm.bazar
204	bdegjkbeggjm.bazar
223	bdegjkbeggjm.bazar
119	dcegjlddggjn.bazar
161	bdegjkbeggjm.bazar
249	ddehimdeghio.bazar
94	dcegjlddggjn.bazar
109	dcegjlddggjn.bazar
112	dcegjlddggjn.bazar
177	bdegjkbeggjm.bazar
202	bdegjkbeggjm.bazar
188	bdegjkbeggjm.bazar
197	bdegjkbeggjm.bazar
213	bdegjkbeggjm.bazar
190	bdegjkbeggjm.bazar
245	ddehimdeghio.bazar
132	dcegjlddggjn.bazar
180	bdegjkbeggjm.bazar
211	bdegjkbeggjm.bazar
250	ddehimdeghio.bazar
252	ddehimdeghio.bazar
96	dcegjlddggjn.bazar
145	dcegjlddggjn.bazar
183	bdegjkbeggjm.bazar
193	bdegjkbeggjm.bazar
196	bdegjkbeggjm.bazar
227	ddehimdeghio.bazar
176	bdegjkbeggjm.bazar
123	dcegjlddggjn.bazar
127	dcegjlddggjn.bazar
240	ddehimdeghio.bazar
121	dcegjlddggjn.bazar
130	dcegjlddggjn.bazar
228	ddehimdeghio.bazar
254	ddehimdeghio.bazar
178	bdegjkbeggjm.bazar
198	bdegjkbeggjm.bazar
105	dcegjlddggjn.bazar
134	dcegjlddggjn.bazar
141	dcegjlddggjn.bazar
155	dcegjlddggjn.bazar
163	bdegjkbeggjm.bazar
171	bdegjkbeggjm.bazar
234	ddehimdeghio.bazar
241	ddehimdeghio.bazar
139	dcegjlddggjn.bazar

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

dbe15556f3ead1477d262e504d1e9c63346ef7f4b368eaa7f9b9ec41ee24a91b.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa22000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95	dbe15556f3ead1477d262e504d1e9c63346ef7f4b368eaa7f9b9ec41ee24a91b.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C	dbe15556f3ead1477d262e504d1e9c63346ef7f4b368eaa7f9b9ec41ee24a91b.exe

C:\Users\Admin\AppData\Local\Temp\dbe15556f3ead1477d262e504d1e9c63346ef7f4b368eaa7f9b9ec41ee24a91b.exe
"C:\Users\Admin\AppData\Local\Temp\dbe15556f3ead1477d262e504d1e9c63346ef7f4b368eaa7f9b9ec41ee24a91b.exe"
1⤵
- Modifies system certificate store
PID:932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads