Resubmissions

08-01-2021 20:20

210108-d7nz4lexjx 10

08-01-2021 19:57

210108-pczb4ap9b2 10

08-01-2021 18:59

210108-nq3nfzhbb2 10

General

  • Target

    file.exe

  • Size

    550KB

  • Sample

    210108-pczb4ap9b2

  • MD5

    8a528ec7943727678bac5b9f1b74627a

  • SHA1

    05cbef6bd0992e3532a3c597957f821140b61b94

  • SHA256

    d362c83e5a6701f9ae70c16063d743ea9fe6983d0c2b9aa2c2accf2d8ba5cb38

  • SHA512

    1826277c68ed8a3ae957ec5286d59717445f1c50a471fb45f50197cbce9cd4e1eb602c40ca8218a5e7e2e145112e21c43f45ccb9d7c82fa6e933a83697bfe587

Malware Config

Targets

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • Bazar/Team9 Loader payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Discovery

Remote System Discovery

2
T1018

Process Discovery

1
T1057

Tasks