Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01-04-2021 03:26

General

  • Target

    61968c8debeae1e415a485c0b4d79b46.exe

  • Size

    285KB

  • MD5

    61968c8debeae1e415a485c0b4d79b46

  • SHA1

    59dd3058a18f6fe59a3951c6f119aaf89d52e30f

  • SHA256

    65b652b99cd7ed6bd82bd0f258b03a483e0da9f3314b67fe9728eca76c3d59a2

  • SHA512

    15ceac84b2a148eab343f2b7efdee863cf1d97c623592e52c02772d3e498e4c3fae4d8432c21a86dfa66c122e783d71e833218483e05e06016da56432434863e

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

  • Bazar/Team9 Loader payload 1 IoCs
  • Tries to connect to .bazar domain 64 IoCs

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

Processes

  • C:\Users\Admin\AppData\Local\Temp\61968c8debeae1e415a485c0b4d79b46.exe
    "C:\Users\Admin\AppData\Local\Temp\61968c8debeae1e415a485c0b4d79b46.exe"
    1⤵
      PID:496

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/496-2-0x00007FF65DED0000-0x00007FF65DF1A000-memory.dmp
      Filesize

      296KB

    • memory/496-3-0x0000000180000000-0x0000000180035000-memory.dmp
      Filesize

      212KB