Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
01-04-2021 03:26
Static task
static1
Behavioral task
behavioral1
Sample
61968c8debeae1e415a485c0b4d79b46.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
61968c8debeae1e415a485c0b4d79b46.exe
Resource
win10v20201028
General
-
Target
61968c8debeae1e415a485c0b4d79b46.exe
-
Size
285KB
-
MD5
61968c8debeae1e415a485c0b4d79b46
-
SHA1
59dd3058a18f6fe59a3951c6f119aaf89d52e30f
-
SHA256
65b652b99cd7ed6bd82bd0f258b03a483e0da9f3314b67fe9728eca76c3d59a2
-
SHA512
15ceac84b2a148eab343f2b7efdee863cf1d97c623592e52c02772d3e498e4c3fae4d8432c21a86dfa66c122e783d71e833218483e05e06016da56432434863e
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 1 IoCs
resource yara_rule behavioral2/memory/496-3-0x0000000180000000-0x0000000180035000-memory.dmp BazarLoaderVar6 -
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
flow ioc 426 udguekvi.bazar 370 meveygre.bazar 365 ywuwekyw.bazar 234 evpaavom.bazar 298 waunekre.bazar 376 eksyekvi.bazar 61 meqywyvi.bazar 66 reovavvi.bazar 351 meuwwyre.bazar 280 meovavyw.bazar 397 ewuwwyre.bazar 108 ygguygom.bazar 197 yzuwavom.bazar 272 sovyekyw.bazar 452 udovygyw.bazar 288 yzheekre.bazar 93 avuwavvi.bazar 139 ywumwyvi.bazar 201 meynwyvi.bazar 245 toziavre.bazar 443 reumekre.bazar 113 ekynygvi.bazar 124 wyunwyom.bazar 146 meunavre.bazar 170 omsyavre.bazar 430 wyutwyyw.bazar 43 ersyygyw.bazar 72 eksyygvi.bazar 143 omunygvi.bazar 48 udynygvi.bazar 161 yruwavre.bazar 202 yrvyavom.bazar 211 avguekre.bazar 333 yrpawyom.bazar 357 onvewyom.bazar 215 yrumygom.bazar 227 sosuygyw.bazar 262 yrdyekre.bazar 110 ygvyekyw.bazar 299 viqiavre.bazar 407 ywunekom.bazar 164 viguekvi.bazar 328 viguekom.bazar 363 avguavyw.bazar 83 yrsuwyre.bazar 105 ekguwyre.bazar 320 onhewyyw.bazar 58 wasuavvi.bazar 361 tounwyre.bazar 86 onutekyw.bazar 115 waxyekvi.bazar 237 yzumwyvi.bazar 422 erumwyom.bazar 27 vacationinsydney.bazar 38 ekunwyyw.bazar 259 ygovekre.bazar 414 erqiygyw.bazar 69 soveavom.bazar 222 evsuavyw.bazar 303 ewguekom.bazar 219 reovavre.bazar 31 sydneynewtours.bazar 103 omheygvi.bazar 216 yrovwyre.bazar -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
description flow ioc HTTP URL 20 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8