Analysis
max time kernel: 150s
max time network: 152s
platform: windows10_x64
resource: win10v20201028
submitted: 07-04-2021 04:47
Static task: static1
Behavioral task: behavioral1
  Sample: dl8.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: dl8.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: dl8.exe
Size: 271KB
MD5: 0a6e27aa3415f502af6585bddf7e0d3e
SHA1: a8bdb01ef8a6e75ec200c5d4f6d9f32539dca9f2
SHA256: 210c46aae3d71ecbac79447d124d895dded804c08342b17258cd4b400b0bebe0
SHA512: abd3b3d4e6251fe5231bf45186b43cb1d4aa5dc36fd79e71e4bf010d9adfbf2c6837d4606795be97a00911cd5d06326d7ed38656dbe7827ed33a59b0f140d479
Score: 8/10
Malware Config
Signatures

Tries to connect to .bazar domain (64 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Processes:
flow  ioc
64    rareanimalsofcanada18.bazar
119   rareanimalsofcanada18.bazar
122   rareanimalsofcanada18.bazar
93    rareanimalsofcanada18.bazar
124   rareanimalsofcanada18.bazar
41    rareanimalsofcanada18.bazar
70    rareanimalsofcanada18.bazar
79    rareanimalsofcanada18.bazar
89    rareanimalsofcanada18.bazar
102   rareanimalsofcanada18.bazar
117   rareanimalsofcanada18.bazar
54    wildwinternature.bazar
58    coldmountainsanimals.bazar
59    coldmountainsanimals.bazar
92    rareanimalsofcanada18.bazar
97    rareanimalsofcanada18.bazar
48    wildwinternature.bazar
62    coldmountainsanimals.bazar
66    rareanimalsofcanada18.bazar
78    rareanimalsofcanada18.bazar
88    rareanimalsofcanada18.bazar
109   rareanimalsofcanada18.bazar
126   rareanimalsofcanada18.bazar
91    rareanimalsofcanada18.bazar
94    rareanimalsofcanada18.bazar
103   rareanimalsofcanada18.bazar
105   rareanimalsofcanada18.bazar
39    rareanimalsofcanada18.bazar
63    rareanimalsofcanada18.bazar
73    rareanimalsofcanada18.bazar
77    rareanimalsofcanada18.bazar
71    rareanimalsofcanada18.bazar
112   rareanimalsofcanada18.bazar
115   rareanimalsofcanada18.bazar
123   rareanimalsofcanada18.bazar
44    rareanimalsofcanada18.bazar
51    wildwinternature.bazar
61    coldmountainsanimals.bazar
67    rareanimalsofcanada18.bazar
90    rareanimalsofcanada18.bazar
113   rareanimalsofcanada18.bazar
47    wildwinternature.bazar
49    wildwinternature.bazar
53    wildwinternature.bazar
69    rareanimalsofcanada18.bazar
130   rareanimalsofcanada18.bazar
55    coldmountainsanimals.bazar
98    rareanimalsofcanada18.bazar
99    rareanimalsofcanada18.bazar
106   rareanimalsofcanada18.bazar
40    rareanimalsofcanada18.bazar
96    rareanimalsofcanada18.bazar
100   rareanimalsofcanada18.bazar
108   rareanimalsofcanada18.bazar
72    rareanimalsofcanada18.bazar
74    rareanimalsofcanada18.bazar
80    rareanimalsofcanada18.bazar
84    rareanimalsofcanada18.bazar
56    coldmountainsanimals.bazar
57    coldmountainsanimals.bazar
60    coldmountainsanimals.bazar
65    rareanimalsofcanada18.bazar
131   rareanimalsofcanada18.bazar
46    rareanimalsofcanada18.bazar

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
description  flow  ioc
HTTP URL     32    https://api.opennicproject.org/geoip/?bare&ipv=4

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: dl8.exe
description                         pid   process  target process
PID 1144 wrote to memory of 1660    1144  dl8.exe  dl8.exe
PID 1144 wrote to memory of 1660    1144  dl8.exe  dl8.exe
PID 1144 wrote to memory of 1660    1144  dl8.exe  dl8.exe
Processes

C:\Users\Admin\AppData\Local\Temp\dl8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dl8.exe"
  Signatures: Suspicious use of WriteProcessMemory
  Child process:
    C:\Users\Admin\AppData\Local\Temp\dl8.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dl8.exe"

C:\Windows\system32\NOTEPAD.EXE
  Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\VideoLAN\VLC\NEWS.txt

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding