210c46aae3d71ecbac79447d124d895dded804c08342b17258cd4b400b0bebe0

Resubmissions

08-04-2021 06:31

210408-rf4c3mtwdx 10

07-04-2021 04:47

210407-l95ennpj9x 8

Analysis

max time kernel
150s
max time network
152s
platform
windows10_x64
resource
win10v20201028
submitted
07-04-2021 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dl8.exe
Size

271KB
MD5

0a6e27aa3415f502af6585bddf7e0d3e
SHA1

a8bdb01ef8a6e75ec200c5d4f6d9f32539dca9f2
SHA256

210c46aae3d71ecbac79447d124d895dded804c08342b17258cd4b400b0bebe0
SHA512

abd3b3d4e6251fe5231bf45186b43cb1d4aa5dc36fd79e71e4bf010d9adfbf2c6837d4606795be97a00911cd5d06326d7ed38656dbe7827ed33a59b0f140d479

Score

8^/10

Malware Config

Signatures

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
64	rareanimalsofcanada18.bazar
119	rareanimalsofcanada18.bazar
122	rareanimalsofcanada18.bazar
93	rareanimalsofcanada18.bazar
124	rareanimalsofcanada18.bazar
41	rareanimalsofcanada18.bazar
70	rareanimalsofcanada18.bazar
79	rareanimalsofcanada18.bazar
89	rareanimalsofcanada18.bazar
102	rareanimalsofcanada18.bazar
117	rareanimalsofcanada18.bazar
54	wildwinternature.bazar
58	coldmountainsanimals.bazar
59	coldmountainsanimals.bazar
92	rareanimalsofcanada18.bazar
97	rareanimalsofcanada18.bazar
48	wildwinternature.bazar
62	coldmountainsanimals.bazar
66	rareanimalsofcanada18.bazar
78	rareanimalsofcanada18.bazar
88	rareanimalsofcanada18.bazar
109	rareanimalsofcanada18.bazar
126	rareanimalsofcanada18.bazar
91	rareanimalsofcanada18.bazar
94	rareanimalsofcanada18.bazar
103	rareanimalsofcanada18.bazar
105	rareanimalsofcanada18.bazar
39	rareanimalsofcanada18.bazar
63	rareanimalsofcanada18.bazar
73	rareanimalsofcanada18.bazar
77	rareanimalsofcanada18.bazar
71	rareanimalsofcanada18.bazar
112	rareanimalsofcanada18.bazar
115	rareanimalsofcanada18.bazar
123	rareanimalsofcanada18.bazar
44	rareanimalsofcanada18.bazar
51	wildwinternature.bazar
61	coldmountainsanimals.bazar
67	rareanimalsofcanada18.bazar
90	rareanimalsofcanada18.bazar
113	rareanimalsofcanada18.bazar
47	wildwinternature.bazar
49	wildwinternature.bazar
53	wildwinternature.bazar
69	rareanimalsofcanada18.bazar
130	rareanimalsofcanada18.bazar
55	coldmountainsanimals.bazar
98	rareanimalsofcanada18.bazar
99	rareanimalsofcanada18.bazar
106	rareanimalsofcanada18.bazar
40	rareanimalsofcanada18.bazar
96	rareanimalsofcanada18.bazar
100	rareanimalsofcanada18.bazar
108	rareanimalsofcanada18.bazar
72	rareanimalsofcanada18.bazar
74	rareanimalsofcanada18.bazar
80	rareanimalsofcanada18.bazar
84	rareanimalsofcanada18.bazar
56	coldmountainsanimals.bazar
57	coldmountainsanimals.bazar
60	coldmountainsanimals.bazar
65	rareanimalsofcanada18.bazar
131	rareanimalsofcanada18.bazar
46	rareanimalsofcanada18.bazar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 32 https://api.opennicproject.org/geoip/?bare&ipv=4

description	flow	ioc
HTTP URL	32	https://api.opennicproject.org/geoip/?bare&ipv=4

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

dl8.exe

description	pid	process	target process
PID 1144 wrote to memory of 1660	1144	dl8.exe	dl8.exe
PID 1144 wrote to memory of 1660	1144	dl8.exe	dl8.exe
PID 1144 wrote to memory of 1660	1144	dl8.exe	dl8.exe

C:\Users\Admin\AppData\Local\Temp\dl8.exe
"C:\Users\Admin\AppData\Local\Temp\dl8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1144

C:\Users\Admin\AppData\Local\Temp\dl8.exe
"C:\Users\Admin\AppData\Local\Temp\dl8.exe"
2⤵
PID:1660

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\VideoLAN\VLC\NEWS.txt
1⤵
PID:2036

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1144-2-0x000001DDDB3D0000-0x000001DDDB400000-memory.dmp

Filesize
192KB

Download
memory/1660-3-0x0000000000000000-mapping.dmp

Download
memory/1660-4-0x00000149AFF70000-0x00000149AFFA0000-memory.dmp

Filesize
192KB

Download