General
-
Target
2021-04-07-BazaLoader-malware-and-artifacts.zip
-
Size
558KB
-
Sample
210408-5wn1eg76y6
-
MD5
79504ee399da4dcd08e91404878c13ec
-
SHA1
4b3bf6815944f74a82a183c4ce21eebac1a250da
-
SHA256
8287e916655be8dabc37550610daa219f5d5351eb8521da64ee9a22f9af7b5e4
-
SHA512
c88b0b7ca1bfe2a9cbb107dfced15e1ddf78d40c24408010fb8b91991ed15df6a6e7d750fe1ed2460eaaaa21f796dd5cc3123e7252eaedffeb4afdf776439068
Behavioral task
behavioral1
Sample
14118.biy.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
14118.biy.dll
Resource
win10v20201028
Behavioral task
behavioral3
Sample
14118.xlsb
Resource
win7v20201028
Behavioral task
behavioral4
Sample
14118.xlsb
Resource
win10v20201028
Behavioral task
behavioral5
Sample
B24C.tmp.dll
Resource
win7v20201028
Behavioral task
behavioral6
Sample
B24C.tmp.dll
Resource
win10v20201028
Behavioral task
behavioral7
Sample
NZM32A4.exe
Resource
win7v20201028
Behavioral task
behavioral8
Sample
NZM32A4.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
subscription_1617817060.xlsb
Resource
win7v20201028
Behavioral task
behavioral10
Sample
subscription_1617817060.xlsb
Resource
win10v20201028
Behavioral task
behavioral11
Sample
thqsg.exe
Resource
win7v20201028
Behavioral task
behavioral12
Sample
thqsg.exe
Resource
win10v20201028
Malware Config
Extracted
cobaltstrike
windows/download_exec
http://smollpush.com:443/jquery-3.3.2.slim.min.js
Extracted
cobaltstrike
http://smollpush.com:443/jquery-3.3.1.min.js
-
access_type
512
-
beacon_type
2048
-
host
smollpush.com,/jquery-3.3.1.min.js
-
http_header1
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
-
http_header2
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
-
http_method1
GET
-
http_method2
POST
-
jitter
9472
-
polling_time
45000
-
port_number
443
-
sc_process32
%windir%\syswow64\dllhost.exe
-
sc_process64
%windir%\sysnative\dllhost.exe
-
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbe+02Ud/juhqbqhjsncHYLOR6MZNiBCycXGj2BZDxOc26CglUSVgOZlGLzO43QJBZyUCnY7D4XuJuFBb9k4dg9DuyZNrY8AigHPYgEZ8KtbPzEryuZbk+BuYpbR/YYjhKW+929s2L6YWk3jppq4/7G3lBvnfZlYXUEKZQQk8SWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
unknown1
4.234810624e+09
-
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-
uri
/jquery-3.3.2.min.js
-
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
Extracted
Targets
-
-
Target
14118.biy
-
Size
42KB
-
MD5
64ee7574265691eb7636af9de468ce11
-
SHA1
66486c4d36d82d0c2eaefe4d6cf170224b1fb1af
-
SHA256
df16b3c76350f340988759cc21a78a7cf16831f08e95eb7592b86942859f863a
-
SHA512
6a2d2b1c19bfe05af7457d5faf61f1bcaebed1955f3210b62c187a51242f4fd565b479be38e36facbda9ef45d3f80d41e491e550bef027ad33d33e851970de70
Score 8/10
-
Blocklisted process makes network request
-
-
-
Target
14118.xlsb
-
Size
56KB
-
MD5
317dfc2b5b8ced1ca8f228b251081eaf
-
SHA1
0d0c90c11e9413e38d1b7af7632022ca32af58dd
-
SHA256
5d75b97d969ff3eb4459e9bf5d21d650667e9094f527744c7384241d77a0281e
-
SHA512
be7a6bc219a6523c70b7701f269e933720f3cc7fef8a277cc03d781d56f660a97c950f1fbcc3f26270fae597128b3847233d8608964ba4789e3be8163401883b
Score 1/10
-
-
-
Target
B24C.tmp.dll
-
Size
258KB
-
MD5
6f1ba217f598f69832d4bc961f9d10f9
-
SHA1
488ca142f1bbe9fdaed78af7632ee8a299dcb3ff
-
SHA256
7a020c1642d0e16a664bbab7234d0398616f4e90188cc2fba6e040b52b4e299b
-
SHA512
d918188bd48b30935de8aa1f2b1a0325bf514602e0a03a0193332eb8a2a3426b0f93183d861e1f6b8c02e98cf4f28ef741de51e7c722adcd654c8af8b3e2d7af
Score 10/10
-
Blocklisted process makes network request
-
-
-
Target
NZM32A4.exe
-
Size
98KB
-
MD5
c41188e4415567a1465712a6c85331a6
-
SHA1
2cbf699017e281693a517ff3c9e78f34e4126d6c
-
SHA256
efb6ef1dffa3bc6f3b7796be4f5681b9da6a243b09029c2381b4009bf6b6eb3d
-
SHA512
f46005717396e13624ca420fe7e8c0d4b132e47485b3684a74ce3c83e253387ce3fd8b234d4e1a592540dd342f3af8046a89d41ecc21dbe83051594b378c218f
Score 10/10
-
Bazar/Team9 Loader payload
-
-
-
Target
subscription_1617817060.xlsb
-
Size
249KB
-
MD5
e1edead6d69e4c33cf44904ef2bd0b0f
-
SHA1
e357ddf5ece78bac5666462c264a736230ef239f
-
SHA256
c76bb9443baff9e799b3b1cd7c4bd18759ff17acf50f2c3e6f9970caf3015a8f
-
SHA512
806d031cb21545d39cf32818467c924471d6f37328eff8ecd990253ea7bef2659bd723098ef918af77c5f91715ca5240398f6f09f25e8d57ed093bfb7d06529f
Score 10/10
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Blocklisted process makes network request
-
Loads dropped DLL
-
-
-
Target
thqsg.exe
-
Size
98KB
-
MD5
c41188e4415567a1465712a6c85331a6
-
SHA1
2cbf699017e281693a517ff3c9e78f34e4126d6c
-
SHA256
efb6ef1dffa3bc6f3b7796be4f5681b9da6a243b09029c2381b4009bf6b6eb3d
-
SHA512
f46005717396e13624ca420fe7e8c0d4b132e47485b3684a74ce3c83e253387ce3fd8b234d4e1a592540dd342f3af8046a89d41ecc21dbe83051594b378c218f
Score 10/10
-
Bazar/Team9 Loader payload
-