bazarbackdoor | e039822594278b0b37f3ceaa936cecc416197925407c13389b1d01b8be5a741b | Triage

Submit
Reports

Overview

overview

Static

static

8

bakjr.exe

windows7_x64

1

bakjr.exe

windows10_x64

subscripti...5.xlsb

windows7_x64

subscripti...5.xlsb

windows10_x64

Sharing

General

Target

2021-04-14-BazaLoader-spreadsheet-and-EXE.zip
Size

413KB
Sample

210415-efgkmy9912
MD5

8ab1d5ae46037c804366d0b5cd3d6b2f
SHA1

9ffb63957a63a68fccafb70e37eb9c023b55f919
SHA256

e039822594278b0b37f3ceaa936cecc416197925407c13389b1d01b8be5a741b
SHA512

78eb38a45c3395803794b8bb89f1dbd76396820c7fb5b7f9c72adceee85a32dd100c803160394973b529a99e34ba903c7e9a02c8bbc4ea5b24ade776095b5425

Score

10^/10

bazarbackdoor bazarloader nloader backdoor dropper loader macro xlm

Static task

static1

Behavioral task

behavioral1

Sample

bakjr.exe

Resource

win7v20210410

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

bakjr.exe

Resource

win10v20210408

bazarbackdoor bazarloader backdoor dropper loader

windows10_x64

0 signatures

0 seconds

Behavioral task

behavioral3

Sample

subscription_1618420095.xlsb

Resource

win7v20210410

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral4

Sample

subscription_1618420095.xlsb

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

xlm4.0

Source

Targets

- Target
  
  bakjr.exe
- Size
  
  248KB
- MD5
  
  bb5ef523f0bf243790b6c67dd77ee986
- SHA1
  
  cbfe325c2101c5f76a3675b23b459eeb641eecb6
- SHA256
  
  c51bf8c74311b8941dca2f63a0850e61c1058af6af0ac42d81c2d85cd64d37cb
- SHA512
  
  eb9ffe004187d6174cf0cc2f85184e5a524546e1bc7139c1f16147049eadbd92f94818ea618370450779753c87d8349efe255244eef2450e16f9446799cdeef2
Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
  loader dropper bazarloader
- BazarBackdoor
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  backdoor bazarbackdoor
- Bazar/Team9 Backdoor payload
- Bazar/Team9 Loader payload
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  subscription_1618420095.xlsb
- Size
  
  254KB
- MD5
  
  dc37192b5c4c8c4f94c73c18ce5e3829
- SHA1
  
  0aa6bb11a11dade2269d90b2781ed0a517362012
- SHA256
  
  db53f42e13d2685bd34dbc5c79fad637c9344e72e210ca05504420874e98c2a6
- SHA512
  
  3e8b179d8521fb33a46eeeca74bbda7a4e8a32f47b6195b17d62664dd2e31716261a61a495857ed08dbbc001a9eab8adec7133921179eb3df66c53e18c586d9a
Score

10^/10

nloader loader
- Nloader
  Simple loader that includes the keyword 'campo' in the URL used to download other families.
  loader nloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Nloader Payload
- Blocklisted process makes network request
- Loads dropped DLL
behavioral3 behavioral4

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

bazarbackdoorbazarloaderbackdoordropperloader

behavioral3

behavioral4

© 2018-2024

Terms | Privacy