bazarbackdoor | c4ccfce36f30f5461c6d3a0eaf66c2fb5c520dfeafbbfe40805f0dbe638bf8e6

General

Target

c4539adb4566822ab8dfe45aa3d5ca63.bin.exe
Size

414KB
MD5

c4539adb4566822ab8dfe45aa3d5ca63
SHA1

921d255b8ff71329451315dbf4ce41729a33465e
SHA256

665d2cbbe026c961b1506f5d45205959c817c7b69af4106a40e74186cee6eb94
SHA512

4be038710a63341c865183e607a597eb8065779f03d0d4471da28aab4bc4735d6cecb47f11d0da19e5bdf1692e923f8c6e15ac0ec85819ca40aadfaf4ece9987

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2044-118-0x00007FF7DC690000-0x00007FF7DC6E1000-memory.dmp	BazarBackdoorVar4
behavioral2/memory/2044-119-0x00007FF7DC6B4554-mapping.dmp	BazarBackdoorVar4
behavioral2/memory/2044-120-0x00007FF7DC690000-0x00007FF7DC6E1000-memory.dmp	BazarBackdoorVar4

Blocklisted process makes network request 4 IoCs

Processes:

cmd.exe

flow pid process

20 2044 cmd.exe
23 2044 cmd.exe
24 2044 cmd.exe
25 2044 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

c4539adb4566822ab8dfe45aa3d5ca63.bin.exe

description pid process target process

PID 640 set thread context of 2044 640 c4539adb4566822ab8dfe45aa3d5ca63.bin.exe cmd.exe

flow	pid	process
20	2044	cmd.exe
23	2044	cmd.exe
24	2044	cmd.exe
25	2044	cmd.exe

description	pid	process	target process
PID 640 set thread context of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

c4539adb4566822ab8dfe45aa3d5ca63.bin.exe

pid	process
640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe
640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe
640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe
640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe
640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe
640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c4539adb4566822ab8dfe45aa3d5ca63.bin.exe

description	pid	process	target process
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe
PID 640 wrote to memory of 2044	640	c4539adb4566822ab8dfe45aa3d5ca63.bin.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c4539adb4566822ab8dfe45aa3d5ca63.bin.exe
"C:\Users\Admin\AppData\Local\Temp\c4539adb4566822ab8dfe45aa3d5ca63.bin.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blocklisted process makes network request
PID:2044

C:\Users\Admin\AppData\Local\Temp\c4539adb4566822ab8dfe45aa3d5ca63.bin.exe
C:\Users\Admin\AppData\Local\Temp\c4539adb4566822ab8dfe45aa3d5ca63.bin.exe 1954597929
1⤵
PID:3488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/640-114-0x00000286474B0000-0x00000286474EE000-memory.dmp

Filesize
248KB

Download
memory/2044-118-0x00007FF7DC690000-0x00007FF7DC6E1000-memory.dmp

Filesize
324KB

Download
memory/2044-119-0x00007FF7DC6B4554-mapping.dmp

Download
memory/2044-120-0x00007FF7DC690000-0x00007FF7DC6E1000-memory.dmp

Filesize
324KB

Download
memory/3488-116-0x0000017911730000-0x000001791176E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads