bazarbackdoor | f82a3b15901da167017395e4158995302d01abbb9b7f259465eca8f66f42fb5c

General

Target

88da57ba_by_Libranalysis.xls
Size

293KB
MD5

88da57baad066838d62daa0d17658eb0
SHA1

c9d47b8cf3debfe3f714c6eb497829a8ad2bd1fc
SHA256

f82a3b15901da167017395e4158995302d01abbb9b7f259465eca8f66f42fb5c
SHA512

561401ec068bea4d1907ca81f66fceeb21d93fbca3e1fc1fafd6c68bc7df465dbaf988e4bbd8f38a54dceade57f12428b9ec20c5e5a43c45e4a1c662dc4919d0

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor 5 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

description	flow	ioc
HTTP URL	38	https://54.163.9.216/93b49dcd323cbe830a106929358e2763/4
HTTP URL	39	https://54.163.9.216/93b49dcd323cbe830a106929358e2763/4
HTTP URL	40	https://54.163.9.216/93b49dcd323cbe830a106929358e2763/4
HTTP URL	41	https://54.163.9.216/93b49dcd323cbe830a106929358e2763/2
HTTP URL	42	https://54.163.9.216/93b49dcd323cbe830a106929358e2763/3

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1344	1032	rundll32.exe	EXCEL.EXE

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.execmd.exe

flow pid process

33 3008 rundll32.exe
36 3008 rundll32.exe
37 3008 rundll32.exe
38 3964 cmd.exe
39 3964 cmd.exe
40 3964 cmd.exe
41 3964 cmd.exe
42 3964 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3008 rundll32.exe
3868 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3008 set thread context of 3964 3008 rundll32.exe cmd.exe

flow	pid	process
33	3008	rundll32.exe
36	3008	rundll32.exe
37	3008	rundll32.exe
38	3964	cmd.exe
39	3964	cmd.exe
40	3964	cmd.exe
41	3964	cmd.exe
42	3964	cmd.exe

pid	process
3008	rundll32.exe
3868	rundll32.exe

description	pid	process	target process
PID 3008 set thread context of 3964	3008	rundll32.exe	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1032 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE
1032	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exe

description	pid	process	target process
PID 1032 wrote to memory of 1344	1032	EXCEL.EXE	rundll32.exe
PID 1032 wrote to memory of 1344	1032	EXCEL.EXE	rundll32.exe
PID 1344 wrote to memory of 3008	1344	rundll32.exe	rundll32.exe
PID 1344 wrote to memory of 3008	1344	rundll32.exe	rundll32.exe
PID 1344 wrote to memory of 3008	1344	rundll32.exe	rundll32.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe
PID 3008 wrote to memory of 3964	3008	rundll32.exe	cmd.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\88da57ba_by_Libranalysis.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\bsdnbsej.dbw,PluginInit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1344

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\bsdnbsej.dbw,PluginInit
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe
4⤵
- Blocklisted process makes network request
PID:3964

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\bsdnbsej.dbw,PluginInit 1420578116
1⤵
- Loads dropped DLL
PID:3868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\bsdnbsej.dbw
MD5
b80f4b91c29963df1cfd0d0a8a30e5c6

SHA1
09c6ae06e0c10672d91f6850118f41dc3dd66e72

SHA256
0a87bd3bb60320b21e493341b70519af4e46c2e969038d6d89b536cd37aa11d9

SHA512
bdcd3009ed3499055cf73ef1c4dd4bd0942c8b81c395cecf3c9da790e4867055059d10b05451476d7da98bbbf472c40536e7a09158b5de92c57a74e36396d10c

Download Submit
\Users\Admin\bsdnbsej.dbw
MD5
b80f4b91c29963df1cfd0d0a8a30e5c6

SHA1
09c6ae06e0c10672d91f6850118f41dc3dd66e72

SHA256
0a87bd3bb60320b21e493341b70519af4e46c2e969038d6d89b536cd37aa11d9

SHA512
bdcd3009ed3499055cf73ef1c4dd4bd0942c8b81c395cecf3c9da790e4867055059d10b05451476d7da98bbbf472c40536e7a09158b5de92c57a74e36396d10c

Download Submit
\Users\Admin\bsdnbsej.dbw
MD5
b80f4b91c29963df1cfd0d0a8a30e5c6

SHA1
09c6ae06e0c10672d91f6850118f41dc3dd66e72

SHA256
0a87bd3bb60320b21e493341b70519af4e46c2e969038d6d89b536cd37aa11d9

SHA512
bdcd3009ed3499055cf73ef1c4dd4bd0942c8b81c395cecf3c9da790e4867055059d10b05451476d7da98bbbf472c40536e7a09158b5de92c57a74e36396d10c

Download Submit
memory/1032-115-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp

Filesize
64KB

Download
memory/1032-116-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp

Filesize
64KB

Download
memory/1032-117-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp

Filesize
64KB

Download
memory/1032-118-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp

Filesize
64KB

Download
memory/1032-121-0x00007FFC3AEC0000-0x00007FFC3AED0000-memory.dmp

Filesize
64KB

Download
memory/1032-122-0x00007FFC5BD40000-0x00007FFC5CE2E000-memory.dmp

Filesize
16.9MB

Download
memory/1032-123-0x00007FFC59E40000-0x00007FFC5BD35000-memory.dmp

Filesize
31.0MB

Download
memory/1032-114-0x00007FF6EC960000-0x00007FF6EFF16000-memory.dmp

Filesize
53.7MB

Download
memory/1344-179-0x0000000000000000-mapping.dmp

Download
memory/3008-183-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3008-181-0x0000000000000000-mapping.dmp

Download
memory/3868-187-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/3964-185-0x00000000010CBB2D-mapping.dmp

Download
memory/3964-186-0x00000000010B0000-0x00000000010EF000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads