bazarbackdoor | f82a3b15901da167017395e4158995302d01abbb9b7f259465eca8f66f42fb5c

General

Target

Documents_1462169789_1838254150.xls
Size

293KB
MD5

88da57baad066838d62daa0d17658eb0
SHA1

c9d47b8cf3debfe3f714c6eb497829a8ad2bd1fc
SHA256

f82a3b15901da167017395e4158995302d01abbb9b7f259465eca8f66f42fb5c
SHA512

561401ec068bea4d1907ca81f66fceeb21d93fbca3e1fc1fafd6c68bc7df465dbaf988e4bbd8f38a54dceade57f12428b9ec20c5e5a43c45e4a1c662dc4919d0

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor 5 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

description	flow	ioc
HTTP URL	46	https://54.163.9.216/4be656f0db4e6d3caa7f96acd7029340/4
HTTP URL	47	https://54.163.9.216/4be656f0db4e6d3caa7f96acd7029340/4
HTTP URL	48	https://54.163.9.216/4be656f0db4e6d3caa7f96acd7029340/4
HTTP URL	49	https://54.163.9.216/4be656f0db4e6d3caa7f96acd7029340/2
HTTP URL	50	https://54.163.9.216/4be656f0db4e6d3caa7f96acd7029340/3

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	1252	3872	rundll32.exe	EXCEL.EXE

Blocklisted process makes network request 8 IoCs

Processes:

rundll32.execmd.exe

flow pid process

39 1232 rundll32.exe
41 1232 rundll32.exe
44 1232 rundll32.exe
46 3848 cmd.exe
47 3848 cmd.exe
48 3848 cmd.exe
49 3848 cmd.exe
50 3848 cmd.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1232 rundll32.exe
3180 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1232 set thread context of 3848 1232 rundll32.exe cmd.exe

flow	pid	process
39	1232	rundll32.exe
41	1232	rundll32.exe
44	1232	rundll32.exe
46	3848	cmd.exe
47	3848	cmd.exe
48	3848	cmd.exe
49	3848	cmd.exe
50	3848	cmd.exe

pid	process
1232	rundll32.exe
3180	rundll32.exe

description	pid	process	target process
PID 1232 set thread context of 3848	1232	rundll32.exe	cmd.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3872 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3872	EXCEL.EXE
3872	EXCEL.EXE
3872	EXCEL.EXE
3872	EXCEL.EXE
3872	EXCEL.EXE
3872	EXCEL.EXE
3872	EXCEL.EXE
3872	EXCEL.EXE
3872	EXCEL.EXE
3872	EXCEL.EXE
3872	EXCEL.EXE
3872	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

EXCEL.EXErundll32.exerundll32.exe

description	pid	process	target process
PID 3872 wrote to memory of 1252	3872	EXCEL.EXE	rundll32.exe
PID 3872 wrote to memory of 1252	3872	EXCEL.EXE	rundll32.exe
PID 1252 wrote to memory of 1232	1252	rundll32.exe	rundll32.exe
PID 1252 wrote to memory of 1232	1252	rundll32.exe	rundll32.exe
PID 1252 wrote to memory of 1232	1252	rundll32.exe	rundll32.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe
PID 1232 wrote to memory of 3848	1232	rundll32.exe	cmd.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Documents_1462169789_1838254150.xls"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\SYSTEM32\rundll32.exe
rundll32 ..\bsdnbsej.dbw,PluginInit
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\rundll32.exe
rundll32 ..\bsdnbsej.dbw,PluginInit
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe
4⤵
- Blocklisted process makes network request
PID:3848

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\bsdnbsej.dbw,PluginInit 2012181265
1⤵
- Loads dropped DLL
PID:3180

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\bsdnbsej.dbw
MD5
b80f4b91c29963df1cfd0d0a8a30e5c6

SHA1
09c6ae06e0c10672d91f6850118f41dc3dd66e72

SHA256
0a87bd3bb60320b21e493341b70519af4e46c2e969038d6d89b536cd37aa11d9

SHA512
bdcd3009ed3499055cf73ef1c4dd4bd0942c8b81c395cecf3c9da790e4867055059d10b05451476d7da98bbbf472c40536e7a09158b5de92c57a74e36396d10c

Download Submit
\Users\Admin\bsdnbsej.dbw
MD5
b80f4b91c29963df1cfd0d0a8a30e5c6

SHA1
09c6ae06e0c10672d91f6850118f41dc3dd66e72

SHA256
0a87bd3bb60320b21e493341b70519af4e46c2e969038d6d89b536cd37aa11d9

SHA512
bdcd3009ed3499055cf73ef1c4dd4bd0942c8b81c395cecf3c9da790e4867055059d10b05451476d7da98bbbf472c40536e7a09158b5de92c57a74e36396d10c

Download Submit
\Users\Admin\bsdnbsej.dbw
MD5
b80f4b91c29963df1cfd0d0a8a30e5c6

SHA1
09c6ae06e0c10672d91f6850118f41dc3dd66e72

SHA256
0a87bd3bb60320b21e493341b70519af4e46c2e969038d6d89b536cd37aa11d9

SHA512
bdcd3009ed3499055cf73ef1c4dd4bd0942c8b81c395cecf3c9da790e4867055059d10b05451476d7da98bbbf472c40536e7a09158b5de92c57a74e36396d10c

Download Submit
memory/1232-183-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/1232-181-0x0000000000000000-mapping.dmp

Download
memory/1252-179-0x0000000000000000-mapping.dmp

Download
memory/3180-185-0x0000000000540000-0x000000000068A000-memory.dmp

Filesize
1.3MB

Download
memory/3848-186-0x00000000012ABB2D-mapping.dmp

Download
memory/3848-187-0x0000000001290000-0x00000000012CF000-memory.dmp

Filesize
252KB

Download
memory/3872-122-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp

Filesize
64KB

Download
memory/3872-123-0x000001AC17090000-0x000001AC18F85000-memory.dmp

Filesize
31.0MB

Download
memory/3872-114-0x00007FF6B47E0000-0x00007FF6B7D96000-memory.dmp

Filesize
53.7MB

Download
memory/3872-121-0x00007FF8E9260000-0x00007FF8EA34E000-memory.dmp

Filesize
16.9MB

Download
memory/3872-118-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp

Filesize
64KB

Download
memory/3872-117-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp

Filesize
64KB

Download
memory/3872-116-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp

Filesize
64KB

Download
memory/3872-115-0x00007FF8C8B00000-0x00007FF8C8B10000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads