Resubmissions (date, task ID, score)
- 07-05-2021 04:03  210507-hng7crfr5s  10
- 05-05-2021 08:07  210505-38jr98rkr2  10
- 05-05-2021 05:50  210505-a1xkk2y93e  10
- 05-05-2021 05:21  210505-ldgzm9rsns  10
- 04-05-2021 21:54  210504-gxac1b6tga  10

Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 04-05-2021 21:54
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
  Resource: win10v20210408
General
- Target: SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
- Size: 564KB
- MD5: 43de3367faeffa04f28ad1e3e1f154eb
- SHA1: f75d1719bb9a2f6a628a521a827bfbf26e44b9a2
- SHA256: 93d3f7173b0983274a93717c4c605ff9e85d6cce59a17bd965ca881e436c1954
- SHA512: 53825602540b72bf294ee47f06a682b809140fd982f6ab99a02e5dc0251774c5eb7243ab2117218f54512e2ee59e100d3644bbc509d40db7da9f52dd72b67069
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 2 IoCs
Processes:
  resource | yara_rule
  behavioral1/memory/2004-59-0x0000000000350000-0x000000000038E000-memory.dmp | BazarLoaderVar6
  behavioral1/memory/1088-61-0x0000000000360000-0x000000000039E000-memory.dmp | BazarLoaderVar6
-
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  description | flow | ioc
  HTTP URL | 16 | https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
-
Processes:
  SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 | SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe"
  - Modifies system certificate store
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe 1983936737