bazarbackdoor | 93d3f7173b0983274a93717c4c605ff9e85d6cce59a17bd965ca881e436c1954

General

Target

SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
Size

564KB
MD5

43de3367faeffa04f28ad1e3e1f154eb
SHA1

f75d1719bb9a2f6a628a521a827bfbf26e44b9a2
SHA256

93d3f7173b0983274a93717c4c605ff9e85d6cce59a17bd965ca881e436c1954
SHA512

53825602540b72bf294ee47f06a682b809140fd982f6ab99a02e5dc0251774c5eb7243ab2117218f54512e2ee59e100d3644bbc509d40db7da9f52dd72b67069

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/612-63-0x0000000049F24474-mapping.dmp	BazarBackdoorVar4
behavioral1/memory/612-62-0x0000000049F00000-0x0000000049F51000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/612-64-0x0000000049F00000-0x0000000049F51000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/360-59-0x0000000001BB0000-0x0000000001BEE000-memory.dmp	BazarLoaderVar6
behavioral1/memory/1296-61-0x0000000000250000-0x000000000028E000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 8 IoCs

Processes:

cmd.exe

flow pid process

11 612 cmd.exe
12 612 cmd.exe
13 612 cmd.exe
14 612 cmd.exe
15 612 cmd.exe
16 612 cmd.exe
18 612 cmd.exe
19 612 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.ArtemisTrojan.25081.13158.exe

description pid process target process

PID 360 set thread context of 612 360 SecuriteInfo.com.ArtemisTrojan.25081.13158.exe cmd.exe

flow	pid	process
11	612	cmd.exe
12	612	cmd.exe
13	612	cmd.exe
14	612	cmd.exe
15	612	cmd.exe
16	612	cmd.exe
18	612	cmd.exe
19	612	cmd.exe

description	pid	process	target process
PID 360 set thread context of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

SecuriteInfo.com.ArtemisTrojan.25081.13158.exe

pid	process
360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.ArtemisTrojan.25081.13158.exe

description	pid	process	target process
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 360 wrote to memory of 612	360	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blocklisted process makes network request
PID:612

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe 1746112695
1⤵
PID:1296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
15775d95513782f99cdfb17e65dfceb1

SHA1
6c11f8bee799b093f9ff4841e31041b081b23388

SHA256
477a9559194edf48848fce59e05105168745a46bdc0871ea742a2588ca9fbe00

SHA512
ac09ce01122d7a837bd70277badd58ff71d8c5335f8fc599d5e3ed42c8fee2108dd043bce562c82ba12a81b9b08bd24b961c0961bf8fd3a0b8341c87483cd1e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
e4b17530205455b24eb07587737432a1

SHA1
4946810776f1a02fe417d3de4cdef0e34185b309

SHA256
5facd66e402b0e12950862b478cbc54bb2b1b09418742ccce18bee6112040ca9

SHA512
7ec47d314f43e1813dfd537e9ed05f1258f03f6ead0cba4c5d8da85b70114e1d46cd1c67d6512804ed739198278cea369c687a858612e84312d3326953caacf8

Download Submit
memory/360-59-0x0000000001BB0000-0x0000000001BEE000-memory.dmp

Filesize
248KB

Download
memory/360-60-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/612-63-0x0000000049F24474-mapping.dmp

Download
memory/612-62-0x0000000049F00000-0x0000000049F51000-memory.dmp

Filesize
324KB

Download
memory/612-64-0x0000000049F00000-0x0000000049F51000-memory.dmp

Filesize
324KB

Download
memory/1296-61-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads