bazarbackdoor | 93d3f7173b0983274a93717c4c605ff9e85d6cce59a17bd965ca881e436c1954

General

Target

SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
Size

564KB
MD5

43de3367faeffa04f28ad1e3e1f154eb
SHA1

f75d1719bb9a2f6a628a521a827bfbf26e44b9a2
SHA256

93d3f7173b0983274a93717c4c605ff9e85d6cce59a17bd965ca881e436c1954
SHA512

53825602540b72bf294ee47f06a682b809140fd982f6ab99a02e5dc0251774c5eb7243ab2117218f54512e2ee59e100d3644bbc509d40db7da9f52dd72b67069

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1092-64-0x000000004A844474-mapping.dmp	BazarBackdoorVar4
behavioral1/memory/1092-63-0x000000004A820000-0x000000004A871000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/1092-65-0x000000004A820000-0x000000004A871000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/736-60-0x0000000001BB0000-0x0000000001BEE000-memory.dmp	BazarLoaderVar6
behavioral1/memory/1200-62-0x0000000001BC0000-0x0000000001BFE000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 11 IoCs

Processes:

cmd.exe

flow	pid	process
12	1092	cmd.exe
13	1092	cmd.exe
14	1092	cmd.exe
15	1092	cmd.exe
16	1092	cmd.exe
17	1092	cmd.exe
19	1092	cmd.exe
20	1092	cmd.exe
27	1092	cmd.exe
29	1092	cmd.exe
30	1092	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.ArtemisTrojan.25081.13158.exe

description pid process target process

PID 736 set thread context of 1092 736 SecuriteInfo.com.ArtemisTrojan.25081.13158.exe cmd.exe

description	pid	process	target process
PID 736 set thread context of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

SecuriteInfo.com.ArtemisTrojan.25081.13158.exe

pid	process
736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SecuriteInfo.com.ArtemisTrojan.25081.13158.exe

description	pid	process	target process
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe
PID 736 wrote to memory of 1092	736	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:736

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blocklisted process makes network request
PID:1092

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe 3987518451
1⤵
PID:1200

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
15775d95513782f99cdfb17e65dfceb1

SHA1
6c11f8bee799b093f9ff4841e31041b081b23388

SHA256
477a9559194edf48848fce59e05105168745a46bdc0871ea742a2588ca9fbe00

SHA512
ac09ce01122d7a837bd70277badd58ff71d8c5335f8fc599d5e3ed42c8fee2108dd043bce562c82ba12a81b9b08bd24b961c0961bf8fd3a0b8341c87483cd1e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
dbadd02ea16b4521fbff34d35514abcb

SHA1
97a6f2a3495486a7e1de605be806a8e5024e8ee0

SHA256
679e846d9e08359ffbfcf5e1c6e35744fbe200bb0c8ddb6c4b472bbf315a3064

SHA512
76816280b66e20b3d816db2443d465ee70f4e2b9b83e6560b7b0fac99186d6d6a352801294e413bb6741746269b5a2f5c35dcca1d08584e3dd8f54522ce7639d

Download Submit
memory/736-60-0x0000000001BB0000-0x0000000001BEE000-memory.dmp

Filesize
248KB

Download
memory/736-61-0x000007FEFBEA1000-0x000007FEFBEA3000-memory.dmp

Filesize
8KB

Download
memory/1092-64-0x000000004A844474-mapping.dmp

Download
memory/1092-63-0x000000004A820000-0x000000004A871000-memory.dmp

Filesize
324KB

Download
memory/1092-65-0x000000004A820000-0x000000004A871000-memory.dmp

Filesize
324KB

Download
memory/1200-62-0x0000000001BC0000-0x0000000001BFE000-memory.dmp

Filesize
248KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads