bazarbackdoor | 9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4 | Triage

Analysis

max time kernel
142s
max time network
141s
platform
windows7_x64
resource
win7v20210408
submitted
05-05-2021 22:21

Sharing

Report Analysis Logs

General

Target

rest.exe
Size

385KB
MD5

96764a0a62e66a147a3d4db0e59a6e34
SHA1

1364419833344aa6ab3f301059d43b9506197501
SHA256

9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4
SHA512

71855c2e52c1b65697a6a0843373d2039dc50db4155415dd7c76707870cdf05b1a829145837f3ec10801bdfa79a5dc44afb83b87da78472533394006c8cf38e7

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 1 IoCs

resource	yara_rule
behavioral1/memory/1640-66-0x0000000140000000-0x0000000140056000-memory.dmp	BazarBackdoorVar3

Bazar/Team9 Loader payload 2 IoCs

resource	yara_rule
behavioral1/memory/1920-60-0x0000000000120000-0x0000000000147000-memory.dmp	BazarLoaderVar6
behavioral1/memory/1812-63-0x0000000000240000-0x0000000000267000-memory.dmp	BazarLoaderVar6

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 1640	1920	rest.exe	31

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1920	rest.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1640	1920	rest.exe	31
PID 1920 wrote to memory of 1640	1920	rest.exe	31
PID 1920 wrote to memory of 1640	1920	rest.exe	31
PID 1920 wrote to memory of 1640	1920	rest.exe	31
PID 1920 wrote to memory of 1640	1920	rest.exe	31
PID 1920 wrote to memory of 1640	1920	rest.exe	31
PID 1920 wrote to memory of 1640	1920	rest.exe	31
PID 1920 wrote to memory of 1640	1920	rest.exe	31
PID 1920 wrote to memory of 1640	1920	rest.exe	31
PID 1920 wrote to memory of 1640	1920	rest.exe	31
PID 1920 wrote to memory of 1640	1920	rest.exe	31

C:\Users\Admin\AppData\Local\Temp\rest.exe
"C:\Users\Admin\AppData\Local\Temp\rest.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\system32\svchost.exe
  "svchost"
  2⤵
  PID:1640

C:\Users\Admin\AppData\Local\Temp\rest.exe
C:\Users\Admin\AppData\Local\Temp\rest.exe {3373D0E6-37B7-47CE-86F2-46C46558DE02}
1⤵
PID:1812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1640-66-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1812-63-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/1920-60-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/1920-62-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

Filesize
8KB

Download