bazarbackdoor | 9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4

Analysis

Target

rest.exe
Size

385KB
MD5

96764a0a62e66a147a3d4db0e59a6e34
SHA1

1364419833344aa6ab3f301059d43b9506197501
SHA256

9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4
SHA512

71855c2e52c1b65697a6a0843373d2039dc50db4155415dd7c76707870cdf05b1a829145837f3ec10801bdfa79a5dc44afb83b87da78472533394006c8cf38e7

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1448-119-0x0000000140000000-0x0000000140056000-memory.dmp	BazarBackdoorVar3

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/856-114-0x00000176DE810000-0x00000176DE837000-memory.dmp	BazarLoaderVar6
behavioral2/memory/4072-116-0x00000226E6980000-0x00000226E69A7000-memory.dmp	BazarLoaderVar6

Suspicious use of SetThreadContext 1 IoCs

Processes:

rest.exe

description pid process target process

PID 856 set thread context of 1448 856 rest.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rest.exe

pid process

856 rest.exe
856 rest.exe

description	pid	process	target process
PID 856 set thread context of 1448	856	rest.exe	svchost.exe

pid	process
856	rest.exe
856	rest.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rest.exe

description	pid	process	target process
PID 856 wrote to memory of 1448	856	rest.exe	svchost.exe
PID 856 wrote to memory of 1448	856	rest.exe	svchost.exe
PID 856 wrote to memory of 1448	856	rest.exe	svchost.exe
PID 856 wrote to memory of 1448	856	rest.exe	svchost.exe
PID 856 wrote to memory of 1448	856	rest.exe	svchost.exe
PID 856 wrote to memory of 1448	856	rest.exe	svchost.exe
PID 856 wrote to memory of 1448	856	rest.exe	svchost.exe
PID 856 wrote to memory of 1448	856	rest.exe	svchost.exe
PID 856 wrote to memory of 1448	856	rest.exe	svchost.exe
PID 856 wrote to memory of 1448	856	rest.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\rest.exe
C:\Users\Admin\AppData\Local\Temp\rest.exe {B930BEA5-FB23-4027-8ED5-C2D6E5DBABE3}
1⤵
PID:4072

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1594587808-2047097707-2163810515-1000\3e952d0ddb6a308dcd44a8ee28102e55_cc51e87d-bda7-4ef7-80cf-c431fec6b805

MD5
9e2f3eab69ef628ddbf2ef9a4241a69c

SHA1
11ed46222307a9a2682b111aebd265cdba2ccf1f

SHA256
7ae40d85e89d69d1ebed581177a770bedcd8821aca387e2d81b3ba816b541bc9

SHA512
08494d29c86aa86ff74c8b66f8322804c46130b4aa476fc277454c13e863c721e825b3d7e17ed440e03deb7821b27a997e88bcd5e790898539cfc31d2bf26fd7

Download Submit
memory/856-114-0x00000176DE810000-0x00000176DE837000-memory.dmp

Filesize
156KB

Download
memory/1448-119-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4072-116-0x00000226E6980000-0x00000226E69A7000-memory.dmp

Filesize
156KB

Download