bazarbackdoor | 9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4 | Triage

Analysis

max time kernel
140s
max time network
138s
platform
windows10_x64
resource
win10v20210408
submitted
05-05-2021 22:21

Sharing

Report Analysis Logs

General

Target

rest.exe
Size

385KB
MD5

96764a0a62e66a147a3d4db0e59a6e34
SHA1

1364419833344aa6ab3f301059d43b9506197501
SHA256

9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4
SHA512

71855c2e52c1b65697a6a0843373d2039dc50db4155415dd7c76707870cdf05b1a829145837f3ec10801bdfa79a5dc44afb83b87da78472533394006c8cf38e7

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 1 IoCs

resource	yara_rule
behavioral2/memory/1448-119-0x0000000140000000-0x0000000140056000-memory.dmp	BazarBackdoorVar3

Bazar/Team9 Loader payload 2 IoCs

resource	yara_rule
behavioral2/memory/856-114-0x00000176DE810000-0x00000176DE837000-memory.dmp	BazarLoaderVar6
behavioral2/memory/4072-116-0x00000226E6980000-0x00000226E69A7000-memory.dmp	BazarLoaderVar6

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 856 set thread context of 1448	856	rest.exe	79

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
856	rest.exe
856	rest.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 1448	856	rest.exe	79
PID 856 wrote to memory of 1448	856	rest.exe	79
PID 856 wrote to memory of 1448	856	rest.exe	79
PID 856 wrote to memory of 1448	856	rest.exe	79
PID 856 wrote to memory of 1448	856	rest.exe	79
PID 856 wrote to memory of 1448	856	rest.exe	79
PID 856 wrote to memory of 1448	856	rest.exe	79
PID 856 wrote to memory of 1448	856	rest.exe	79
PID 856 wrote to memory of 1448	856	rest.exe	79
PID 856 wrote to memory of 1448	856	rest.exe	79

C:\Users\Admin\AppData\Local\Temp\rest.exe
"C:\Users\Admin\AppData\Local\Temp\rest.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SYSTEM32\svchost.exe
  "svchost"
  2⤵
  PID:1448

C:\Users\Admin\AppData\Local\Temp\rest.exe
C:\Users\Admin\AppData\Local\Temp\rest.exe {B930BEA5-FB23-4027-8ED5-C2D6E5DBABE3}
1⤵
PID:4072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-114-0x00000176DE810000-0x00000176DE837000-memory.dmp

Filesize
156KB

Download
memory/1448-119-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/4072-116-0x00000226E6980000-0x00000226E69A7000-memory.dmp

Filesize
156KB

Download