bazarbackdoor | a8f0170ad5e5cdb0533ea888b0dbc97bc4bd23c9a0531e5e4b7cd1f05fa0875d

Target

krerb.exe
Size

199KB
MD5

1c74d51a1d7177bf9b23f6a567adc047
SHA1

ecb47205a047b173c4ecaf4f476204ef7154a7ad
SHA256

a8f0170ad5e5cdb0533ea888b0dbc97bc4bd23c9a0531e5e4b7cd1f05fa0875d
SHA512

0f2320ab1c60536cad706564a4ea739f2bac1b7cdd538ac1672542c9c02563292d95c2789845629ce696eca356876859a3efd57b305432d4d833fffd1b4cbef4

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/604-65-0x0000000140000000-0x0000000140056000-memory.dmp	BazarBackdoorVar3
behavioral1/memory/604-66-0x000000014002EF24-mapping.dmp	BazarBackdoorVar3
behavioral1/memory/604-67-0x0000000140000000-0x0000000140056000-memory.dmp	BazarBackdoorVar3

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1104-60-0x0000000000060000-0x0000000000087000-memory.dmp	BazarLoaderVar6
behavioral1/memory/292-62-0x00000000000D0000-0x00000000000F7000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 13 IoCs

Processes:

cmd.exe

flow	pid	process
13	604	cmd.exe
15	604	cmd.exe
16	604	cmd.exe
18	604	cmd.exe
19	604	cmd.exe
21	604	cmd.exe
23	604	cmd.exe
25	604	cmd.exe
26	604	cmd.exe
27	604	cmd.exe
28	604	cmd.exe
29	604	cmd.exe
30	604	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

krerb.exe

description pid process target process

PID 1104 set thread context of 604 1104 krerb.exe cmd.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

krerb.exe

pid process

1104 krerb.exe

description	pid	process	target process
PID 1104 set thread context of 604	1104	krerb.exe	cmd.exe

pid	process
1104	krerb.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

krerb.exe

description	pid	process	target process
PID 1104 wrote to memory of 604	1104	krerb.exe	cmd.exe
PID 1104 wrote to memory of 604	1104	krerb.exe	cmd.exe
PID 1104 wrote to memory of 604	1104	krerb.exe	cmd.exe
PID 1104 wrote to memory of 604	1104	krerb.exe	cmd.exe
PID 1104 wrote to memory of 604	1104	krerb.exe	cmd.exe
PID 1104 wrote to memory of 604	1104	krerb.exe	cmd.exe
PID 1104 wrote to memory of 604	1104	krerb.exe	cmd.exe
PID 1104 wrote to memory of 604	1104	krerb.exe	cmd.exe
PID 1104 wrote to memory of 604	1104	krerb.exe	cmd.exe
PID 1104 wrote to memory of 604	1104	krerb.exe	cmd.exe
PID 1104 wrote to memory of 604	1104	krerb.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\krerb.exe
"C:\Users\Admin\AppData\Local\Temp\krerb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\system32\cmd.exe
  "cmd"
  2⤵
  - Blocklisted process makes network request
  PID:604

C:\Users\Admin\AppData\Local\Temp\krerb.exe
C:\Users\Admin\AppData\Local\Temp\krerb.exe {ED655BE5-95CF-422D-8C7B-FB8D1DC71A9F}
1⤵
PID:292

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
15775d95513782f99cdfb17e65dfceb1

SHA1
6c11f8bee799b093f9ff4841e31041b081b23388

SHA256
477a9559194edf48848fce59e05105168745a46bdc0871ea742a2588ca9fbe00

SHA512
ac09ce01122d7a837bd70277badd58ff71d8c5335f8fc599d5e3ed42c8fee2108dd043bce562c82ba12a81b9b08bd24b961c0961bf8fd3a0b8341c87483cd1e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
db9f737d3d0d8c27f3918e309d5350e3

SHA1
1461706e128e91544f00c8185a10d9889f467b87

SHA256
3a4b207ac0f43c6bf9d32b2521f9ad06280db13e4d110dcfc7a03a5cc6c4c681

SHA512
b613976117f4a6fa51f7e63d55b540faf55ea43a9c904b5427dd64fe5af65bcde79cd30184142e9a889ba93fa13383e1a7ca98bd566a3ec9baf7f75c63e53513

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2513283230-931923277-594887482-1000\3e952d0ddb6a308dcd44a8ee28102e55_17ebba21-ade9-4848-b865-5b9359ee593d

MD5
9e2f3eab69ef628ddbf2ef9a4241a69c

SHA1
11ed46222307a9a2682b111aebd265cdba2ccf1f

SHA256
7ae40d85e89d69d1ebed581177a770bedcd8821aca387e2d81b3ba816b541bc9

SHA512
08494d29c86aa86ff74c8b66f8322804c46130b4aa476fc277454c13e863c721e825b3d7e17ed440e03deb7821b27a997e88bcd5e790898539cfc31d2bf26fd7

Download Submit
memory/292-62-0x00000000000D0000-0x00000000000F7000-memory.dmp

Filesize
156KB

Download
memory/604-65-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/604-66-0x000000014002EF24-mapping.dmp

Download
memory/604-67-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1104-60-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download