bazarbackdoor | a8f0170ad5e5cdb0533ea888b0dbc97bc4bd23c9a0531e5e4b7cd1f05fa0875d

Target

krerb.exe
Size

199KB
MD5

1c74d51a1d7177bf9b23f6a567adc047
SHA1

ecb47205a047b173c4ecaf4f476204ef7154a7ad
SHA256

a8f0170ad5e5cdb0533ea888b0dbc97bc4bd23c9a0531e5e4b7cd1f05fa0875d
SHA512

0f2320ab1c60536cad706564a4ea739f2bac1b7cdd538ac1672542c9c02563292d95c2789845629ce696eca356876859a3efd57b305432d4d833fffd1b4cbef4

Score

10^/10

Malware Config

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 3 IoCs

resource	yara_rule
behavioral1/memory/604-65-0x0000000140000000-0x0000000140056000-memory.dmp	BazarBackdoorVar3
behavioral1/memory/604-66-0x000000014002EF24-mapping.dmp	BazarBackdoorVar3
behavioral1/memory/604-67-0x0000000140000000-0x0000000140056000-memory.dmp	BazarBackdoorVar3

Bazar/Team9 Loader payload 2 IoCs

resource	yara_rule
behavioral1/memory/1104-60-0x0000000000060000-0x0000000000087000-memory.dmp	BazarLoaderVar6
behavioral1/memory/292-62-0x00000000000D0000-0x00000000000F7000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 13 IoCs

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1104 set thread context of 604	1104	krerb.exe	31

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1104	krerb.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 604	1104	krerb.exe	31
PID 1104 wrote to memory of 604	1104	krerb.exe	31
PID 1104 wrote to memory of 604	1104	krerb.exe	31
PID 1104 wrote to memory of 604	1104	krerb.exe	31
PID 1104 wrote to memory of 604	1104	krerb.exe	31
PID 1104 wrote to memory of 604	1104	krerb.exe	31
PID 1104 wrote to memory of 604	1104	krerb.exe	31
PID 1104 wrote to memory of 604	1104	krerb.exe	31
PID 1104 wrote to memory of 604	1104	krerb.exe	31
PID 1104 wrote to memory of 604	1104	krerb.exe	31
PID 1104 wrote to memory of 604	1104	krerb.exe	31

C:\Users\Admin\AppData\Local\Temp\krerb.exe
"C:\Users\Admin\AppData\Local\Temp\krerb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\system32\cmd.exe
  "cmd"
  2⤵
  - Blocklisted process makes network request
  PID:604

C:\Users\Admin\AppData\Local\Temp\krerb.exe
C:\Users\Admin\AppData\Local\Temp\krerb.exe {ED655BE5-95CF-422D-8C7B-FB8D1DC71A9F}
1⤵
PID:292

memory/292-62-0x00000000000D0000-0x00000000000F7000-memory.dmp

Filesize
156KB

Download
memory/604-65-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/604-67-0x0000000140000000-0x0000000140056000-memory.dmp

Filesize
344KB

Download
memory/1104-60-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download