bazarbackdoor | cca0563ae1aac9447ba5e3f73cafc63a21671e478dc198695db6c698a2a17d2b

General

Target

0c1db79e9943a2e3b76d5f7b808c13d3.exe
Size

662KB
MD5

0c1db79e9943a2e3b76d5f7b808c13d3
SHA1

570ae5bd55275cbca4ecbcdcd76249a80fb9902e
SHA256

cca0563ae1aac9447ba5e3f73cafc63a21671e478dc198695db6c698a2a17d2b
SHA512

11ce4c66a7bc27d0d070b589c3c08f325b6e9438efe9c95f89901a28f83a5afe43d9fe6863e52a0012d730365604e20f884b9f916a995cf18121a8df18854042

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2764-116-0x00007FF692140000-0x00007FF692191000-memory.dmp	BazarBackdoorVar4
behavioral2/memory/2764-117-0x00007FF6921641F4-mapping.dmp	BazarBackdoorVar4
behavioral2/memory/2764-118-0x00007FF692140000-0x00007FF692191000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/620-114-0x0000025B2D440000-0x0000025B2D477000-memory.dmp	BazarLoaderVar6
behavioral2/memory/2300-119-0x000001B2FFB70000-0x000001B2FFBA7000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 6 IoCs

Processes:

cmd.exe

flow pid process

19 2764 cmd.exe
27 2764 cmd.exe
29 2764 cmd.exe
30 2764 cmd.exe
31 2764 cmd.exe
32 2764 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

0c1db79e9943a2e3b76d5f7b808c13d3.exe

description pid process target process

PID 620 set thread context of 2764 620 0c1db79e9943a2e3b76d5f7b808c13d3.exe cmd.exe

flow	pid	process
19	2764	cmd.exe
27	2764	cmd.exe
29	2764	cmd.exe
30	2764	cmd.exe
31	2764	cmd.exe
32	2764	cmd.exe

description	pid	process	target process
PID 620 set thread context of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

0c1db79e9943a2e3b76d5f7b808c13d3.exe

pid	process
620	0c1db79e9943a2e3b76d5f7b808c13d3.exe
620	0c1db79e9943a2e3b76d5f7b808c13d3.exe
620	0c1db79e9943a2e3b76d5f7b808c13d3.exe
620	0c1db79e9943a2e3b76d5f7b808c13d3.exe
620	0c1db79e9943a2e3b76d5f7b808c13d3.exe
620	0c1db79e9943a2e3b76d5f7b808c13d3.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0c1db79e9943a2e3b76d5f7b808c13d3.exe

description	pid	process	target process
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe
PID 620 wrote to memory of 2764	620	0c1db79e9943a2e3b76d5f7b808c13d3.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0c1db79e9943a2e3b76d5f7b808c13d3.exe
"C:\Users\Admin\AppData\Local\Temp\0c1db79e9943a2e3b76d5f7b808c13d3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe
2⤵
- Blocklisted process makes network request
PID:2764

C:\Users\Admin\AppData\Local\Temp\0c1db79e9943a2e3b76d5f7b808c13d3.exe
C:\Users\Admin\AppData\Local\Temp\0c1db79e9943a2e3b76d5f7b808c13d3.exe 2652823143
1⤵
PID:2300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-114-0x0000025B2D440000-0x0000025B2D477000-memory.dmp

Filesize
220KB

Download
memory/2300-119-0x000001B2FFB70000-0x000001B2FFBA7000-memory.dmp

Filesize
220KB

Download
memory/2764-116-0x00007FF692140000-0x00007FF692191000-memory.dmp

Filesize
324KB

Download
memory/2764-117-0x00007FF6921641F4-mapping.dmp

Download
memory/2764-118-0x00007FF692140000-0x00007FF692191000-memory.dmp

Filesize
324KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads