Overview

overview

10

Static

static

baza-or-cs.dll

windows7_x64

10

baza-or-cs.dll

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    16-07-2021 16:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    baza-or-cs.dll

  • Size

    153KB

  • MD5

    ea3612919bf05b66e9a608bee742a422

  • SHA1

    032747a1658fea7f8d624c11ae965f3218f96909

  • SHA256

    fd001fb71e9faa68c6e53162ed0554fd6f16a0e381aa280cea397b3d74bb62eb

  • SHA512

    f2f049ef68cd5c06511dab2ef82a67e0aa44ac583ec5e84ec7cba1627f47c31a748ad58e1b065401b162a4266f753ac842efceef7cbe33efb0a9d8399365e2c7

Score
10/10
bazarbackdoorbazarloaderbackdoordropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    backdoorbazarbackdoor
  • Bazar/Team9 Backdoor payload 3 IoCs
  • Bazar/Team9 Loader payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\baza-or-cs.dll,#1
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup
      2⤵
        PID:996
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\baza-or-cs.dll,#1 3004615058
      1⤵
        PID:380

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        MD5

        2902de11e30dcc620b184e3bb0f0c1cb

        SHA1

        5d11d14a2558801a2688dc2d6dfad39ac294f222

        SHA256

        e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

        SHA512

        efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        MD5

        cf2bfd48781236d6efdedf65f776f0a7

        SHA1

        1afc5c5f53796a611a1ca53b0b9498c2aa2e27ae

        SHA256

        2d0b97ea26dbc9a5cb24e3fca19ee1faaa1c419f914a05103d578e7e23d9813c

        SHA512

        2d7a6e19566a53a6f0b45f567968bc8610bf8823b58068f53d5528b474f64d1ffded2ceeee4f2f05ed31a2b445b83cbfcf557c265813b9439a701c91ba58d0fc

        Download Submit
      • memory/380-65-0x0000000000220000-0x00000000002FC000-memory.dmp
        Filesize

        880KB

        Download
      • memory/996-60-0x00000000FF670000-0x00000000FF6C1000-memory.dmp
        Filesize

        324KB

        Download
      • memory/996-61-0x00000000FF694550-mapping.dmp
        Download
      • memory/996-64-0x00000000FF670000-0x00000000FF6C1000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1944-59-0x0000000001BA0000-0x0000000001C7C000-memory.dmp
        Filesize

        880KB

        Download