Overview

overview

10

Static

static

9dcbff0945...86.dll

windows7_x64

10

9dcbff0945...86.dll

windows10_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-07-2021 03:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9dcbff0945ffba2e5e8b4dc03dd89f85346d9919c7084bed59671a003bd1eb86.dll

  • Size

    142KB

  • MD5

    95ac6fda2d58ac5de7fd19220443e808

  • SHA1

    666d8b10f5b39aec23bb67d7f03288c8dbcd45d8

  • SHA256

    9dcbff0945ffba2e5e8b4dc03dd89f85346d9919c7084bed59671a003bd1eb86

  • SHA512

    3db7c4e7ea8338b99e1c38a7cb00c838cce734ae614342bb69aa43f89215ce05ed09461e62bf2b3d89bd5472b0559a9105b8a6a4216dd19d26ea190e4aa7931c

Score
10/10
bazarbackdoorbazarloaderbackdoordropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    backdoorbazarbackdoor
  • Bazar/Team9 Backdoor payload 3 IoCs
  • Bazar/Team9 Loader payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9dcbff0945ffba2e5e8b4dc03dd89f85346d9919c7084bed59671a003bd1eb86.dll,#1
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup
      2⤵
        PID:588
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9dcbff0945ffba2e5e8b4dc03dd89f85346d9919c7084bed59671a003bd1eb86.dll,#1 543985734
      1⤵
        PID:1636

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        MD5

        2902de11e30dcc620b184e3bb0f0c1cb

        SHA1

        5d11d14a2558801a2688dc2d6dfad39ac294f222

        SHA256

        e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

        SHA512

        efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

        Download Submit
      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        MD5

        c2a8786e753aa13f05665e383d7ea3ac

        SHA1

        82af30ba72e1952e3b5808cdd613312d5c05ff5b

        SHA256

        08cda9554078339dc539114376af62fc57a8ba9c7372745d03d9c57f9c7620be

        SHA512

        6d151fc6000236360bf046203802a078a0f9d4f555cf23ea4b60b0b80e322d044ab0be609fa3bc03a7e82ffadd624709235d09dd3243a5cf299ae1fa9b83e333

        Download Submit
      • memory/588-61-0x00000000FFFF44E0-mapping.dmp
        Download
      • memory/588-60-0x00000000FFFD0000-0x0000000100021000-memory.dmp
        Filesize

        324KB

        Download
      • memory/588-62-0x00000000FFFD0000-0x0000000100021000-memory.dmp
        Filesize

        324KB

        Download
      • memory/1104-59-0x0000000001C50000-0x0000000001D2C000-memory.dmp
        Filesize

        880KB

        Download
      • memory/1636-65-0x0000000001BF0000-0x0000000001CCC000-memory.dmp
        Filesize

        880KB

        Download