anchordns | d4bee9cf6a3a6b8c8d3e49622c125a9afdbefcb7d9aca3b4b33b73916c6730cc | Triage

Analysis

max time kernel
148s
max time network
161s
platform
windows10_x64
resource
win10v20210408
submitted
03-08-2021 14:53

Sharing

Report Analysis Logs

General

Target

f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe
Size

663KB
MD5

faa84badf9eee5c7ab7c727f7ffe2c4f
SHA1

7b7923d89bb8d564b8be409476652d8005e19fba
SHA256

f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348
SHA512

42a27e1dc0106c032f1c5b11085573b97c092114d807d354b93788688e2dcd21c30c3d915c5365248ba5b77d155246a1c98d11336d2f16b66d71e0e386b40b63

Score

10^/10

anchordns backdoor suricata

Malware Config

Signatures

AnchorDNS Backdoor
A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.
backdoor anchordns

Detected AnchorDNS Backdoor 1 IoCs

Sample triggered yara rules associated with the AnchorDNS malware family.

resource	yara_rule
behavioral2/files/0x000100000001ab1c-114.dat	family_anchor_dns

suricata: ET MALWARE Anchor_DNS Trickbot DNS CnC Command - Sending Data
suricata

Executes dropped EXE 1 IoCs

pid	Process
4060	f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe:$TASK	f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe:$FILE	f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe: data	f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe

C:\Users\Admin\AppData\Local\Temp\f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe
"C:\Users\Admin\AppData\Local\Temp\f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe"
1⤵
- NTFS ADS
PID:3492

C:\Users\Admin\AppData\Local\Temp\f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe
C:\Users\Admin\AppData\Local\Temp\f93b838dc89e7d3d47b1225c5d4a7b706062fd8a0f380b173c099d0570814348.exe -u
1⤵
- Executes dropped EXE
- NTFS ADS
PID:4060

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads