bazarbackdoor | 70c2422033dd395c0a6c15b5e6dbdde34aa65b7481d4b8298e70e0c3e72a2182

Target

JVrLyRD.dat.dll
Size

242KB
MD5

12e60d21fd9c8675368635ea5246e393
SHA1

60ae64cd005f862797279fb151c9a0433b8e654c
SHA256

70c2422033dd395c0a6c15b5e6dbdde34aa65b7481d4b8298e70e0c3e72a2182
SHA512

6509c404b274af6250a241b441558d010729da12bbad47dd59c2da5a7480f682ff8c5bfeace9b2bc65db22f212b6399cd74f3f25ae22354db0ca8e06d85ed189

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/784-62-0x00000000FF6E4580-mapping.dmp	BazarBackdoorVar4
behavioral1/memory/784-61-0x00000000FF6C0000-0x00000000FF711000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/784-65-0x00000000FF6C0000-0x00000000FF711000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1756-60-0x0000000001E60000-0x0000000001FF7000-memory.dmp	BazarLoaderVar6

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1756 set thread context of 784 1756 regsvr32.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

regsvr32.exe

pid process

1756 regsvr32.exe
1756 regsvr32.exe
1756 regsvr32.exe

description	pid	process	target process
PID 1756 set thread context of 784	1756	regsvr32.exe	svchost.exe

pid	process
1756	regsvr32.exe
1756	regsvr32.exe
1756	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe
PID 1756 wrote to memory of 784	1756	regsvr32.exe	svchost.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JVrLyRD.dat.dll
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  2⤵
  PID:784

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
daccdf14d6f6f2ff7e1f8690e2cb7d4b

SHA1
275b8d2064b2b730e37fdb15040b1f1aaaec7f46

SHA256
4b2cb711b026a85705aa3b95f2f490b65fe6541c4290973efd791de112eb7910

SHA512
33df0e38bf7103d3bef37d113af39b5f0db1a3dc03983159ed7ba2a076c0ec6c0e3948f3ceb3130bc9cbdc99975baeaca74dbe10edc5bbcfe74b34a53b76bb89

Download Submit
memory/784-62-0x00000000FF6E4580-mapping.dmp

Download
memory/784-61-0x00000000FF6C0000-0x00000000FF711000-memory.dmp

Filesize
324KB

Download
memory/784-65-0x00000000FF6C0000-0x00000000FF711000-memory.dmp

Filesize
324KB

Download
memory/1756-59-0x000007FEFBD21000-0x000007FEFBD23000-memory.dmp

Filesize
8KB

Download
memory/1756-60-0x0000000001E60000-0x0000000001FF7000-memory.dmp

Filesize
1.6MB

Download