Resubmissions
- 24-08-2021 15:46  210824-t6hzlqqj4a  10
- 24-08-2021 15:30  210824-gm7skbgnee  10
- 24-08-2021 15:27  210824-68px7xses6  10
- 24-08-2021 15:17  210824-2783vynafn  10
- 04-08-2021 16:51  210804-8pmmxqpdzn  10

Analysis
- max time kernel: 133s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 24-08-2021 15:27

Static task: static1

Behavioral task: behavioral1
- Sample: JVrLyRD.dat.dll
- Resource: win7v20210410

Behavioral task: behavioral2
- Sample: JVrLyRD.dat.dll
- Resource: win10v20210408
General
- Target: JVrLyRD.dat.dll
- Size: 242KB
- MD5: 12e60d21fd9c8675368635ea5246e393
- SHA1: 60ae64cd005f862797279fb151c9a0433b8e654c
- SHA256: 70c2422033dd395c0a6c15b5e6dbdde34aa65b7481d4b8298e70e0c3e72a2182
- SHA512: 6509c404b274af6250a241b441558d010729da12bbad47dd59c2da5a7480f682ff8c5bfeace9b2bc65db22f212b6399cd74f3f25ae22354db0ca8e06d85ed189
Malware Config
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- BazarBackdoor
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
- Bazar/Team9 Backdoor payload (3 IoCs)
  resource / yara_rule:
  - behavioral2/memory/3832-115-0x00007FF634940000-0x00007FF634991000-memory.dmp / BazarBackdoorVar4
  - behavioral2/memory/3832-116-0x00007FF634964580-mapping.dmp / BazarBackdoorVar4
  - behavioral2/memory/3832-117-0x00007FF634940000-0x00007FF634991000-memory.dmp / BazarBackdoorVar4
- Bazar/Team9 Loader payload (1 IoC)
  resource / yara_rule:
  - behavioral2/memory/632-114-0x0000000002A20000-0x0000000002BB7000-memory.dmp / BazarLoaderVar6
- Suspicious use of SetThreadContext (1 IoC)
  description / pid / Process / procid_target:
  - PID 632 set thread context of 3832 / 632 / regsvr32.exe / 77
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / Process (6 identical entries):
  - 632 / regsvr32.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target (64 identical entries):
  - PID 632 wrote to memory of 3832 / 632 / regsvr32.exe / 77
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JVrLyRD.dat.dll
  PID: 632
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup
    PID: 3832