General

  • Target

    http://194.62.42.238/bmdff/NYp6E8NZ/69bMxpjXQ8sjdaCtoQevz1i1u1f6mH5lTo/kXJbmJ0tdz1iCNfKNfErriJrNMplz1cgYT2MKIpZ5/uJ67nSRTegX496/J7114vbdL03HTQtr4INSnQQ1oYZiei4/xpIgURh79MRasZs1zRvJHd0W/pHmgFDP9hOcUcQaSUPXT/lilu7?page=1upXSR0bnx&ref=80hJKlk0X3lOQl97&7pB04C9kle=6Od13N23n8GqPcBf&ref=7ojE6tyeOxSXlN8NiYFfJhjf

  • Sample

    210929-w5jcbsffdm

Malware Config

Targets

    • Target

      http://194.62.42.238/bmdff/NYp6E8NZ/69bMxpjXQ8sjdaCtoQevz1i1u1f6mH5lTo/kXJbmJ0tdz1iCNfKNfErriJrNMplz1cgYT2MKIpZ5/uJ67nSRTegX496/J7114vbdL03HTQtr4INSnQQ1oYZiei4/xpIgURh79MRasZs1zRvJHd0W/pHmgFDP9hOcUcQaSUPXT/lilu7?page=1upXSR0bnx&ref=80hJKlk0X3lOQl97&7pB04C9kle=6Od13N23n8GqPcBf&ref=7ojE6tyeOxSXlN8NiYFfJhjf

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

      Creates a process while naming a parent other than the caller (the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS attribute), so the child appears under a benign parent in process-tree views.

    • Bazar/Team9 Backdoor payload

    • Bazar/Team9 Loader payload

    • Downloads MZ/PE file

    • Tries to connect to .bazar domain

      Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others. .bazar is an EmerDNS (Emercoin blockchain) zone rather than an ICANN TLD, so an ordinary recursive resolver returns NXDOMAIN for it; the failed lookup is itself an indicator.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

      Rewrites the register context of a thread in another process, a step used in process hollowing and thread hijacking to redirect execution into injected code.
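The two network indicators listed above, the .bazar lookup and the external-IP check, can be hunted for in resolver logs. The following is an added example written for this page, not output of the sandbox and not code from the sample: the log line format, the EmerDNS zones other than .bazar, the list of IP-lookup service hostnames and the sample log lines are all constructed assumptions.

```python
"""Flag DNS queries matching two BazarLoader indicators: lookups for the
blockchain-based .bazar TLD and lookups of public external-IP services,
then correlate the two per client."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# EmerDNS (Emercoin blockchain) zones. Assumption: only .bazar comes from the
# report; the other zones are added by the editor for generality.
BLOCKCHAIN_TLDS = {"bazar", "coin", "emc", "lib"}

# Common external-IP lookup services. Assumption: the report does not say
# which service the sample contacted.
IP_LOOKUP_SERVICES = {
    "api.ipify.org", "icanhazip.com", "checkip.amazonaws.com",
    "ifconfig.me", "ipinfo.io", "myexternalip.com", "ip-api.com",
}

# Hypothetical resolver log format:
#   <iso-timestamp> <client-ip> query: <qname> <qtype> <rcode>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$"
)

# Constructed sample log: host 10.0.0.23 shows the loader pattern, host
# 10.0.0.77 is an admin checking their public IP, plus one malformed line.
SAMPLE_LOG = """\
2021-09-29T10:15:01 10.0.0.23 query: www.example.com. A NOERROR
2021-09-29T10:15:03 10.0.0.23 query: api.ipify.org. A NOERROR
2021-09-29T10:15:04 10.0.0.23 query: c2-placeholder.bazar. A NXDOMAIN
2021-09-29T10:15:09 10.0.0.23 query: c2-placeholder.bazar. A NXDOMAIN
not a query record
2021-09-29T10:20:00 10.0.0.77 query: icanhazip.com. A NOERROR
2021-09-29T10:21:00 10.0.0.77 query: www.example.org. AAAA NOERROR
"""


@dataclass
class Hit:
    ts: datetime
    client: str
    qname: str
    reason: str


def classify(qname: str) -> Optional[str]:
    """Return why a query name is suspicious, or None if it is not."""
    name = qname.rstrip(".").lower()
    tld = name.rsplit(".", 1)[-1]
    if tld in BLOCKCHAIN_TLDS:
        # NXDOMAIN is expected here; the attempt is the signal.
        return f"blockchain-tld:{tld}"
    if name in IP_LOOKUP_SERVICES or any(name.endswith("." + s) for s in IP_LOOKUP_SERVICES):
        return "external-ip-lookup"
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Parse resolver log lines and keep those matching an indicator."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a query record, skip
        reason = classify(m["qname"])
        if reason:
            hits.append(Hit(datetime.fromisoformat(m["ts"]), m["client"], m["qname"], reason))
    return hits


def correlate(hits: List[Hit], window_s: int = 300) -> List[str]:
    """Clients that performed an external-IP lookup and a blockchain-TLD
    query within window_s seconds of each other; one alone is weak."""
    by_client: Dict[str, List[Hit]] = {}
    for h in hits:
        by_client.setdefault(h.client, []).append(h)
    flagged = []
    for client, hs in by_client.items():
        ip_times = [h.ts for h in hs if h.reason == "external-ip-lookup"]
        tld_times = [h.ts for h in hs if h.reason.startswith("blockchain-tld:")]
        if any(abs((a - b).total_seconds()) <= window_s for a in ip_times for b in tld_times):
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts.isoformat()} {h.client} {h.qname} {h.reason}")
    print("correlated clients:", correlate(found))
```

The correlation step is what keeps the rule usable: an external-IP check on its own is common admin behaviour, and a single .bazar NXDOMAIN can be a typo, but a host doing both inside a few minutes matches the loader's observed sequence. Because the .bazar check keys on the query name, it fires even when the resolver cannot answer, which is the normal case outside EmerDNS-aware resolvers.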

MITRE ATT&CK Enterprise v6

Tasks