General

  • Target

    http://194.62.42.235/bmdff/qNM1ENwTaWf9b4TnsxWFa/D2mDljTIpH84VoWGt9/8/0x9A/l1sosKkxIzLLPRec1sHp0HDv0qZ5JZgepepwL/50CHuQXhQwlBJJ88gIaR0bMf4lOf2VCl193vBJqbSTCn/34690/lilu6?page=hBivV6h9LXV&cid=kbQb5vhYh8g1vP8MSMLdX&q=RQ6xbT0R051JW8vD3ghxXbHUK&time=0MnqPpO0PHfV4SzaaE6acg&=qEUZlR5qKFTaQTlPmSSvwusL&AJ=rdYw&user=qtjdzjfS9lydUTGj3NE&pSDT=myvEyBosrngmt&page=DYkgous&time=r82Uv

  • Sample

    210929-ww622afee9

Malware Config

Targets

    • Target

      http://194.62.42.235/bmdff/qNM1ENwTaWf9b4TnsxWFa/D2mDljTIpH84VoWGt9/8/0x9A/l1sosKkxIzLLPRec1sHp0HDv0qZ5JZgepepwL/50CHuQXhQwlBJJ88gIaR0bMf4lOf2VCl193vBJqbSTCn/34690/lilu6?page=hBivV6h9LXV&cid=kbQb5vhYh8g1vP8MSMLdX&q=RQ6xbT0R051JW8vD3ghxXbHUK&time=0MnqPpO0PHfV4SzaaE6acg&=qEUZlR5qKFTaQTlPmSSvwusL&AJ=rdYw&user=qtjdzjfS9lydUTGj3NE&pSDT=myvEyBosrngmt&page=DYkgous&time=r82Uv

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Bazar/Team9 Backdoor payload

    • Bazar/Team9 Loader payload

    • Downloads MZ/PE file

    • Tries to connect to .bazar domain

      Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks