bazarbackdoor | fa0370ff42dc286e42ccdb8f11010d301f4e497b4e00b245a78ba78254b26d6c

Analysis

Target

7ff6ef240000.svchost.exe
Size

284KB
MD5

6a736aa551f569447c69adc60d6a52a9
SHA1

fc6de6d9ed272e144ae9c53e847bcd597027fecd
SHA256

fa0370ff42dc286e42ccdb8f11010d301f4e497b4e00b245a78ba78254b26d6c
SHA512

0a1ef4305adf67fbf9eadeaf0616e6e66f8a721022cc7e32278257b8ae0b10d772077df7c6b833b1ac88ee9a0c89f9f1636f2eaeaba9b164b48982a355356fda

Score

10^/10

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1588-59-0x0000000000010000-0x000000000005D000-memory.dmp	BazarBackdoorVar4

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1460 1588 WerFault.exe 7ff6ef240000.svchost.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1460 WerFault.exe
1460 WerFault.exe
1460 WerFault.exe
1460 WerFault.exe
1460 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1460 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1460 WerFault.exe

pid	pid_target	process	target process
1460	1588	WerFault.exe	7ff6ef240000.svchost.exe

pid	process
1460	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1460	WerFault.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7ff6ef240000.svchost.exe

description	pid	process	target process
PID 1588 wrote to memory of 1460	1588	7ff6ef240000.svchost.exe	WerFault.exe
PID 1588 wrote to memory of 1460	1588	7ff6ef240000.svchost.exe	WerFault.exe
PID 1588 wrote to memory of 1460	1588	7ff6ef240000.svchost.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\7ff6ef240000.svchost.exe
"C:\Users\Admin\AppData\Local\Temp\7ff6ef240000.svchost.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1588 -s 96
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1460

memory/1460-60-0x0000000000000000-mapping.dmp

Download
memory/1460-61-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/1460-62-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1588-59-0x0000000000010000-0x000000000005D000-memory.dmp

Filesize
308KB

Download