General
-
Target
diretto_09.21.doc
-
Size
131KB
-
Sample
210930-bsxzqsgbbk
-
MD5
b00b548fde0aed1436f7ec6f9a87b007
-
SHA1
6a54bc7bc4f8a7c6747e26733482bda28d8e3054
-
SHA256
8d9a5a1713cf71f93f7a79045d329f690233df1273e2eba1e9f0dc6dae28411a
-
SHA512
3003ec06428c49459a79f6a78322ff3d10a5cab499ed1897a78ebdf052b1bd289518c8d89c21e2171cfeec6c46203cdfbe63aef444f34522124647f38cba0aa6
Malware Config
Targets
-
-
Target
diretto_09.21.doc
-
Size
131KB
-
MD5
b00b548fde0aed1436f7ec6f9a87b007
-
SHA1
6a54bc7bc4f8a7c6747e26733482bda28d8e3054
-
SHA256
8d9a5a1713cf71f93f7a79045d329f690233df1273e2eba1e9f0dc6dae28411a
-
SHA512
3003ec06428c49459a79f6a78322ff3d10a5cab499ed1897a78ebdf052b1bd289518c8d89c21e2171cfeec6c46203cdfbe63aef444f34522124647f38cba0aa6
Score10/10-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Bazar/Team9 Backdoor payload
-
Bazar/Team9 Loader payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Loads dropped DLL
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-