bazarbackdoor | 96d5aaa8342c344fdae21fe8fc414bed055f075435129e9e81d77667be7bb946 | Triage

Submit
Reports

Overview

overview

Static

static

aprilAcces......hTa

windows7_x64

aprilAcces......hTa

windows10_x64

1

Sharing

General

Target

aprilAccessWindows...hTa
Size

3KB
Sample

210930-by8y7agbbp
MD5

a7297781b5aecf4513d5a7a866e6281a
SHA1

a2c2d1365a122bd28b23426db3807ca712bc354a
SHA256

96d5aaa8342c344fdae21fe8fc414bed055f075435129e9e81d77667be7bb946
SHA512

09b297ecf0dbc561d3e8b249ce3bfacb1a17000e507caf116778656b665262a8144a2190f844c087f7e4ce357f656888c5e6867650739ebcd51b91330a6248d2

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Static task

static1

Behavioral task

behavioral1

Sample

aprilAccessWindows...hTa

Resource

win7-en-20210920

bazarbackdoor bazarloader backdoor dropper loader

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

aprilAccessWindows...hTa

Resource

win10v20210408

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  aprilAccessWindows...hTa
- Size
  
  3KB
- MD5
  
  a7297781b5aecf4513d5a7a866e6281a
- SHA1
  
  a2c2d1365a122bd28b23426db3807ca712bc354a
- SHA256
  
  96d5aaa8342c344fdae21fe8fc414bed055f075435129e9e81d77667be7bb946
- SHA512
  
  09b297ecf0dbc561d3e8b249ce3bfacb1a17000e507caf116778656b665262a8144a2190f844c087f7e4ce357f656888c5e6867650739ebcd51b91330a6248d2
Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
  loader dropper bazarloader
- BazarBackdoor
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  backdoor bazarbackdoor
- Bazar/Team9 Backdoor payload
- Bazar/Team9 Loader payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Tries to connect to .bazar domain
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bazarbackdoorbazarloaderbackdoordropperloader

behavioral2

© 2018-2024

Terms | Privacy