bazarbackdoor | fd191c44be496e249149130aca11cfcc5db336f961c0ea406672c2acb59ca6a0

General

Target

accessClean.jpg.dll
Size

697KB
MD5

881b324a90273c109096ad480a147376
SHA1

93e5854614e861693a5d930c132ca4674bf9703d
SHA256

fd191c44be496e249149130aca11cfcc5db336f961c0ea406672c2acb59ca6a0
SHA512

a9658fccd3ad8dd73ed68c208006b4772a2774cd0fa6cf3172f6f2a9d43e23cf9f44b616fc4ef0eff46d1f753c85398747e52954ead82ca81844262708ac5e37

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3836-117-0x00007FF790660000-0x00007FF7906AB000-memory.dmp	BazarBackdoorVar4
behavioral2/memory/3836-118-0x00007FF790684AB0-mapping.dmp	BazarBackdoorVar4
behavioral2/memory/3836-119-0x00007FF790660000-0x00007FF7906AB000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1860-115-0x0000000000CD0000-0x0000000000CE8000-memory.dmp	BazarLoaderVar6
behavioral2/memory/2160-116-0x0000028340D10000-0x0000028340D28000-memory.dmp	BazarLoaderVar6

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1860 set thread context of 3836 1860 regsvr32.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exe

pid process

1860 regsvr32.exe
1860 regsvr32.exe
1860 regsvr32.exe
1860 regsvr32.exe
1860 regsvr32.exe
1860 regsvr32.exe

description	pid	process	target process
PID 1860 set thread context of 3836	1860	regsvr32.exe	svchost.exe

pid	process
1860	regsvr32.exe
1860	regsvr32.exe
1860	regsvr32.exe
1860	regsvr32.exe
1860	regsvr32.exe
1860	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe
PID 1860 wrote to memory of 3836	1860	regsvr32.exe	svchost.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\accessClean.jpg.dll
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  2⤵
  PID:3836

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\accessClean.jpg.dll,DllRegisterServer {B1D1A3B3-B622-4D2E-975B-BEBD0748212A}
1⤵
PID:2160

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1860-115-0x0000000000CD0000-0x0000000000CE8000-memory.dmp

Filesize
96KB

Download
memory/2160-116-0x0000028340D10000-0x0000028340D28000-memory.dmp

Filesize
96KB

Download
memory/3836-117-0x00007FF790660000-0x00007FF7906AB000-memory.dmp

Filesize
300KB

Download
memory/3836-118-0x00007FF790684AB0-mapping.dmp

Download
memory/3836-119-0x00007FF790660000-0x00007FF7906AB000-memory.dmp

Filesize
300KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads