bazarbackdoor | fd191c44be496e249149130aca11cfcc5db336f961c0ea406672c2acb59ca6a0

General

Target

accessClean.jpg.dll
Size

697KB
MD5

881b324a90273c109096ad480a147376
SHA1

93e5854614e861693a5d930c132ca4674bf9703d
SHA256

fd191c44be496e249149130aca11cfcc5db336f961c0ea406672c2acb59ca6a0
SHA512

a9658fccd3ad8dd73ed68c208006b4772a2774cd0fa6cf3172f6f2a9d43e23cf9f44b616fc4ef0eff46d1f753c85398747e52954ead82ca81844262708ac5e37

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3120-117-0x00007FF787B00000-0x00007FF787B4B000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/3120-118-0x00007FF787B24AB0-mapping.dmp	BazarBackdoorVar4
behavioral1/memory/3120-119-0x00007FF787B00000-0x00007FF787B4B000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3524-115-0x00000000013F0000-0x0000000001408000-memory.dmp	BazarLoaderVar6
behavioral1/memory/3728-116-0x000002BE1D510000-0x000002BE1D528000-memory.dmp	BazarLoaderVar6

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
180	ucekwyed.bazar
158	etuhuhem.bazar
178	etacwyyw.bazar
261	izudided.bazar
269	lisouhom.bazar
84	bielwyem.bazar
185	liidwyom.bazar
250	aqemided.bazar
235	agacuhem.bazar
241	ypcuekem.bazar
273	owekided.bazar
36	bluehail.bazar
58	vuewwyed.bazar
184	ehcuidyw.bazar
157	izsoekyw.bazar
83	owacidyw.bazar
93	ufwyuhom.bazar
124	biewuhed.bazar
194	huemuhom.bazar
230	biqeuhom.bazar
123	iqekekom.bazar
141	ehibuhem.bazar
191	ydedidom.bazar
236	exeleked.bazar
62	hutoekyw.bazar
149	owudwyem.bazar
150	exwyided.bazar
99	liemekom.bazar
226	tuwywyem.bazar
210	biedided.bazar
245	tywywyed.bazar
130	exudwyyw.bazar
156	ufemwyed.bazar
190	biibwyyw.bazar
54	agekidem.bazar
137	ucemwyem.bazar
200	ucewekom.bazar
183	tuomeked.bazar
225	tyudidyw.bazar
131	huwyidem.bazar
224	ehywekom.bazar
256	agtoekyw.bazar
77	tuedwyyw.bazar
81	fusouhem.bazar
98	ehonuhyw.bazar
148	ydywidyw.bazar
38	aqsouhyw.bazar
181	ehewekyw.bazar
242	ufiduhed.bazar
120	tuuhwyom.bazar
126	owomidom.bazar
223	uciduhem.bazar
46	exacuhed.bazar
139	tyuhuhyw.bazar
167	biywidem.bazar
204	ehidwyed.bazar
214	ydsowyem.bazar
92	ypudekyw.bazar
219	ufewwyyw.bazar
107	exomidem.bazar
90	vuididom.bazar
195	agsoeked.bazar
215	aguhidom.bazar
271	biacidyw.bazar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 31 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 3524 set thread context of 3120 3524 regsvr32.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exe

pid process

3524 regsvr32.exe
3524 regsvr32.exe
3524 regsvr32.exe
3524 regsvr32.exe
3524 regsvr32.exe
3524 regsvr32.exe

description	flow	ioc
HTTP URL	31	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

description	pid	process	target process
PID 3524 set thread context of 3120	3524	regsvr32.exe	svchost.exe

pid	process
3524	regsvr32.exe
3524	regsvr32.exe
3524	regsvr32.exe
3524	regsvr32.exe
3524	regsvr32.exe
3524	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe
PID 3524 wrote to memory of 3120	3524	regsvr32.exe	svchost.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\accessClean.jpg.dll
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  2⤵
  PID:3120

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\accessClean.jpg.dll,DllRegisterServer {179DD6C7-64BF-458C-AB10-45DDFBE4B706}
1⤵
PID:3728

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QT2UOKDP\8DuoXldd1a[1]

MD5
eeebfcc3b7dba60ade87fdb30d96ba70

SHA1
1f56c16ccc0680c99f97752537e16f75d2860fba

SHA256
039937372f41de224fa2769b08f557af0e3a7b876ec2e26b74a044805a51f98e

SHA512
8e9ee0cc3817c1b238c22a87c77a811dd041c15a1d71ff3fd3bd87b9b7951f20e8c1d6302b7fef940994cf79db7835ac0709768e75e12ac0eff6136843e419af

Download Submit
memory/3120-117-0x00007FF787B00000-0x00007FF787B4B000-memory.dmp

Filesize
300KB

Download
memory/3120-118-0x00007FF787B24AB0-mapping.dmp

Download
memory/3120-119-0x00007FF787B00000-0x00007FF787B4B000-memory.dmp

Filesize
300KB

Download
memory/3524-115-0x00000000013F0000-0x0000000001408000-memory.dmp

Filesize
96KB

Download
memory/3728-116-0x000002BE1D510000-0x000002BE1D528000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads