bazarbackdoor | da252ac622459986b510cb100215f6b064b6da8bba74d4c3f6a69fa55b0ca7ea | Triage

Submit
Reports

Overview

overview

Static

static

Stolen Ima...nce.js

windows10_x64

Stolen Ima...nce.js

windows10_x64

Resubmissions

07-10-2021 22:07

211007-116dhsdbek 10

07-10-2021 21:50

211007-1p5b3schd7 10

Sharing

General

Target

Stolen Images Evidence.zip
Size

5KB
Sample

211007-116dhsdbek
MD5

bca68744a2ebca6009cdb51136e182bd
SHA1

0c887ca35a6965b1fcbbe3486e56f3ba06121d2c
SHA256

da252ac622459986b510cb100215f6b064b6da8bba74d4c3f6a69fa55b0ca7ea
SHA512

21beb88351530226af3b89e916f785c4bfe2b494383fd23a45f177d4296b16abc7df33ab747cbd137dbe2cd3ac4466feec288e449bfbb4192ca5e8356c269f6f

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Static task

static1

Behavioral task

behavioral1

Sample

Stolen Images Evidence.js

Resource

win10-en-20210920

bazarloader dropper loader

windows10_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

Stolen Images Evidence.js

Resource

win10-en-20210920

bazarbackdoor bazarloader backdoor dropper loader

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://mopuketo.space/333g100/index.php

Targets

- Target
  
  Stolen Images Evidence.js
- Size
  
  18KB
- MD5
  
  72217c4045c79d272f61a11845b6b660
- SHA1
  
  19d37ee5bf8cf53fcf6c24a5d2635a3c4dbb1a81
- SHA256
  
  4540b8ddc48ded9be70cbefdd11a5c2f3745f684adac2d7a3ca5976cb811104d
- SHA512
  
  250ffe4fd5ff60206fc39a225ad8318ae206fb883ed8246180b2a867f75b67dabfff5eed4f29e7c9a1396b6874906132dbd7ad13976b55e2c5769d359be27823
Score

10^/10

bazarloader dropper loader bazarbackdoor backdoor
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
  loader dropper bazarloader
- BazarBackdoor
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  backdoor bazarbackdoor
- Bazar/Team9 Backdoor payload
- Bazar/Team9 Loader payload
- Blocklisted process makes network request
- Tries to connect to .bazar domain
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

bazarloaderdropperloader

behavioral2

bazarbackdoorbazarloaderbackdoordropperloader

© 2018-2024

Terms | Privacy