Resubmissions

07-10-2021 22:07

211007-116dhsdbek 10

07-10-2021 21:50

211007-1p5b3schd7 10

General

  • Target

    Stolen Images Evidence.zip

  • Size

    5KB

  • Sample

    211007-116dhsdbek

  • MD5

    bca68744a2ebca6009cdb51136e182bd

  • SHA1

    0c887ca35a6965b1fcbbe3486e56f3ba06121d2c

  • SHA256

    da252ac622459986b510cb100215f6b064b6da8bba74d4c3f6a69fa55b0ca7ea

  • SHA512

    21beb88351530226af3b89e916f785c4bfe2b494383fd23a45f177d4296b16abc7df33ab747cbd137dbe2cd3ac4466feec288e449bfbb4192ca5e8356c269f6f

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: http://mopuketo.space/333g100/index.php

Targets

    • Target

      Stolen Images Evidence.js

    • Size

      18KB

    • MD5

      72217c4045c79d272f61a11845b6b660

    • SHA1

      19d37ee5bf8cf53fcf6c24a5d2635a3c4dbb1a81

    • SHA256

      4540b8ddc48ded9be70cbefdd11a5c2f3745f684adac2d7a3ca5976cb811104d

    • SHA512

      250ffe4fd5ff60206fc39a225ad8318ae206fb883ed8246180b2a867f75b67dabfff5eed4f29e7c9a1396b6874906132dbd7ad13976b55e2c5769d359be27823

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • Bazar/Team9 Backdoor payload

    • Bazar/Team9 Loader payload

    • Blocklisted process makes network request

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks