bazarbackdoor | 016a36baa939016b069f379a632769eca6e77639543283583b1d5b675065279f

General

Target

UAKahml.dat.dll
Size

512KB
MD5

6e2316bb2c6cb9c5e3c26398574e5548
SHA1

81be2c346afec4bc248f6332bcb287b3bb6ea547
SHA256

016a36baa939016b069f379a632769eca6e77639543283583b1d5b675065279f
SHA512

c8efe49ab78db3f9e7e246ecd3624d91d16f076409414181a006e336640fc9b388acc8252a462241ca52afd6bc8265036fb40eff8e631c2f347af2389b821455

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2168-116-0x00007FF73C500000-0x00007FF73C54A000-memory.dmp	BazarBackdoorVar4
behavioral2/memory/2168-117-0x00007FF73C524110-mapping.dmp	BazarBackdoorVar4
behavioral2/memory/2168-118-0x00007FF73C500000-0x00007FF73C54A000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2384-115-0x00000000006D0000-0x00000000006F8000-memory.dmp	BazarLoaderVar6

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 2384 set thread context of 2168 2384 regsvr32.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exe

pid process

2384 regsvr32.exe
2384 regsvr32.exe
2384 regsvr32.exe
2384 regsvr32.exe
2384 regsvr32.exe
2384 regsvr32.exe

description	pid	process	target process
PID 2384 set thread context of 2168	2384	regsvr32.exe	svchost.exe

pid	process
2384	regsvr32.exe
2384	regsvr32.exe
2384	regsvr32.exe
2384	regsvr32.exe
2384	regsvr32.exe
2384	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe
PID 2384 wrote to memory of 2168	2384	regsvr32.exe	svchost.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\UAKahml.dat.dll
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  2⤵
  PID:2168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\system32\regsvr32.exe,DllRegisterServer {D87E2AB3-BD1F-4E89-8EA4-0A714A41BA21}
1⤵
PID:1284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2168-116-0x00007FF73C500000-0x00007FF73C54A000-memory.dmp

Filesize
296KB

Download
memory/2168-117-0x00007FF73C524110-mapping.dmp

Download
memory/2168-118-0x00007FF73C500000-0x00007FF73C54A000-memory.dmp

Filesize
296KB

Download
memory/2384-115-0x00000000006D0000-0x00000000006F8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads