Overview

overview

10

Static

static

6bf2a52b57...f9.dll

windows7_x64

10

6bf2a52b57...f9.dll

windows10_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    154s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    15-10-2021 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6bf2a52b5755de865d691045806936f9.dll

  • Size

    353KB

  • MD5

    6bf2a52b5755de865d691045806936f9

  • SHA1

    70c164d08608478ba36e1479f0277dffc4fd951f

  • SHA256

    5a7d360225defcc80b5d30efb865f76d377aaa044b5ec42c2c40a3359c968f3e

  • SHA512

    b7a3c199e2ae2904907726b831ba00222c734e69079574aa6ddbf023bbe5cb922a7cbd0130f3557b67ccc624264fb516824e1087fde4fbcce3681b66c16782bf

Score
10/10
bazarbackdoorbazarloaderbackdoordropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    backdoorbazarbackdoor
  • Bazar/Team9 Backdoor payload 3 IoCs
  • Bazar/Team9 Loader payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6bf2a52b5755de865d691045806936f9.dll
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup
      2⤵
        PID:3396
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bf2a52b5755de865d691045806936f9.dll,DllRegisterServer {9612463D-E44A-43E0-B9DC-81C04F80E835}
      1⤵
        PID:4052

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1892-115-0x0000000345021000-0x0000000345048000-memory.dmp

        Filesize

        156KB

        Download

      • memory/3396-117-0x00007FF7FE190000-0x00007FF7FE1DB000-memory.dmp

        Filesize

        300KB

        Download

      • memory/3396-118-0x00007FF7FE1B4730-mapping.dmp

        Download

      • memory/3396-119-0x00007FF7FE190000-0x00007FF7FE1DB000-memory.dmp

        Filesize

        300KB

        Download