General

  • Target

    zas8.zip

  • Size

    178KB

  • Sample

    211021-2w6zxsbger

  • MD5

    1fb6b7560707ee9185fe265c1ce9ad06

  • SHA1

    efdff025d9bbf27690a992e9a6258b58ad74c199

  • SHA256

    b4fa00fb44fe8433bcdddc473018f1c34aac4c6022200c3bb9edef0bbb2e5757

  • SHA512

    25faa99de729dfc907c6e3bac92133a44468c087945c9d25df48e8e74206edeb99c6fce544c04668d192bb1f709ccf4ac82b2077a0d0eb32278843fd4794a694

Malware Config

Targets

    • Target

      zas8

    • Size

      341KB

    • MD5

      cdcd4487dad0a1d43fca2376a895c516

    • SHA1

      342bab7e1ed48a969bd68a063c56173b9bcff3bc

    • SHA256

      c1a12ae2564e0cd19ce6239ab1d635c1ef590f3fb8cab2a3f6ea822eaaf1af4e

    • SHA512

      68899b3efa9290581e043c80dc915ab9e25e4582f2395fcc5593e4dd94c27bb1cbfad23439a1d7f412581a179590c4b658d07b3cd4d16295b06789e277f42496

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE BazaLoader Activity (GET)

    • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    • Bazar/Team9 Loader payload

    • Tries to connect to .bazar domain

      Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others. .bazar is an EmerDNS (Emercoin blockchain) top-level domain that is not delegated from the ICANN root, so a standard recursive resolver answers NXDOMAIN; the lookup attempt itself is the indicator.

    • Suspicious use of SetThreadContext
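
The .bazar lookup above is the one network behaviour in this report that is cheap to hunt for in existing DNS telemetry. The following is an added example, not code from the sandbox report or from the sample: it scans a Zeek-style dns.log for queries whose TLD is one of the EmerDNS blockchain TLDs (.bazar, .coin, .emc, .lib), so it generalises slightly beyond the .bazar case the signature describes. The column layout follows Zeek's dns.log (a subset of its fields), and every hostname, address and uid in the sample log is constructed for this example, not a real indicator. Matching is on the final label only, so a legitimate name such as bazar.example.org is not flagged, and NXDOMAIN answers are kept because that is exactly what a normal resolver returns for these TLDs.

```python
"""Flag DNS lookups for EmerDNS blockchain TLDs in a Zeek-style dns.log.

Added example for the BazarLoader sandbox report; not the sandbox's own
detection code. Column order assumed: a subset of Zeek dns.log fields.
"""

from collections import defaultdict

# EmerDNS (Emercoin blockchain) top-level domains. They are not delegated by
# the ICANN root, so a normal recursive resolver answers NXDOMAIN; the lookup
# attempt itself is the indicator. .bazar is the one BazarBackdoor uses.
EMERDNS_TLDS = frozenset({"bazar", "coin", "emc", "lib"})

# Constructed sample log (not real traffic). Columns, in Zeek dns.log order:
#   ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  query  rcode_name
# The '#fields' header line is skipped by the parser like any Zeek comment.
SAMPLE_DNS_LOG = "\n".join("\t".join(row) for row in [
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
     "id.resp_p", "query", "rcode_name"),
    ("1634857200.101", "CAb1", "10.0.0.12", "51234", "10.0.0.1", "53",
     "www.example.com", "NOERROR"),
    ("1634857201.204", "CAb2", "10.0.0.12", "51235", "10.0.0.1", "53",
     "example-loader.bazar", "NXDOMAIN"),
    ("1634857201.311", "CAb3", "10.0.0.12", "51236", "10.0.0.1", "53",
     "example-c2.bazar.", "NXDOMAIN"),          # trailing dot, FQDN form
    ("1634857202.005", "CAb4", "10.0.0.33", "40011", "10.0.0.1", "53",
     "bazar.example.org", "NOERROR"),            # 'bazar' label, but TLD .org
    ("1634857203.900", "CAb5", "10.0.0.33", "40012", "10.0.0.1", "53",
     "EXAMPLE-BACKUP.Coin", "NXDOMAIN"),         # mixed case, another EmerDNS TLD
])


def tld_of(name: str) -> str:
    """Return the lowercase final label of a query name, or '' for a
    single-label name. A trailing dot is stripped so 'host.bazar.' and
    'host.bazar' compare equal."""
    labels = name.strip().rstrip(".").lower().split(".")
    return labels[-1] if len(labels) > 1 else ""


def parse_dns_log(text: str):
    """Yield one dict per data row; skip blank lines, Zeek '#' header and
    comment lines, and rows with too few columns."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) < 8:
            continue  # malformed or truncated row
        yield {"ts": cols[0], "src": cols[2], "query": cols[6], "rcode": cols[7]}


def find_emerdns_queries(text: str, tlds=EMERDNS_TLDS):
    """Return the parsed rows whose query name ends in an EmerDNS TLD.
    The rcode is deliberately not used as a filter: NXDOMAIN is the
    expected answer from an ICANN-root resolver for these names."""
    return [row for row in parse_dns_log(text) if tld_of(row["query"]) in tlds]


def summarize_by_host(hits):
    """Map each querying host to its sorted, normalised set of flagged names,
    which is the shape you want for triage and for a blocklist."""
    by_host = defaultdict(set)
    for row in hits:
        by_host[row["src"]].add(row["query"].rstrip(".").lower())
    return {host: sorted(names) for host, names in by_host.items()}


if __name__ == "__main__":
    hits = find_emerdns_queries(SAMPLE_DNS_LOG)
    for row in hits:
        print(f"{row['ts']} {row['src']} -> {row['query']} ({row['rcode']})")
    print(summarize_by_host(hits))
```

Run it against a real dns.log by reading the file into `find_emerdns_queries`; on hosts that resolve through DNS-over-HTTPS the query never reaches the network DNS log, so pair this with endpoint DNS telemetry (for example Sysmon Event ID 22, where the same TLD check applies to the QueryName field).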
