General
-
Target
documents.010.21.doc
-
Size
34KB
-
Sample
211022-vwzghsbhd3
-
MD5
f869be235ac0196ca99e14cc06486306
-
SHA1
2bfd9a48321eef1e2458caf1559080aa213cadf4
-
SHA256
1b69a8362748d0d810262dd461bdb1bb778273f2760071bc773fe98b4f510cb4
-
SHA512
658622b3e5942421f7f062628ff5328242c07057ac450210b46977cc8d5684f2bdf87687b8e1023d8b6c7b5661710546be6ae2e9016f7fc9a0afee92bd1f9a31
Malware Config
Targets
-
-
Target
documents.010.21.doc
-
Size
34KB
-
MD5
f869be235ac0196ca99e14cc06486306
-
SHA1
2bfd9a48321eef1e2458caf1559080aa213cadf4
-
SHA256
1b69a8362748d0d810262dd461bdb1bb778273f2760071bc773fe98b4f510cb4
-
SHA512
658622b3e5942421f7f062628ff5328242c07057ac450210b46977cc8d5684f2bdf87687b8e1023d8b6c7b5661710546be6ae2e9016f7fc9a0afee92bd1f9a31
Score10/10-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Bazar/Team9 Loader payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Tries to connect to .bazar domain
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-