General

  • Target

    new-documents-1048.iso

  • Size

    654KB

  • Sample

    211026-sg4rkshge5

  • MD5

    96e1b327cd6b8b5b5817dda1076f1a89

  • SHA1

    36630576f76b70e8ba990c52429d1d50cd0a1709

  • SHA256

    6a12f82afe261ec856bf1e72aa7767d5f05f9276e2558f1b4bf325af197a40f1

  • SHA512

    b78e9f6551ce75bd35d383ed89893d25eb94b36bf2fd3642222551ecf5d18be3a1708880af8d4066ff553591ac4d464d98352d4f7970cece6e27d959e52b1883

Malware Config

Targets

    • Target

      Documents.lnk

    • Size

      1KB

    • MD5

      4d8af5ba95aa23f7162b7bbf8622d801

    • SHA1

      d5b8c1a219686be5b75e58c560609023b491d9aa

    • SHA256

      e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162

    • SHA512

      f64416dbce111afe375efe031b05ed5b5b5c00c956d3c419d733147e4f0e751a60f3a22c72c36d45841abf85013c9647c6dc040cdd3d56c9b8cc35bccfd60d2c

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Bazar/Team9 Loader payload

    • Blocklisted process makes network request

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    System Information Discovery (T1082): 1

Tasks