Resubmissions

28-10-2021 03:09  211028-dnmdjshag8  10

28-10-2021 03:05  211028-dljjwahag3  10

General

  • Target: 5783209540485120.zip
  • Size: 361KB
  • Sample: 211028-dnmdjshag8
  • MD5: bbbd086e780ddd6a27876e802625f4d2
  • SHA1: bf0031e8d6cca5a3460dd8077587d038ee4048c5
  • SHA256: 8fa3a8b1a4fcfb8b01a3b45343a607b85912b3558dc5f81fa6f1e8258e2afc05
  • SHA512: 0c3947d1740f9eead872caa3447e0cc01bceaacab55f671314119251656334ba8f8d535ae5f0d89cd0609c5783e7e5af897249724007fd316714240a4385d8db

Malware Config

Targets

    • Target: 085a61a6665300691ccc02d742e3005fc6126db1f832fb71d40220ee93a5fdb9
    • Size: 601KB
    • MD5: 246de6e6c0a4a07deb3abc50dd3243d6
    • SHA1: 6f3cb2960cd407be7c79e5f80b3506631eba8d84
    • SHA256: 085a61a6665300691ccc02d742e3005fc6126db1f832fb71d40220ee93a5fdb9
    • SHA512: 01704dd036598be0ff867a9979202b8fc6b82b8bb2abf14dc36f80bd3ef0b98af03623888b9287dc0f3ef85b6394a67ae13d9f46cb1203154839ecfc27f5a537

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Bazar/Team9 Loader payload

    • Blocklisted process makes network request

    • Tries to connect to .bazar domain

      Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks