Resubmissions

31-10-2021 06:34

211031-hbtpbaffb7 10

29-10-2021 13:36

211029-qwckjaabcq 10

General

  • Target

    main.php

  • Size

    329KB

  • Sample

    211031-hbtpbaffb7

  • MD5

    9c9b58c38841af6f89ff90a746d63cec

  • SHA1

    95481d6dfa4660bd24ac519561269b6fbd4571c1

  • SHA256

    11f3d84aad7131fe124155c9edfceb594649e87de1ee03383f470442d6ed69a1

  • SHA512

    7b32798e4652f05861cdb5e03abb1eeebe4183c4f5411cc73166fc1e31dab37c00104e3cc035b2fc9c8c3300b561c17b9cffccc8af79fbc78ea2b1b1e721b518

Malware Config

Targets

    • Target

      main.php

    • Size

      329KB

    • MD5

      9c9b58c38841af6f89ff90a746d63cec

    • SHA1

      95481d6dfa4660bd24ac519561269b6fbd4571c1

    • SHA256

      11f3d84aad7131fe124155c9edfceb594649e87de1ee03383f470442d6ed69a1

    • SHA512

      7b32798e4652f05861cdb5e03abb1eeebe4183c4f5411cc73166fc1e31dab37c00104e3cc035b2fc9c8c3300b561c17b9cffccc8af79fbc78ea2b1b1e721b518

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Bazar/Team9 Loader payload

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks