Resubmissions

01-11-2021 12:31

211101-pp5r3ahha4 10

31-10-2021 09:03

211031-k1bwxacfaq 10

14-10-2021 01:44

211014-b6aflafeg4 10

General

  • Target

    SquirrelWaffle_13Oct.zip

  • Size

    8.9MB

  • Sample

    211031-k1bwxacfaq

  • MD5

    ec83f517a76991c651605295f3dcb01a

  • SHA1

    6fe41b2304b595a821aeca4d00dfd7466ecf5f50

  • SHA256

    9c4807666747c9befea4427e5b9791193fdb105d53400639e8cc401d92463be2

  • SHA512

    b4847e665d4debf75dfca30ce79229cb27cef44047804253c67c8c7134fb7e617e2a597d3cec4dc28875d142dca3aa90ff46fc84a196bcd37ba2baeb21a02ed8

Malware Config

Extracted

Family

qakbot

Version

402.363

Botnet

notset

Campaign

1632819510

C2

196.217.156.63:995

120.150.218.241:995

95.77.223.148:443

185.250.148.74:443

181.118.183.94:443

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633597626

C2

120.150.218.241:995

185.250.148.74:443

89.137.52.44:443

66.103.170.104:2222

86.8.177.143:443

216.201.162.158:443

174.54.193.186:443

103.148.120.144:443

188.50.169.158:443

124.123.42.115:2222

140.82.49.12:443

199.27.127.129:443

81.241.252.59:2078

209.142.97.161:995

209.50.20.255:443

73.230.205.91:443

200.232.214.222:995

103.142.10.177:443

2.222.167.138:443

41.228.22.180:443

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633334141

C2

75.75.179.226:443

185.250.148.74:443

122.11.220.212:2222

120.150.218.241:995

103.148.120.144:443

140.82.49.12:443

40.131.140.155:995

206.47.134.234:2222

73.230.205.91:443

190.198.206.189:2222

103.157.122.198:995

81.250.153.227:2222

167.248.100.227:443

96.57.188.174:2078

217.17.56.163:2222

217.17.56.163:2078

41.228.22.180:443

136.232.34.70:443

68.186.192.69:443

167.248.111.245:443

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Family

squirrelwaffle

C2

http://agora.360cyberlink.com/wpuDolwbH9c9

http://panel.betfredtakeaway.com/awJPDGElQ

http://believeinus.net/S6y8WsHm

http://onlinecourses.mirrainternationaluniversity.com/VnCSkt13PkuT

http://reward.tyrehamperpromotion.co.uk/GWJ3gHMtUdk

http://panels.betfredtakeaway.com/0PKIQI4OFxD

http://ambassade-mauritanie-rabat.net/hovwkJJaIt8

http://bitcoinup.bafflepoetry.org/uTyCcQUDkCX3

http://pwcgov-x.gq/doMZFSHYs

http://business-a.ml/lDyw7Vs3x

http://unifarma.com.br/6GREencD

http://digitalmaster.online/rgzce1W5g

http://patatec.com/OTfcXmew

http://megasoftsol.com/R26csFnDY

http://authentification.scanandrace.com/m1xwraBcBFN

http://new.actsgeneration.org/1vXSPxRR3bR

http://lagochapala.com.mx/DplUgNSqWfc

http://acdlimited.com/2u6aW9Pfe

http://jornaldasoficinas.com/ZF8GKIGVDupL

http://orldofjain.com/lMsTA7tSYpe

Attributes
  • blocklist

    94.46.179.80

    206.189.205.251

    88.242.66.45

    85.75.110.214

    87.104.3.136

    207.244.91.171

    49.230.88.160

    91.149.252.75

    91.149.252.88

    92.211.109.152

    178.0.250.168

    88.69.16.230

    95.223.77.160

    99.234.62.23

    2.206.105.223

    84.222.8.201

    89.183.239.142

    5.146.132.101

    77.7.60.154

    45.41.106.122

    45.74.72.13

    74.58.152.123

    88.87.68.197

    109.70.100.25

    185.67.82.114

    207.102.138.19

    204.101.161.14

    193.128.108.251

    111.7.100.17

    111.7.100.16

    74.125.210.62

    74.125.210.36

    104.244.74.57

    185.220.101.145

    185.220.101.144

    185.220.101.18

    185.220.100.246

    185.220.101.228

    185.220.100.243

    185.220.101.229

    185.220.101.147

    185.220.102.250

    185.220.100.241

    199.195.251.84

    213.164.204.94

    74.125.213.7

    74.125.213.9

    185.220.100.249

    37.71.173.58

    93.2.220.100

    188.10.191.109

    81.36.17.247

    70.28.47.118

    45.133.172.222

    108.41.227.196

    37.235.53.46

    162.216.47.22

    154.3.42.51

    45.86.200.60

    212.230.181.152

    185.192.70.11

    37.142.65.69

    87.166.51.31

    178.198.76.175

    128.90.172.136

    172.58.227.224

    201.77.112.133

    64.124.12.162

    87.166.51.28

    104.244.72.115

    109.70.100.23

    192.145.127.220

    194.186.142.122

    185.207.249.217

    52.250.42.144

    45.86.201.156

    195.245.199.125

    213.33.190.70

    154.61.71.13

    154.13.1.22

    191.96.185.151

    40.94.25.22

    40.94.25.39

    40.94.25.5

    40.94.25.79

    40.94.25.69

    40.94.25.71

    40.94.25.60

    40.94.25.64

    40.94.25.29

    40.94.25.23

    40.94.25.89

    40.94.26.165

    40.94.26.210

    40.94.26.208

    40.94.26.166

    40.94.26.216

    40.94.26.173

    40.94.26.182

    40.94.35.75

    40.94.35.97

    40.94.35.27

    40.94.35.38

    40.94.35.46

    40.94.35.76

    40.94.35.70

    40.94.35.80

    40.94.35.98

    40.94.35.40

    45.86.200.23

    198.167.212.98

    40.94.31.87

    40.94.31.85

    40.94.31.29

    40.94.31.97

    40.94.31.88

    40.94.31.80

    40.94.31.65

    198.167.195.112

    40.94.31.58

    40.94.31.48

    40.94.31.64

    40.94.31.26

    40.94.31.66

    40.94.31.90

    40.94.31.46

    40.94.31.47

    212.119.227.184

    72.12.194.93

    72.12.194.94

    72.12.194.92

    134.209.213.55

    35.198.84.59

    89.208.29.2

    40.94.30.159

    40.94.30.139

    40.94.30.152

    40.94.30.167

    40.94.30.164

    40.94.30.166

    40.94.30.174

    40.94.30.151

    154.61.71.53

    40.94.30.157

    40.94.30.136

    40.94.30.149

    52.154.162.74

    213.33.190.161

    83.84.25.214

    162.251.62.154

    188.241.177.152

    92.211.110.221

    185.183.107.236

    72.12.194.90

    40.94.25.36

    40.94.29.4

    40.94.25.50

    40.94.29.31

    40.94.25.31

    40.94.29.41

    40.94.31.5

    40.94.25.80

    40.94.29.82

    40.94.31.81

    40.94.25.96

    40.94.29.59

    40.94.31.3

    40.94.25.58

    40.94.31.61

    40.94.31.49

    40.94.31.54

    40.94.31.62

    40.94.31.70

    40.94.30.211

    40.94.30.148

    40.94.30.218

    40.94.30.147

    40.94.30.129

    40.94.31.15

    40.94.30.169

    40.94.31.36

    40.94.30.223

    40.94.30.203

    95.211.36.179

    64.233.172.102

    153.246.206.71

    198.167.193.35

    90.187.12.209

    37.49.116.179

    52.167.22.240

    160.177.96.15

    185.123.143.220

    167.99.172.253

    40.94.36.81

    86.107.21.203

    24.37.31.38

    71.19.154.84

    192.160.102.170

    216.251.130.74

    49.44.76.43

    109.147.65.157

    86.217.130.91

    178.174.15.54

    86.242.244.97

    92.46.70.105

    81.201.234.26

    78.94.217.60

    141.226.236.91

    95.26.228.102

    89.208.29.3

    213.33.190.205

    213.33.190.121

    5.154.174.45

    23.154.177.3

    195.65.152.138

    93.231.174.227

    185.220.101.132

    54.36.101.21

    72.12.194.91

    46.14.116.174

    141.19.232.57

    185.220.101.149

    45.74.46.69

    157.230.210.133

    82.199.130.36

    104.237.193.28

    187.46.138.56

    195.164.49.162

    156.146.49.135

    195.164.49.191

    79.104.209.54

    35.245.134.90

    20.52.139.186

    189.139.144.151

    94.31.102.187

    39.43.45.71

    107.189.10.143

    39.43.123.57

    106.75.76.179

    194.186.142.131

    210.22.129.194

    45.130.83.77

    154.6.16.175

    162.247.73.192

    107.189.1.160

    185.107.47.215

    46.166.139.111

    185.56.80.65

    185.220.100.245

    209.141.59.180

    77.247.181.163

    185.220.101.137

    185.220.100.242

    104.244.76.13

    185.83.214.69

    185.220.100.252

    185.112.146.73

    185.57.82.28

    89.187.171.116

    66.220.242.222

    39.43.72.17

    5.171.90.80

    185.152.32.77

    23.129.64.157

    92.151.9.187

    106.75.31.237

    122.167.79.251

    109.70.100.33

    199.249.230.154

    64.233.172.108

    64.233.172.106

    64.233.172.104

    77.247.181.165

    107.189.12.240

    79.142.76.203

    193.128.114.34

    185.92.26.59

    185.65.210.119

    70.39.159.79

    70.39.159.29

    151.48.26.15

    151.48.26.15

    2.228.159.178

    188.174.248.154

    188.174.248.154

    95.90.198.182

    95.90.198.182

    193.0.200.36

    193.0.200.36

    151.127.13.232

    89.97.249.158

    212.115.152.225

    185.217.117.179

    199.249.230.164

    80.233.134.134

    109.74.154.92

    65.39.88.250

    90.84.192.187

    37.70.202.24

    85.203.45.30

    109.190.93.219

    151.8.114.194

    176.235.38.106

    149.56.99.85

    138.128.136.169

    213.82.23.224

    192.42.123.107

    128.90.151.188

    162.245.206.249

    85.203.45.40

    95.211.95.242

    185.220.102.251

    66.203.112.160

    193.128.108.246

    193.128.108.242

    31.204.150.74

    34.141.245.25

    122.167.85.191

    212.6.86.133

    171.25.193.25

    149.3.170.147

    162.247.74.217

    109.70.100.34

    89.208.29.5

    79.104.209.91

    79.104.209.157

    194.186.142.205

    198.167.217.20

    198.167.193.112

    204.101.161.31

    198.167.219.82

    195.74.76.222

    87.118.110.27

    185.247.225.43

    193.128.108.250

    188.212.135.7

    106.75.75.245

    86.142.177.106

    185.192.69.77

    198.167.209.37

    59.144.163.235

    193.128.108.243

    31.204.152.150

    87.166.49.39

    82.127.202.176

    58.40.175.6

    92.222.212.17

    88.123.105.51

    45.114.130.4

    216.251.130.75

    187.22.129.46

    187.22.129.46

    45.153.160.129

    80.155.50.158

    80.155.50.158

    212.234.209.161

    213.9.159.210

    88.149.207.35

    88.149.207.35

    88.149.207.35

    37.159.148.162

    151.8.6.86

    91.62.233.251

    109.3.219.42

    109.3.219.42

    109.3.219.42

    196.23.168.132

    192.87.28.103

    207.244.70.35

    79.104.209.172

    89.208.29.6

    195.239.51.18

    79.104.209.52

    194.154.78.73

    185.220.102.240

    109.70.100.27

    208.68.5.17

    185.191.124.143

    45.153.160.130

    163.172.213.212

    193.128.108.245

    51.83.131.42

    109.62.69.3

    109.62.69.3

    147.135.68.11

    209.58.188.133

    193.128.108.253

    94.242.243.171

    185.183.106.148

    185.220.102.248

    109.70.100.20

    37.58.58.249

    69.167.10.41

    109.62.69.2

    45.141.56.7

    104.244.74.55

    193.128.108.247

    185.31.175.243

    45.61.185.125

    185.57.82.27

    122.182.203.3

    82.221.105.78

    37.187.196.70

    45.153.160.138

    89.163.252.12

    193.128.108.252

    198.167.199.100

    198.167.199.106

    70.39.116.252

    193.128.108.248

    188.43.68.132

    79.104.209.46

    213.33.190.122

    95.25.38.53

    80.255.7.72

    212.119.227.132

    212.119.227.169

    194.186.142.52

    38.132.118.67

    37.120.143.139

    193.128.108.249

    66.249.88.48

    66.249.88.50

    66.249.88.46

    104.244.74.28

    198.96.155.3

    205.185.124.200

    109.70.100.36

    193.189.100.202

    185.31.175.215

    84.147.60.16

    45.242.1.134

    5.22.190.138

    84.147.62.235

    89.208.29.7

    194.154.78.130

    106.75.66.75

    185.217.1.11

    103.254.153.204

    198.167.201.23

    185.31.175.231

    23.184.48.9

    18.27.197.252

    107.189.11.153

    128.199.56.132

    104.248.166.43

    192.145.127.221

    185.100.87.202

    94.46.179.80

    206.189.205.251

    178.255.172.194

    84.221.205.40

    155.138.242.103

    178.212.98.156

    85.65.32.191

    31.167.184.201

    88.242.66.45

    36.65.102.42

    203.213.127.79

    85.75.110.214

    93.78.214.187

    204.152.81.185

    183.171.72.218

    168.194.101.130

    87.104.3.136

    92.211.196.33

    197.92.140.125

    207.244.91.171

    49.230.88.160

    196.74.16.153

    91.149.252.75

    91.149.252.88

    92.206.15.202

    82.21.114.63

    92.211.109.152

    178.0.250.168

    178.203.145.135

    85.210.36.4

    199.83.207.72

    86.132.134.203

    88.69.16.230

    99.247.129.88

    37.201.195.12

    87.140.192.0

    88.152.185.188

    87.156.177.91

    99.229.57.160

    95.223.77.160

    88.130.54.214

    99.234.62.23

    2.206.105.223

    94.134.179.130

    84.221.255.199

    84.222.8.201

    89.183.239.142

    87.158.21.26

    93.206.148.216

    5.146.132.101

    77.7.60.154

    95.223.75.85

    162.254.173.187

    50.99.254.163

    45.41.106.122

    99.237.13.3

    45.74.72.13

    108.171.64.202

    74.58.152.123

    216.209.253.121

    88.87.68.197

    211.107.25.121

    109.70.100.25

    185.67.82.114

    207.102.138.19

    204.101.161.14

    193.128.108.251

    111.7.100.17

    111.7.100.16

    74.125.210.62

    74.125.210.36

    104.244.74.57

    185.220.101.145

    185.220.101.144

    185.220.101.18

    185.220.100.246

    185.220.101.228

    185.220.100.243

    185.220.101.229

    185.220.101.147

    185.220.102.250

    185.220.100.241

    199.195.251.84

    213.164.204.94

    74.125.213.7

    74.125.213.9

    177.38.183.13

    185.220.100.249

    85.55.1.73

    85.55.1.73

    37.71.173.58

    82.65.34.224

    93.2.220.100

    188.10.191.109

    24.100.23.115

    81.36.17.247

    90.161.75.4

    213.194.157.212

    117.211.140.154

Extracted

Family

qakbot

Version

402.343

Botnet

tr

Campaign

1632730751

C2

95.77.223.148:443

47.22.148.6:443

89.101.97.139:443

27.223.92.142:995

120.151.47.189:443

136.232.34.70:443

120.150.218.241:995

185.250.148.74:443

181.118.183.94:443

140.82.49.12:443

67.165.206.193:993

103.148.120.144:443

71.74.12.34:443

76.25.142.196:443

73.151.236.31:443

173.21.10.71:2222

75.188.35.168:443

2.178.88.145:61202

71.80.168.245:443

45.46.53.140:2222

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Family

qakbot

Version

402.318

Botnet

obama101

Campaign

1632228858

C2

47.22.148.6:443

24.55.112.61:443

140.82.49.12:443

24.139.72.117:443

136.232.34.70:443

24.229.150.54:995

71.74.12.34:443

73.151.236.31:443

120.150.218.241:995

105.198.236.99:443

76.25.142.196:443

45.46.53.140:2222

144.139.47.206:443

96.37.113.36:993

173.21.10.71:2222

67.165.206.193:993

189.210.115.207:443

109.12.111.14:443

68.204.7.158:443

95.77.223.148:443

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1632817399

C2

105.198.236.99:443

140.82.49.12:443

37.210.152.224:995

89.101.97.139:443

81.241.252.59:2078

27.223.92.142:995

81.250.153.227:2222

73.151.236.31:443

47.22.148.6:443

122.11.220.212:2222

120.151.47.189:443

199.27.127.129:443

216.201.162.158:443

136.232.34.70:443

76.25.142.196:443

181.118.183.94:443

120.150.218.241:995

185.250.148.74:443

95.77.223.148:443

75.66.88.33:443

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633943125

C2

140.82.49.12:443

89.137.52.44:443

24.107.165.50:443

66.216.193.114:443

75.131.217.182:443

41.86.42.158:995

24.119.214.7:443

67.166.233.75:443

105.198.236.99:443

120.151.47.189:443

2.222.167.138:443

41.228.22.180:443

78.105.213.151:995

5.193.125.67:995

41.86.42.158:443

96.57.188.174:2078

120.150.218.241:995

66.177.215.152:0

122.11.220.212:2222

73.52.50.32:443

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Family

qakbot

Version

402.318

Botnet

obama102

Campaign

1632302707

C2

120.150.218.241:995

47.22.148.6:443

105.198.236.99:443

95.77.223.148:443

140.82.49.12:443

27.223.92.142:995

73.151.236.31:443

136.232.34.70:443

144.139.47.206:443

45.46.53.140:2222

76.25.142.196:443

173.21.10.71:2222

75.188.35.168:443

71.74.12.34:443

96.37.113.36:993

67.165.206.193:993

189.210.115.207:443

72.252.201.69:443

24.139.72.117:443

24.229.150.54:995

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Extracted

Family

qakbot

Version

402.363

Botnet

tr

Campaign

1633597816

C2

120.150.218.241:995

185.250.148.74:443

89.137.52.44:443

66.103.170.104:2222

86.8.177.143:443

216.201.162.158:443

174.54.193.186:443

103.148.120.144:443

188.50.169.158:443

124.123.42.115:2222

140.82.49.12:443

199.27.127.129:443

81.241.252.59:2078

209.142.97.161:995

209.50.20.255:443

73.230.205.91:443

200.232.214.222:995

103.142.10.177:443

2.222.167.138:443

41.228.22.180:443

Attributes
  • salt

    jHxastDcds)oMc=jvh7wdUhxcsdt2

Targets

    • Target

      029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39

    • Size

      288KB

    • MD5

      6baeb5a0cd83e3a9878dc4d6d7a5509c

    • SHA1

      93e655f671e4485473f0803787097e1f6a48a64c

    • SHA256

      029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39

    • SHA512

      dacd268b6bfad43f6c800a4c133b2e9d59477b77a93018d4c1c1cbf7086d5cdb400073bcc06a55a88fa80dd49d4e214332695ef9ed2ff6ea323c26441c8531b8

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

      suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    • Bazar/Team9 Backdoor payload

    • Bazar/Team9 Loader payload

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      061dfb6a251e536f700a295239652dafab34aee5e5145320d1d57e3fca5e5d52

    • Size

      605KB

    • MD5

      b166029cc6b11b16e9d29b22db5398df

    • SHA1

      899238df1e045ed91034fc589e32ea9d19d0c09b

    • SHA256

      061dfb6a251e536f700a295239652dafab34aee5e5145320d1d57e3fca5e5d52

    • SHA512

      aea6569743fc4d3d6180e93018e7a8184e4f657cc6807652840a48d9f269f534dc15072e94e27f28f40e6cedd65a0ecc4408db274b2a48854da38578ab500616

    • Target

      06d55f75d7c76d6924c0b8439fa3cda28b89284204a6db982e4baf3a37fb35d2

    • Size

      676KB

    • MD5

      dd119e4cab8169c27e5bb65f306ed792

    • SHA1

      a93b6b76b8427caa20f2c041fbf50ba27d2b6aac

    • SHA256

      06d55f75d7c76d6924c0b8439fa3cda28b89284204a6db982e4baf3a37fb35d2

    • SHA512

      74f86cab700fe211152ce8b74166156c4feebc71c9f5907fafafca531b2f47af7e9d4d52409411e488e6dd4109e4823b915ff7129d7b2f9a416dde765a3a18cb

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Windows security bypass

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      24401ac43b6dbb7048cb27425b4f0f76a9b20b6b4fffa33ff8091c3c11ef8365

    • Size

      488KB

    • MD5

      8c778eded8caf98e71730b164b805e1b

    • SHA1

      8f2180d092ac3b623d2372cb01eaccde0f5e402c

    • SHA256

      24401ac43b6dbb7048cb27425b4f0f76a9b20b6b4fffa33ff8091c3c11ef8365

    • SHA512

      666aa5d99be4efa4a3a9c9021a116d8484e05120224c463b66246bf99f0d925a37b54c8e6902b7c7d8c7929c6748cc2ca45801525346de5bcef205a6fac33b18

    Score
    3/10
    • Target

      260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840

    • Size

      1.0MB

    • MD5

      10c150a949585ba3603cce27707331f0

    • SHA1

      9eeb1747902951835245545b7b3b1e6408c708c2

    • SHA256

      260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840

    • SHA512

      668ea267488635b88ef6a929501f8f6b34a02ccb2fa01a311caf89f5c683f0dd6877d8714ddf8b6b24e7a447c40f2cf5c42698638a52ff7b27e6c47ce4f4578b

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Windows security bypass

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      26cd03696045fb93b415b022fa6bc832098394bf362f4b4c4e897e9550d12618

    • Size

      518KB

    • MD5

      c9b2167e784286fcf1835c0d9ba0eade

    • SHA1

      8035bf4ada5abdffa9a7566c965b3caf897f3fed

    • SHA256

      26cd03696045fb93b415b022fa6bc832098394bf362f4b4c4e897e9550d12618

    • SHA512

      aef1eaadf55f3a49182588d348e985775960eec11e2240ca874cc5b502b1825ab61f29edbc72b9e8b6d9e68713325ef8c3a5a21606603e477a6bc09b7b841138

    • SquirrelWaffle is a simple downloader written in C++.

      SquirrelWaffle.

    • suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

      suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

    • Squirrelwaffle Payload

    • Blocklisted process makes network request

    • Target

      2a0a88a2e5f9cafa10a48d63bdfcdf965b72c25978ab46cf28e795dbedc9624a

    • Size

      506KB

    • MD5

      803768a34f7e59b8a9a2f3969624c47e

    • SHA1

      09a38940ef023929897fdc9c996de0b0f39116e2

    • SHA256

      2a0a88a2e5f9cafa10a48d63bdfcdf965b72c25978ab46cf28e795dbedc9624a

    • SHA512

      21e4aa621360a4ec4a0c73fad494e133f2584f92d058a72772e390c7bf1e1ad3e4d0778e95b590c663fe5efed3cfbecb08d5e78e1216c1bfbef729062806722f

    Score
    3/10
    • Target

      2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894

    • Size

      172KB

    • MD5

      2c55997f5febc79d8aec77991f178138

    • SHA1

      9d6d02ba0d021b6cdbf1fb8f594ebab3214325da

    • SHA256

      2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894

    • SHA512

      099ad760edaf05a1b180f451c48762627bfc374c8ed2e1ff8969d18787a366495b3576cf7f3724c932d52fa34897e4ee57b7824df9c11d6f6784ec310ee40820

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

      suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    • Bazar/Team9 Backdoor payload

    • Bazar/Team9 Loader payload

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      336cdd146beca939c6d1e3e3c00cc10ec2d6e859a18d350bff937ad5194c27da

    • Size

      833KB

    • MD5

      97406f2cee93cdb660848c99e6d291e6

    • SHA1

      17aa4ce85e931fdf383b864144a3c1b6e68f91e2

    • SHA256

      336cdd146beca939c6d1e3e3c00cc10ec2d6e859a18d350bff937ad5194c27da

    • SHA512

      4884d65111c7da44832d30eb0cd7bcee9aceb6de24a610eb0709960d1276ad963214b8c620b14960a43319b0d77da7af3f622a5d6f1d36f31190ac2c641be4ef

    • Target

      417c1828d98ba4f05f7a2edb71a9105f0aebf3d554393970b96e59d4db7b4473

    • Size

      359KB

    • MD5

      4f18fd01d6afd232553fbbf602b2a4e2

    • SHA1

      e50a8e3bfb891dc723f5c7fc2276055102d0a097

    • SHA256

      417c1828d98ba4f05f7a2edb71a9105f0aebf3d554393970b96e59d4db7b4473

    • SHA512

      750493256643799b3de954298874f6df1d87bf6fd3afa259689af2ba9159374f274937490be6159650237a74778e5565e4f9d4e5e359f9e71cc1c5fd385b4dd3

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE BazaLoader Activity (GET)

      suricata: ET MALWARE BazaLoader Activity (GET)

    • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

      suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    • Bazar/Team9 Loader payload

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Suspicious use of SetThreadContext

    • Target

      4d3095c7965c7bdd32b81b72c95f767134915cf08ebe1237721ed5208de4beee

    • Size

      488KB

    • MD5

      7f0b9d11c95a65e9e9f87b2341bb01ad

    • SHA1

      93abbf5758c39672d69502690b5e4003a47f9e72

    • SHA256

      4d3095c7965c7bdd32b81b72c95f767134915cf08ebe1237721ed5208de4beee

    • SHA512

      eb81b291a55ab91dfaef4a64661b2325c594890ebbcb71b00d5029275c1b7ec43880d85737fceba3c0de1cd20ed94ffa7a9112424c3ef25fd0e21e586a329648

    • Target

      54e526fe059a3f25cdaed954e32f44eadffb3e51548658409468dcf2d63b634c

    • Size

      398KB

    • MD5

      36e57cea07affea16fa5921d348021dc

    • SHA1

      822d62e274e51516318fea9a12a0c6237d964782

    • SHA256

      54e526fe059a3f25cdaed954e32f44eadffb3e51548658409468dcf2d63b634c

    • SHA512

      3bfd989132682eaf3a14f143a7d93e00ba3a2d35ead9cffd5aeb394e8d9040b679191094e0ab1c1393aa22cc2a20e59b9c0ca88bc661793ab2b02fdb92d90c54

    Score
    1/10
    • Target

      6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b

    • Size

      235KB

    • MD5

      8e37795097400f6a609525749d154cd0

    • SHA1

      8e1502c2aa56e6a8c7c1d2c75f3946332a5bb8c0

    • SHA256

      6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b

    • SHA512

      c7453b8f50e557a5990ac3708931845eeb6dc2992cd907d5534733524f523226d8d013be6e09bb2b5210f6f5ad2303625f8998a5111d3b0925bb4228b6c9152a

    • SquirrelWaffle is a simple downloader written in C++.

      SquirrelWaffle.

    • suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

      suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

    • Squirrelwaffle Payload

    • Blocklisted process makes network request

    • Target

      64c044cb3ec26babdd17107b2aa6ded60b22473c4e2943e1fcc03df8bc2e0edb

    • Size

      439KB

    • MD5

      22aef4558853a72dd07ff9513a6b9dbf

    • SHA1

      52a914b43dfa44910ab649be77a57db631d038ee

    • SHA256

      64c044cb3ec26babdd17107b2aa6ded60b22473c4e2943e1fcc03df8bc2e0edb

    • SHA512

      550f72f4d6186869893b2dc6536b3ce9bcb7843b0db726a1d9fb118291b1e96d642dfb57369b85ff58c41b38d6c40f6853d1da752f589aa419cb1f4d35381be4

    • Target

      671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e

    • Size

      334KB

    • MD5

      84a32095bcbc0ed694f09f1dd8f2a70f

    • SHA1

      23f7334db6979f04d5a2a9a846f82c526bfe6736

    • SHA256

      671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e

    • SHA512

      e3db14700e24210d1e2f1c19fcbb1b7074d73f5cdc4cbaf737b9a92a4f3b8d9b71efaa450aac9f7f4baef1ca8463f0668a3d72b888e0d39195e4c6115de5012a

    • SquirrelWaffle is a simple downloader written in C++.

      SquirrelWaffle.

    • suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response

      suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response

    • suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

      suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

    • suricata: ET MALWARE SQUIRRELWAFFLE Server Response

      suricata: ET MALWARE SQUIRRELWAFFLE Server Response

    • Squirrelwaffle Payload

    • Blocklisted process makes network request

    • Target

      67785724b67ecd79b7cd4c64a249794b9abda8b680fe52a0ce85bb83ddfb6cce

    • Size

      1.4MB

    • MD5

      c00e0c5f7cf5ca5a1ecaf2f52cb0fe3f

    • SHA1

      943f28aaad96f667c5afc9480f14f06701b6faf1

    • SHA256

      67785724b67ecd79b7cd4c64a249794b9abda8b680fe52a0ce85bb83ddfb6cce

    • SHA512

      685b3472e5a9f11fa21bc21b4c213256aaa23ed12db109ceb410f018df4e24114628ae9c6088d43e438d8f756f18dcad83797ee39562eb17c0131f1aa4133078

    Score
    3/10
    • Target

      6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb

    • Size

      172KB

    • MD5

      f943853cddc15b59823962b28f08b809

    • SHA1

      3e46675756a6f0dc722c620f3bc12610fe27c010

    • SHA256

      6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb

    • SHA512

      1a524916b6af5b071e2d4e533fb302b062383c2edb941a7a6e3d9e92897b2e7f612aa444eeff8c4de6499421f3823d54efa9b375b22c0fe6d301ff1bcb632985

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

      suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    • Bazar/Team9 Backdoor payload

    • Bazar/Team9 Loader payload

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      6f63742c25fd3a2dae5995f182254c253003066488ef86e754f661e8ba1d76fd

    • Size

      471KB

    • MD5

      687550f98527483a1c49ab185a2105ea

    • SHA1

      42d0db4cdc64e1fc2e57025f031f285cf0ba45a3

    • SHA256

      6f63742c25fd3a2dae5995f182254c253003066488ef86e754f661e8ba1d76fd

    • SHA512

      2b92d4cb037c0a6dd6855819d8e44ec036bc3fac71d7c2ee537bb6dfe907888b69b97958ebaa7b102e473f76ce6d1811ce090fb1e7ab38c18d2b1c6098403fc5

    • Target

      813a9b03c6c1caec4eca8a867dcfbda7860bca6a5d481acb4c131c1a868d4b48

    • Size

      316KB

    • MD5

      2e81d980351ef546bde5459decd02b63

    • SHA1

      2166e54daf42356b61a6c07754aa8d7a1f085109

    • SHA256

      813a9b03c6c1caec4eca8a867dcfbda7860bca6a5d481acb4c131c1a868d4b48

    • SHA512

      40c9916efd82a11e1c4afe64b0109b11de8e323c43ac43fdc21203c32d4c04c2f808e5688f281a20f8d05985cca7e6aed3db0f6ddd89241480a1f553a8da1009

    • SquirrelWaffle is a simple downloader written in C++.

      SquirrelWaffle.

    • suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response

      suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response

    • suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

      suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

    • suricata: ET MALWARE SQUIRRELWAFFLE Server Response

      suricata: ET MALWARE SQUIRRELWAFFLE Server Response

    • Squirrelwaffle Payload

    • Blocklisted process makes network request

    • Target

      839ac59a78a0f2c446edb3cccbaf0bc5781605a1f848878f9e96cd5e0e425fe3

    • Size

      1.1MB

    • MD5

      2eb9fcc198e5adc902797ad4cf6b44d6

    • SHA1

      4e3451336ed44af410fdd4fa91316f80fc695fb2

    • SHA256

      839ac59a78a0f2c446edb3cccbaf0bc5781605a1f848878f9e96cd5e0e425fe3

    • SHA512

      2cac97e753a35a328a273f72eeec97cc143c0c245d0a59dbac8cffb06f7862ee723c54428d11366b3cabc5673751893ce85d62bdb531e6fdc32676c10c1b9104

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Windows security bypass

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939

    • Size

      316KB

    • MD5

      5ec89ea30af2cc38ae183d12ffacbcf7

    • SHA1

      bee82e104c1082442c7ff029b2781a04a3e80cd5

    • SHA256

      85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939

    • SHA512

      7e25703e68ec87d1da4b8d5f2bfe4e1e09b6bd88bb3e662b82cda77496badd5c6c1b3685ade9c4d4a100fb43972d3356bb22c7089a4edc2e1c174aa3fbf639cf

    • SquirrelWaffle is a simple downloader written in C++.

      SquirrelWaffle.

    • suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response

      suricata: ET MALWARE Possible SQUIRRELWAFFLE Server Response

    • suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

      suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

    • suricata: ET MALWARE SQUIRRELWAFFLE Server Response

      suricata: ET MALWARE SQUIRRELWAFFLE Server Response

    • Squirrelwaffle Payload

    • Blocklisted process makes network request

    • Target

      a34cb4049eb43d455d8619607cc6e1a8c380e9d8507306e9c5bc17eaed6459c4

    • Size

      833KB

    • MD5

      5f00035c9fb5b740abaee795979b82ed

    • SHA1

      6c980a4d7cc1461645acd4c763a86b9c4e896707

    • SHA256

      a34cb4049eb43d455d8619607cc6e1a8c380e9d8507306e9c5bc17eaed6459c4

    • SHA512

      92f917f67ae59140909c9e6f42821c6b6396ad10e8a51b3bdfcdb86051d0967c95fe5886ae67be6cfbeef970ea8a75e6ec3f5aa56661334e6de843ed353dd46f

    • Target

      a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360

    • Size

      172KB

    • MD5

      7a70755b8388c0bc73c7cdc557150dca

    • SHA1

      8ed83eeadcda38d92ab079a7b8483cbdb8cc3ac1

    • SHA256

      a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360

    • SHA512

      a9347e82c9cb77be18841badf0fccece9a860a48fa17ad3ad410120cc6bd6fa585758c9071c4627d22b8a49eee615032cc4448cfb1860be87b3ea77311e5616f

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

      suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    • Bazar/Team9 Backdoor payload

    • Bazar/Team9 Loader payload

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      a98e988f03fd5be37c66878017a3dcd741adf75bf1df1ed6dde2c15ee213bb48

    • Size

      539KB

    • MD5

      767d96c69b79aaee30d86f0e6de31f66

    • SHA1

      491f958fe118bf0bcc5f4d33d3fc1b9933202300

    • SHA256

      a98e988f03fd5be37c66878017a3dcd741adf75bf1df1ed6dde2c15ee213bb48

    • SHA512

      60b53ff68d2042c709ba7f6113962d2f0fd13b6fdb28ab91a57f0a0bdcf8628bd94d8f1b283ca6f74e8ecd1154bdb0b9fbbffb051dc180a8758d01b8ce5a12f5

    • Target

      acc31f97c3124a317f2939944777e103311f4b0c51788d2e562c24a08e2afe27

    • Size

      611KB

    • MD5

      650393a4720518176d8bc503cf686cf6

    • SHA1

      ea2a8f0aab617f00a532a68a91ee96be427ce372

    • SHA256

      acc31f97c3124a317f2939944777e103311f4b0c51788d2e562c24a08e2afe27

    • SHA512

      5b889d3c5a918f8c5f971ecb3a2ff5518974250ad7ddbc536b596933fd81ba90db5cb63fc9be7d70b94257de45980ff3979d1eb9cb5ff8868d699c5bfa8f2f37

    • Target

      b194eec1e599feeadfd463b06727e8b3c73a72a4c20017e5cfaf89fbf6d365c7

    • Size

      448KB

    • MD5

      879628efe6fb566fc83cb019a4d90f5d

    • SHA1

      b4eb4da4ed99f50c0e02b12c23b2ea65dceed706

    • SHA256

      b194eec1e599feeadfd463b06727e8b3c73a72a4c20017e5cfaf89fbf6d365c7

    • SHA512

      4c5ec0815de1112bc633afb96f50f03bc9506246ce1e4bc6aa8c5b6690941339b16a26f33f7999ba02dc5c460f846da51b4ed2a8f041a68c4bc8991fe2cd8a1c

    • Qakbot/Qbot

      Qbot or Qakbot is a sophisticated worm with banking capabilities.

    • Windows security bypass

    • Loads dropped DLL

    • Drops file in System32 directory

    • Target

      bac73f9ccebf93009a6037145a9c71a2e8b916956f6a7e6a4f4b53b4b50b7a00

    • Size

      605KB

    • MD5

      603a1d8b3f20334204e552072eadabd1

    • SHA1

      995aa3f702a7925f18c7febef2289358f7bbf788

    • SHA256

      bac73f9ccebf93009a6037145a9c71a2e8b916956f6a7e6a4f4b53b4b50b7a00

    • SHA512

      1f8378f17ad8de55ec445c9301730a34b235b4b04381dc1146c2950c3475c7d7b0250ac6ac5182bf9c4efd9e3c94a85035757f61625ae34f4640aa64e8f2cdaa

    • Target

      c5d2f0da18fb33a25b53fd8b9b98f0bfa95458e3c0feb687852f469167a0110c

    • Size

      359KB

    • MD5

      b2c85051f93825721307c34cd0f0cb34

    • SHA1

      ca3a01d833dafaef66c2614dc3039f9c2a376229

    • SHA256

      c5d2f0da18fb33a25b53fd8b9b98f0bfa95458e3c0feb687852f469167a0110c

    • SHA512

      490a972e0bcbb88011829e0834c2f2dc163c91d9f078755413dd88eb48580f8adb37b7fdc20264f2e642c58e07ff2f7503f47ec05c152839d31954b22e869377

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE BazaLoader Activity (GET)

      suricata: ET MALWARE BazaLoader Activity (GET)

    • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

      suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    • Bazar/Team9 Loader payload

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Suspicious use of SetThreadContext

    • Target

      d559ee0a26fa500cd57fac25d58ba4319a794f329c8711e89afac3c281f9dd7e

    • Size

      115KB

    • MD5

      c20d92be3da1b2e4ac470f0b34d60b83

    • SHA1

      cb17bf7e2bee12261930baa304d8f73417a283d8

    • SHA256

      d559ee0a26fa500cd57fac25d58ba4319a794f329c8711e89afac3c281f9dd7e

    • SHA512

      1fee9d1825fc6b71f6830f0d9451f49b993a14f0b1ec79c18beb3d897b2a390df2a69f7076ca9d97760f9495d126d803fd6991692e4eeab250fe391bd5e6e626

    Score
    1/10
    • Target

      db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479

    • Size

      172KB

    • MD5

      6feafb5aa21e924e2a7dfc0cb87653e6

    • SHA1

      eae7d011f43747b9a67b115733dc906dcbf976e7

    • SHA256

      db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479

    • SHA512

      b21704bc4b06eed4d3468d144f90132af87af031dd9f6ad3ac771f75d9b02227eecbac79a53079955bbd9ea3a050d14a52af5829a50eaec745b7c617c16bc1a1

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

      suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    • Bazar/Team9 Backdoor payload

    • Bazar/Team9 Loader payload

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    • Target

      e5efde974017a12a573548f12b5473887601c897e8660eb57803c18523f72815

    • Size

      518KB

    • MD5

      3e809308f937a1252c9d4975dd21f47f

    • SHA1

      ae9e57fac6310a27e31ebc1e67d0cf6b206d455a

    • SHA256

      e5efde974017a12a573548f12b5473887601c897e8660eb57803c18523f72815

    • SHA512

      d0312291cb56bdce01ba3067520bf22daa69814f7dc9812d87fb54f20a60f639d05af8cc7db9c7f10d4451386044cb941303f6c9dbc274ac08922d9bd30a0906

    • SquirrelWaffle is a simple downloader written in C++.

      SquirrelWaffle.

    • suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

      suricata: ET MALWARE SQUIRRELWAFFLE Loader Activity (POST)

    • Squirrelwaffle Payload

    • Blocklisted process makes network request

    • Target

      fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c

    • Size

      172KB

    • MD5

      a3d0c939bd3ecb8d11bd06c2bd15f45e

    • SHA1

      b7fcdacc3507ed2f84752068fb0039c600003536

    • SHA256

      fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c

    • SHA512

      40a6bf12a8aedf563ae762249b8d5c44c39a1002ec581f07f1ff0f5b91dd6dfe6badadd71ae15efa608e129e5b3389390bf62d40dca9fddca2e04bd37e045f52

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

      suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    • Bazar/Team9 Backdoor payload

    • Bazar/Team9 Loader payload

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

8
T1053

Persistence

Scheduled Task

8
T1053

Registry Run Keys / Startup Folder

3
T1060

Privilege Escalation

Scheduled Task

8
T1053

Defense Evasion

Disabling Security Tools

5
T1089

Modify Registry

8
T1112

Tasks

static1

Score
N/A

behavioral1

bazarbackdoorbazarloaderbackdoordropperloadersuricata
Score
10/10

behavioral2

qakbotnotset1632819510bankerstealertrojan
Score
10/10

behavioral3

qakbottr1633597626bankerevasionstealertrojan
Score
10/10

behavioral4

Score
3/10

behavioral5

qakbottr1633334141bankerevasionstealertrojan
Score
10/10

behavioral6

squirrelwaffledownloadersuricata
Score
10/10

behavioral7

Score
3/10

behavioral8

bazarbackdoorbazarloaderbackdoordropperloadersuricata
Score
10/10

behavioral9

qakbottr1632730751bankerpersistencestealertrojan
Score
10/10

behavioral10

bazarloaderdropperloadersuricata
Score
10/10

behavioral11

qakbotobama1011632228858bankerstealertrojan
Score
10/10

behavioral12

Score
1/10

behavioral13

squirrelwaffledownloadersuricata
Score
10/10

behavioral14

squirrelwaffledownloader
Score
10/10

behavioral15

squirrelwaffledownloadersuricata
Score
10/10

behavioral16

Score
3/10

behavioral17

bazarbackdoorbazarloaderbackdoordropperloadersuricata
Score
10/10

behavioral18

qakbottr1632817399bankerpersistencestealertrojan
Score
10/10

behavioral19

squirrelwaffledownloadersuricata
Score
10/10

behavioral20

qakbottr1633943125bankerevasionstealertrojan
Score
10/10

behavioral21

squirrelwaffledownloadersuricata
Score
10/10

behavioral22

qakbottr1633597626bankerevasionpersistencestealertrojan
Score
10/10

behavioral23

bazarbackdoorbazarloaderbackdoordropperloadersuricata
Score
10/10

behavioral24

qakbotobama1021632302707bankerstealertrojan
Score
10/10

behavioral25

qakbottr1633597816bankerstealertrojan
Score
10/10

behavioral26

qakbottr1632817399bankerevasionstealertrojan
Score
10/10

behavioral27

qakbotnotset1632819510bankerstealertrojan
Score
10/10

behavioral28

bazarloaderdropperloadersuricata
Score
10/10

behavioral29

Score
1/10

behavioral30

bazarbackdoorbazarloaderbackdoordropperloadersuricata
Score
10/10

behavioral31

squirrelwaffledownloadersuricata
Score
10/10

behavioral32

bazarbackdoorbazarloaderbackdoordropperloadersuricata
Score
10/10