bazarbackdoor | 9c4807666747c9befea4427e5b9791193fdb105d53400639e8cc401d92463be2

Target

029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39.dll
Size

288KB
MD5

6baeb5a0cd83e3a9878dc4d6d7a5509c
SHA1

93e655f671e4485473f0803787097e1f6a48a64c
SHA256

029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39
SHA512

dacd268b6bfad43f6c800a4c133b2e9d59477b77a93018d4c1c1cbf7086d5cdb400073bcc06a55a88fa80dd49d4e214332695ef9ed2ff6ea323c26441c8531b8

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader suricata

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

Bazar/Team9 Backdoor payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/620-120-0x00007FF6565B0000-0x00007FF656602000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/620-121-0x00007FF6565D5B00-mapping.dmp	BazarBackdoorVar4
behavioral1/memory/620-124-0x00007FF6565B0000-0x00007FF656602000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1648-118-0x0000000002060000-0x000000000213C000-memory.dmp	BazarLoaderVar6
behavioral1/memory/672-119-0x000001EE3CBE0000-0x000001EE3CCBC000-memory.dmp	BazarLoaderVar6
behavioral1/memory/3312-126-0x0000018B35020000-0x0000018B350FC000-memory.dmp	BazarLoaderVar6

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
289	owekygvi.bazar
768	amtoavvi.bazar
1040	esomavvi.bazar
397	ormewyom.bazar
798	owavygvi.bazar
1141	iqevavvi.bazar
996	iqsowyom.bazar
1091	amavavyw.bazar
1166	wesowyre.bazar
1346	amevwyre.bazar
154	etsoygom.bazar
390	wewawyre.bazar
569	piyrygre.bazar
900	seewygre.bazar
927	muudwyom.bazar
945	tuudavyw.bazar
196	piekwyvi.bazar
534	exevavre.bazar
694	owygekyw.bazar
812	tuviekom.bazar
1203	sereygvi.bazar
373	exviygre.bazar
496	owomygre.bazar
658	amwaygyw.bazar
1016	iqavekre.bazar
138	seeravre.bazar
622	wereygom.bazar
807	etywekvi.bazar
893	amrewyre.bazar
1257	uvevwyre.bazar
1350	pionavom.bazar
1356	ulewavvi.bazar
491	mumeygom.bazar
678	izevwyyw.bazar
705	amsoygom.bazar
809	piwywyom.bazar
860	wetoekvi.bazar
1045	izevekvi.bazar
1051	pisoavvi.bazar
1226	tuavekvi.bazar
73	reddew28c.bazar
325	weewygyw.bazar
1315	weavekvi.bazar
691	iqtowyyw.bazar
820	esekygre.bazar
934	uvreavyw.bazar
202	iqywygvi.bazar
251	uvekygyw.bazar
181	muomekre.bazar
265	wereygvi.bazar
557	uzyzwyom.bazar
633	amywwyre.bazar
660	zeyzygom.bazar
695	exywavom.bazar
131	etviwyvi.bazar
140	ulewavvi.bazar
1220	izwaavvi.bazar
1113	etekwyre.bazar
1204	tusoavyw.bazar
1209	iqerwyyw.bazar
473	wemeygre.bazar
784	izewekvi.bazar
239	zeywekom.bazar
253	uzywavre.bazar

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description	flow	ioc
HTTP URL	42	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
HTTP URL	50	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
HTTP URL	70	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
HTTP URL	1287	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
HTTP URL	1394	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 1648 set thread context of 620 1648 regsvr32.exe svchost.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

regsvr32.exe

pid process

1648 regsvr32.exe
1648 regsvr32.exe
1648 regsvr32.exe
1648 regsvr32.exe
1648 regsvr32.exe
1648 regsvr32.exe

description	pid	process	target process
PID 1648 set thread context of 620	1648	regsvr32.exe	svchost.exe

pid	process
1648	regsvr32.exe
1648	regsvr32.exe
1648	regsvr32.exe
1648	regsvr32.exe
1648	regsvr32.exe
1648	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe
PID 1648 wrote to memory of 620	1648	regsvr32.exe	svchost.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39.dll
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup
2⤵
PID:620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39.dll,StartW {A047C2EB-823A-4085-8024-CFC47A789586}
1⤵
PID:672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39.dll,StartW {A047C2EB-823A-4085-8024-CFC47A789586}
1⤵
PID:3312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\58CO2Y0O\geoip[1].txt
MD5
fcf7e62382da288f5971f617eece6f63

SHA1
70476a6d0b989eb141a61e307db78900aef566c4

SHA256
d8d3030fa6918815bb8fc92b060a41b0ab50ab6438bb7f887a3aa345a5e5f163

SHA512
ceb24d2fd6b739433e74aae622ff79992fb85550f8aad4a974a8894cfe71ecbeebd728105bc8f133fe65c38015be28a7cf8734f7c4305531409d293a83a17bb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HBPS4WXS\html[1].htm
MD5
448594fc3a9997ce42ccd69bdcf6dbb6

SHA1
f694d5745d89d95282832724d9c9c4aaddc2605e

SHA256
f20931e6108493a67cb20a1ca0b266f5c8c96509aa644f9d3f3d31f90c41240e

SHA512
4915ae2285e358e8cabcf1a13130b2140b9f1022005e9601cfbc2865c83c68d2a27c371a90203c178708272dca3356f11a4742e7fef133bb24c318f51c47268f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\QT2UOKDP\html[1].htm
MD5
4f8e702cc244ec5d4de32740c0ecbd97

SHA1
3adb1f02d5b6054de0046e367c1d687b6cdf7aff

SHA256
9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a

SHA512
21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f

Download Submit
memory/620-120-0x00007FF6565B0000-0x00007FF656602000-memory.dmp

Filesize
328KB

Download
memory/620-121-0x00007FF6565D5B00-mapping.dmp

Download
memory/620-124-0x00007FF6565B0000-0x00007FF656602000-memory.dmp

Filesize
328KB

Download
memory/672-119-0x000001EE3CBE0000-0x000001EE3CCBC000-memory.dmp

Filesize
880KB

Download
memory/1648-118-0x0000000002060000-0x000000000213C000-memory.dmp

Filesize
880KB

Download
memory/3312-126-0x0000018B35020000-0x0000018B350FC000-memory.dmp

Filesize
880KB

Download