bazarbackdoor | 9c4807666747c9befea4427e5b9791193fdb105d53400639e8cc401d92463be2

Target

029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39.dll
Size

288KB
MD5

6baeb5a0cd83e3a9878dc4d6d7a5509c
SHA1

93e655f671e4485473f0803787097e1f6a48a64c
SHA256

029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39
SHA512

dacd268b6bfad43f6c800a4c133b2e9d59477b77a93018d4c1c1cbf7086d5cdb400073bcc06a55a88fa80dd49d4e214332695ef9ed2ff6ea323c26441c8531b8

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader suricata

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

Bazar/Team9 Backdoor payload 3 IoCs

resource	yara_rule
behavioral1/memory/620-120-0x00007FF6565B0000-0x00007FF656602000-memory.dmp	BazarBackdoorVar4
behavioral1/memory/620-121-0x00007FF6565D5B00-mapping.dmp	BazarBackdoorVar4
behavioral1/memory/620-124-0x00007FF6565B0000-0x00007FF656602000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral1/memory/1648-118-0x0000000002060000-0x000000000213C000-memory.dmp	BazarLoaderVar6
behavioral1/memory/672-119-0x000001EE3CBE0000-0x000001EE3CCBC000-memory.dmp	BazarLoaderVar6
behavioral1/memory/3312-126-0x0000018B35020000-0x0000018B350FC000-memory.dmp	BazarLoaderVar6

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

flow	ioc
289	owekygvi.bazar
768	amtoavvi.bazar
1040	esomavvi.bazar
397	ormewyom.bazar
798	owavygvi.bazar
1141	iqevavvi.bazar
996	iqsowyom.bazar
1091	amavavyw.bazar
1166	wesowyre.bazar
1346	amevwyre.bazar
154	etsoygom.bazar
390	wewawyre.bazar
569	piyrygre.bazar
900	seewygre.bazar
927	muudwyom.bazar
945	tuudavyw.bazar
196	piekwyvi.bazar
534	exevavre.bazar
694	owygekyw.bazar
812	tuviekom.bazar
1203	sereygvi.bazar
373	exviygre.bazar
496	owomygre.bazar
658	amwaygyw.bazar
1016	iqavekre.bazar
138	seeravre.bazar
622	wereygom.bazar
807	etywekvi.bazar
893	amrewyre.bazar
1257	uvevwyre.bazar
1350	pionavom.bazar
1356	ulewavvi.bazar
491	mumeygom.bazar
678	izevwyyw.bazar
705	amsoygom.bazar
809	piwywyom.bazar
860	wetoekvi.bazar
1045	izevekvi.bazar
1051	pisoavvi.bazar
1226	tuavekvi.bazar
73	reddew28c.bazar
325	weewygyw.bazar
1315	weavekvi.bazar
691	iqtowyyw.bazar
820	esekygre.bazar
934	uvreavyw.bazar
202	iqywygvi.bazar
251	uvekygyw.bazar
181	muomekre.bazar
265	wereygvi.bazar
557	uzyzwyom.bazar
633	amywwyre.bazar
660	zeyzygom.bazar
695	exywavom.bazar
131	etviwyvi.bazar
140	ulewavvi.bazar
1220	izwaavvi.bazar
1113	etekwyre.bazar
1204	tusoavyw.bazar
1209	iqerwyyw.bazar
473	wemeygre.bazar
784	izewekvi.bazar
239	zeywekom.bazar
253	uzywavre.bazar

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	42	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
HTTP URL	50	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
HTTP URL	70	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
HTTP URL	1287	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
HTTP URL	1394	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1648 set thread context of 620	1648	regsvr32.exe	73

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1648	regsvr32.exe
1648	regsvr32.exe
1648	regsvr32.exe
1648	regsvr32.exe
1648	regsvr32.exe
1648	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73
PID 1648 wrote to memory of 620	1648	regsvr32.exe	73

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39.dll
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  2⤵
  PID:620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39.dll,StartW {A047C2EB-823A-4085-8024-CFC47A789586}
1⤵
PID:672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39.dll,StartW {A047C2EB-823A-4085-8024-CFC47A789586}
1⤵
PID:3312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-120-0x00007FF6565B0000-0x00007FF656602000-memory.dmp

Filesize
328KB

Download
memory/620-124-0x00007FF6565B0000-0x00007FF656602000-memory.dmp

Filesize
328KB

Download
memory/672-119-0x000001EE3CBE0000-0x000001EE3CCBC000-memory.dmp

Filesize
880KB

Download
memory/1648-118-0x0000000002060000-0x000000000213C000-memory.dmp

Filesize
880KB

Download
memory/3312-126-0x0000018B35020000-0x0000018B350FC000-memory.dmp

Filesize
880KB

Download