Overview

overview

10

Static

static

029b714502...39.dll

windows10_x64

10

061dfb6a25...52.dll

windows10_x64

10

06d55f75d7...d2.dll

windows10_x64

10

24401ac43b...65.dll

windows10_x64

3

260e2d5769...40.dll

windows10_x64

10

26cd036960...18.dll

windows10_x64

10

2a0a88a2e5...4a.dll

windows10_x64

3

2f33217d51...94.dll

windows10_x64

10

336cdd146b...da.dll

windows10_x64

10

417c1828d9...73.dll

windows10_x64

10

4d3095c796...ee.dll

windows10_x64

10

54e526fe05...4c.dll

windows10_x64

1

6402b33d72...3b.dll

windows10_x64

10

64c044cb3e...db.dll

windows10_x64

10

671f477c30...4e.dll

windows10_x64

10

67785724b6...ce.dll

windows10_x64

3

6c6934613a...fb.dll

windows10_x64

10

6f63742c25...fd.dll

windows10_x64

10

813a9b03c6...48.dll

windows10_x64

10

839ac59a78...e3.dll

windows10_x64

10

85d0b72fe8...39.dll

windows10_x64

10

a34cb4049e...c4.dll

windows10_x64

10

a55c19c552...60.dll

windows10_x64

10

a98e988f03...48.dll

windows10_x64

10

acc31f97c3...27.dll

windows10_x64

10

b194eec1e5...c7.dll

windows10_x64

10

bac73f9cce...00.dll

windows10_x64

10

c5d2f0da18...0c.dll

windows10_x64

10

d559ee0a26...7e.dll

windows10_x64

1

db5276c0d5...79.dll

windows10_x64

10

e5efde9740...15.dll

windows10_x64

10

fe028e6f99...1c.dll

windows10_x64

10

Resubmissions

01-11-2021 12:31

211101-pp5r3ahha4 10

31-10-2021 09:03

211031-k1bwxacfaq 10

14-10-2021 01:44

211014-b6aflafeg4 10

Analysis

  • max time kernel
    3826s
  • max time network
    3844s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    31-10-2021 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll

  • Size

    172KB

  • MD5

    f943853cddc15b59823962b28f08b809

  • SHA1

    3e46675756a6f0dc722c620f3bc12610fe27c010

  • SHA256

    6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb

  • SHA512

    1a524916b6af5b071e2d4e533fb302b062383c2edb941a7a6e3d9e92897b2e7f612aa444eeff8c4de6499421f3823d54efa9b375b22c0fe6d301ff1bcb632985

Score
10/10
bazarbackdoorbazarloaderbackdoordropperloadersuricata

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    backdoorbazarbackdoor
  • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    suricata
  • Bazar/Team9 Backdoor payload 3 IoCs
  • Bazar/Team9 Loader payload 3 IoCs
  • Tries to connect to .bazar domain 64 IoCs

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup
      2⤵
        PID:1092
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll,DllRegisterServer {7E1BEB6D-F803-4A02-8AAD-6652C4AF37C6}
      1⤵
        PID:3628
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll,DllRegisterServer {7E1BEB6D-F803-4A02-8AAD-6652C4AF37C6}
        1⤵
          PID:1732

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1092-120-0x00007FF71D950000-0x00007FF71D99C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1092-122-0x00007FF71D950000-0x00007FF71D99C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1732-125-0x00000245F6F60000-0x00000245F708C000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1992-118-0x00000000027C0000-0x00000000028EC000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3628-119-0x000002C090ED0000-0x000002C090FFC000-memory.dmp

          Filesize

          1.2MB

          Download