Overview
overview
10Static
static
029b714502...39.dll
windows10_x64
10061dfb6a25...52.dll
windows10_x64
1006d55f75d7...d2.dll
windows10_x64
1024401ac43b...65.dll
windows10_x64
3260e2d5769...40.dll
windows10_x64
1026cd036960...18.dll
windows10_x64
102a0a88a2e5...4a.dll
windows10_x64
32f33217d51...94.dll
windows10_x64
10336cdd146b...da.dll
windows10_x64
10417c1828d9...73.dll
windows10_x64
104d3095c796...ee.dll
windows10_x64
1054e526fe05...4c.dll
windows10_x64
16402b33d72...3b.dll
windows10_x64
1064c044cb3e...db.dll
windows10_x64
10671f477c30...4e.dll
windows10_x64
1067785724b6...ce.dll
windows10_x64
36c6934613a...fb.dll
windows10_x64
106f63742c25...fd.dll
windows10_x64
10813a9b03c6...48.dll
windows10_x64
10839ac59a78...e3.dll
windows10_x64
1085d0b72fe8...39.dll
windows10_x64
10a34cb4049e...c4.dll
windows10_x64
10a55c19c552...60.dll
windows10_x64
10a98e988f03...48.dll
windows10_x64
10acc31f97c3...27.dll
windows10_x64
10b194eec1e5...c7.dll
windows10_x64
10bac73f9cce...00.dll
windows10_x64
10c5d2f0da18...0c.dll
windows10_x64
10d559ee0a26...7e.dll
windows10_x64
1db5276c0d5...79.dll
windows10_x64
10e5efde9740...15.dll
windows10_x64
10fe028e6f99...1c.dll
windows10_x64
10Resubmissions
01-11-2021 12:31
211101-pp5r3ahha4 1031-10-2021 09:03
211031-k1bwxacfaq 1014-10-2021 01:44
211014-b6aflafeg4 10Analysis
-
max time kernel
3810s -
max time network
3824s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
31-10-2021 09:03
Static task
static1
Behavioral task
behavioral1
Sample
029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral2
Sample
061dfb6a251e536f700a295239652dafab34aee5e5145320d1d57e3fca5e5d52.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral3
Sample
06d55f75d7c76d6924c0b8439fa3cda28b89284204a6db982e4baf3a37fb35d2.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral4
Sample
24401ac43b6dbb7048cb27425b4f0f76a9b20b6b4fffa33ff8091c3c11ef8365.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral5
Sample
260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral6
Sample
26cd03696045fb93b415b022fa6bc832098394bf362f4b4c4e897e9550d12618.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral7
Sample
2a0a88a2e5f9cafa10a48d63bdfcdf965b72c25978ab46cf28e795dbedc9624a.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral8
Sample
2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral9
Sample
336cdd146beca939c6d1e3e3c00cc10ec2d6e859a18d350bff937ad5194c27da.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral10
Sample
417c1828d98ba4f05f7a2edb71a9105f0aebf3d554393970b96e59d4db7b4473.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral11
Sample
4d3095c7965c7bdd32b81b72c95f767134915cf08ebe1237721ed5208de4beee.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral12
Sample
54e526fe059a3f25cdaed954e32f44eadffb3e51548658409468dcf2d63b634c.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral13
Sample
6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral14
Sample
64c044cb3ec26babdd17107b2aa6ded60b22473c4e2943e1fcc03df8bc2e0edb.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral15
Sample
671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral16
Sample
67785724b67ecd79b7cd4c64a249794b9abda8b680fe52a0ce85bb83ddfb6cce.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral17
Sample
6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral18
Sample
6f63742c25fd3a2dae5995f182254c253003066488ef86e754f661e8ba1d76fd.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral19
Sample
813a9b03c6c1caec4eca8a867dcfbda7860bca6a5d481acb4c131c1a868d4b48.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral20
Sample
839ac59a78a0f2c446edb3cccbaf0bc5781605a1f848878f9e96cd5e0e425fe3.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral21
Sample
85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral22
Sample
a34cb4049eb43d455d8619607cc6e1a8c380e9d8507306e9c5bc17eaed6459c4.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral23
Sample
a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral24
Sample
a98e988f03fd5be37c66878017a3dcd741adf75bf1df1ed6dde2c15ee213bb48.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral25
Sample
acc31f97c3124a317f2939944777e103311f4b0c51788d2e562c24a08e2afe27.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral26
Sample
b194eec1e599feeadfd463b06727e8b3c73a72a4c20017e5cfaf89fbf6d365c7.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral27
Sample
bac73f9ccebf93009a6037145a9c71a2e8b916956f6a7e6a4f4b53b4b50b7a00.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral28
Sample
c5d2f0da18fb33a25b53fd8b9b98f0bfa95458e3c0feb687852f469167a0110c.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral29
Sample
d559ee0a26fa500cd57fac25d58ba4319a794f329c8711e89afac3c281f9dd7e.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral30
Sample
db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral31
Sample
e5efde974017a12a573548f12b5473887601c897e8660eb57803c18523f72815.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral32
Sample
fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c.dll
Resource
win10-en-20211014
windows10_x64
General
-
Target
a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360.dll
-
Size
172KB
-
MD5
7a70755b8388c0bc73c7cdc557150dca
-
SHA1
8ed83eeadcda38d92ab079a7b8483cbdb8cc3ac1
-
SHA256
a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360
-
SHA512
a9347e82c9cb77be18841badf0fccece9a860a48fa17ad3ad410120cc6bd6fa585758c9071c4627d22b8a49eee615032cc4448cfb1860be87b3ea77311e5616f
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload 3 IoCs
resource yara_rule behavioral23/memory/348-120-0x00007FF7496B0000-0x00007FF7496FC000-memory.dmp BazarBackdoorVar4 behavioral23/memory/348-121-0x00007FF7496D5EC0-mapping.dmp BazarBackdoorVar4 behavioral23/memory/348-122-0x00007FF7496B0000-0x00007FF7496FC000-memory.dmp BazarBackdoorVar4 -
Bazar/Team9 Loader payload 3 IoCs
resource yara_rule behavioral23/memory/2800-118-0x00000000022E0000-0x000000000240C000-memory.dmp BazarLoaderVar6 behavioral23/memory/1916-119-0x00000200FEA50000-0x00000200FEB7C000-memory.dmp BazarLoaderVar6 behavioral23/memory/1276-125-0x0000022F83EC0000-0x0000022F83FEC000-memory.dmp BazarLoaderVar6 -
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
flow ioc 168 fuacided.bazar 190 aqomekyw.bazar 156 agidided.bazar 93 exacuhed.bazar 142 etibidyw.bazar 147 tusouhed.bazar 151 biekekyw.bazar 200 yponidem.bazar 85 aqsouhyw.bazar 120 ufudided.bazar 133 agewuhyw.bazar 182 ucemwyem.bazar 228 ufelidom.bazar 60 aqsouhyw.bazar 179 vuibekyw.bazar 219 excauhom.bazar 236 ehcuidyw.bazar 175 agywuhom.bazar 138 izywwyed.bazar 152 ydewuhom.bazar 201 ufemwyed.bazar 212 tutouhyw.bazar 223 huonided.bazar 124 tuedwyyw.bazar 150 iqelwyed.bazar 166 tysoidem.bazar 211 liewided.bazar 233 tuomeked.bazar 237 ehcuidyw.bazar 122 ehcaekem.bazar 141 uccaeked.bazar 154 exomidem.bazar 155 ydcuwyom.bazar 164 uconuhom.bazar 165 ehemeked.bazar 206 ucelidyw.bazar 222 vuqewyom.bazar 83 bluehail.bazar 162 etedwyed.bazar 173 owomidom.bazar 186 eheluhom.bazar 225 vusoekom.bazar 135 huomuhed.bazar 230 ehewekyw.bazar 209 liewided.bazar 195 exwyided.bazar 205 tyaceked.bazar 231 tytouhom.bazar 167 tuuhwyom.bazar 187 liekwyyw.bazar 196 hucauhyw.bazar 199 izqewyyw.bazar 125 fuqeidem.bazar 160 ufcawyem.bazar 121 ucwyuhyw.bazar 161 izibidom.bazar 227 etacwyyw.bazar 157 vuywuhem.bazar 127 iqemekyw.bazar 136 agcuwyyw.bazar 153 owtoeked.bazar 184 tyuhuhyw.bazar 207 ehekwyem.bazar 224 ypemuhyw.bazar -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
description flow ioc HTTP URL 48 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8 HTTP URL 79 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2800 set thread context of 348 2800 regsvr32.exe 72 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2800 regsvr32.exe 2800 regsvr32.exe 2800 regsvr32.exe 2800 regsvr32.exe 2800 regsvr32.exe 2800 regsvr32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72 PID 2800 wrote to memory of 348 2800 regsvr32.exe 72
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360.dll1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup2⤵PID:348
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360.dll,DllRegisterServer {B0B5A78B-43C7-4364-A2EC-974A10311EAC}1⤵PID:1916
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360.dll,DllRegisterServer {B0B5A78B-43C7-4364-A2EC-974A10311EAC}1⤵PID:1276