Overview

overview

10

Static

static

029b714502...39.dll

windows10_x64

10

061dfb6a25...52.dll

windows10_x64

10

06d55f75d7...d2.dll

windows10_x64

10

24401ac43b...65.dll

windows10_x64

3

260e2d5769...40.dll

windows10_x64

10

26cd036960...18.dll

windows10_x64

10

2a0a88a2e5...4a.dll

windows10_x64

3

2f33217d51...94.dll

windows10_x64

10

336cdd146b...da.dll

windows10_x64

10

417c1828d9...73.dll

windows10_x64

10

4d3095c796...ee.dll

windows10_x64

10

54e526fe05...4c.dll

windows10_x64

1

6402b33d72...3b.dll

windows10_x64

10

64c044cb3e...db.dll

windows10_x64

10

671f477c30...4e.dll

windows10_x64

10

67785724b6...ce.dll

windows10_x64

3

6c6934613a...fb.dll

windows10_x64

10

6f63742c25...fd.dll

windows10_x64

10

813a9b03c6...48.dll

windows10_x64

10

839ac59a78...e3.dll

windows10_x64

10

85d0b72fe8...39.dll

windows10_x64

10

a34cb4049e...c4.dll

windows10_x64

10

a55c19c552...60.dll

windows10_x64

10

a98e988f03...48.dll

windows10_x64

10

acc31f97c3...27.dll

windows10_x64

10

b194eec1e5...c7.dll

windows10_x64

10

bac73f9cce...00.dll

windows10_x64

10

c5d2f0da18...0c.dll

windows10_x64

10

d559ee0a26...7e.dll

windows10_x64

1

db5276c0d5...79.dll

windows10_x64

10

e5efde9740...15.dll

windows10_x64

10

fe028e6f99...1c.dll

windows10_x64

10

Resubmissions

01-11-2021 12:31

211101-pp5r3ahha4 10

31-10-2021 09:03

211031-k1bwxacfaq 10

14-10-2021 01:44

211014-b6aflafeg4 10

Analysis

  • max time kernel
    3889s
  • max time network
    3906s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    31-10-2021 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll

  • Size

    172KB

  • MD5

    6feafb5aa21e924e2a7dfc0cb87653e6

  • SHA1

    eae7d011f43747b9a67b115733dc906dcbf976e7

  • SHA256

    db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479

  • SHA512

    b21704bc4b06eed4d3468d144f90132af87af031dd9f6ad3ac771f75d9b02227eecbac79a53079955bbd9ea3a050d14a52af5829a50eaec745b7c617c16bc1a1

Score
10/10
bazarbackdoorbazarloaderbackdoordropperloadersuricata

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    backdoorbazarbackdoor
  • suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

    suricata
  • Bazar/Team9 Backdoor payload 3 IoCs
  • Bazar/Team9 Loader payload 3 IoCs
  • Tries to connect to .bazar domain 64 IoCs

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1548
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup
      2⤵
        PID:1500
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll,DllRegisterServer {42B79409-7246-4C7C-9396-46C2A7E210D1}
      1⤵
        PID:4384
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll,DllRegisterServer {42B79409-7246-4C7C-9396-46C2A7E210D1}
        1⤵
          PID:2692

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1BA3P8U7\LNpcZiibJq[1]
          MD5

          2751f2b426fc0897b587cb4d9b5c9761

          SHA1

          ba59bdef1977427854b2698874f04ec47dcff9e1

          SHA256

          f68b79119ebfae039fc2586db3028f1bb8034399ce5f151b84f7e74375fe27b4

          SHA512

          a66aecde67390ef9ae46e12e8cb70a0d4579fd4c856f0d6cf4f82de13a425aa18dd064d9f70daacdcfaa45eaaddde37462270b7252b07cc6fc6f07e13587fd13

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BNAKBOQY\geoip[1].txt
          MD5

          2a42fadf693cc02ba332e2ebb94b1787

          SHA1

          9c85f092df98dba884aa206d20882b818450c79b

          SHA256

          c7ecbb6bd38c2c4cb9462e5f831b7557b6b07160a10ccd3e167ccbf2a2ec4690

          SHA512

          a031b9e999632d3b0c89203df35786379180ba6d07ace26b947569caf97a8e4951db3e16f36696e998329fa069b8316b3f78d3781195058ae1c7ec3dfc2c73de

          Download Submit

        • memory/1500-120-0x00007FF731BE0000-0x00007FF731C2C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1500-121-0x00007FF731C05EC0-mapping.dmp

          Download

        • memory/1500-122-0x00007FF731BE0000-0x00007FF731C2C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1548-118-0x0000000001F00000-0x000000000202C000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2692-125-0x0000017DF9720000-0x0000017DF984C000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4384-119-0x000002C17BD90000-0x000002C17BEBC000-memory.dmp

          Filesize

          1.2MB

          Download