bazarbackdoor | 9c4807666747c9befea4427e5b9791193fdb105d53400639e8cc401d92463be2

Target

db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll
Size

172KB
MD5

6feafb5aa21e924e2a7dfc0cb87653e6
SHA1

eae7d011f43747b9a67b115733dc906dcbf976e7
SHA256

db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479
SHA512

b21704bc4b06eed4d3468d144f90132af87af031dd9f6ad3ac771f75d9b02227eecbac79a53079955bbd9ea3a050d14a52af5829a50eaec745b7c617c16bc1a1

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader suricata

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

Bazar/Team9 Backdoor payload 3 IoCs

resource	yara_rule
behavioral30/memory/1500-120-0x00007FF731BE0000-0x00007FF731C2C000-memory.dmp	BazarBackdoorVar4
behavioral30/memory/1500-121-0x00007FF731C05EC0-mapping.dmp	BazarBackdoorVar4
behavioral30/memory/1500-122-0x00007FF731BE0000-0x00007FF731C2C000-memory.dmp	BazarBackdoorVar4

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral30/memory/1548-118-0x0000000001F00000-0x000000000202C000-memory.dmp	BazarLoaderVar6
behavioral30/memory/4384-119-0x000002C17BD90000-0x000002C17BEBC000-memory.dmp	BazarLoaderVar6
behavioral30/memory/2692-125-0x0000017DF9720000-0x0000017DF984C000-memory.dmp	BazarLoaderVar6

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

flow	ioc
60	aqsouhyw.bazar
109	hutoekyw.bazar
140	ufwyuhom.bazar
211	tutouhyw.bazar
216	aqudwyed.bazar
234	tuomeked.bazar
259	liywekem.bazar
58	bluehail.bazar
144	tuqeided.bazar
167	tuuhwyom.bazar
184	ucemwyem.bazar
186	tyuhuhyw.bazar
193	iqcuuhem.bazar
262	fuwyeked.bazar
139	ypudekyw.bazar
163	tyqeekem.bazar
179	ypcawyom.bazar
197	exwyided.bazar
204	izsoekyw.bazar
206	etuhuhem.bazar
227	ufelidom.bazar
243	agqewyed.bazar
101	agekidem.bazar
152	ydewuhom.bazar
176	agywuhom.bazar
232	tuomeked.bazar
246	agsoeked.bazar
148	fuuhwyyw.bazar
248	izacwyom.bazar
252	ypelided.bazar
131	bielwyem.bazar
249	ypelided.bazar
57	reddew28c.bazar
120	ufudided.bazar
147	tusouhed.bazar
174	bicuwyed.bazar
187	tuacekem.bazar
241	biibwyyw.bazar
133	agewuhyw.bazar
154	exomidem.bazar
215	biywidem.bazar
238	fuuduhyw.bazar
251	ypelided.bazar
80	blackrain15.bazar
132	ydekided.bazar
164	uconuhom.bazar
165	ehemeked.bazar
194	biidekom.bazar
218	excauhom.bazar
257	uccuidom.bazar
93	exacuhed.bazar
113	ypomuhem.bazar
171	biewuhed.bazar
217	owwyekyw.bazar
236	liidwyom.bazar
159	ypwyuhed.bazar
190	iqewidem.bazar
235	ehcuidyw.bazar
53	blackrain15.bazar
118	izididyw.bazar
183	ufonidyw.bazar
200	vueduhed.bazar
237	iqywided.bazar
253	ufekuhem.bazar

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	48	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
HTTP URL	79	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1548 set thread context of 1500	1548	regsvr32.exe	72

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1548	regsvr32.exe
1548	regsvr32.exe
1548	regsvr32.exe
1548	regsvr32.exe
1548	regsvr32.exe
1548	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72
PID 1548 wrote to memory of 1500	1548	regsvr32.exe	72

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k UnistackSvcGroup
  2⤵
  PID:1500

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll,DllRegisterServer {42B79409-7246-4C7C-9396-46C2A7E210D1}
1⤵
PID:4384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll,DllRegisterServer {42B79409-7246-4C7C-9396-46C2A7E210D1}
1⤵
PID:2692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1500-120-0x00007FF731BE0000-0x00007FF731C2C000-memory.dmp

Filesize
304KB

Download
memory/1500-122-0x00007FF731BE0000-0x00007FF731C2C000-memory.dmp

Filesize
304KB

Download
memory/1548-118-0x0000000001F00000-0x000000000202C000-memory.dmp

Filesize
1.2MB

Download
memory/2692-125-0x0000017DF9720000-0x0000017DF984C000-memory.dmp

Filesize
1.2MB

Download
memory/4384-119-0x000002C17BD90000-0x000002C17BEBC000-memory.dmp

Filesize
1.2MB

Download