Overview
overview
10Static
static
029b714502...39.dll
windows10_x64
10061dfb6a25...52.dll
windows10_x64
1006d55f75d7...d2.dll
windows10_x64
1024401ac43b...65.dll
windows10_x64
3260e2d5769...40.dll
windows10_x64
1026cd036960...18.dll
windows10_x64
102a0a88a2e5...4a.dll
windows10_x64
32f33217d51...94.dll
windows10_x64
10336cdd146b...da.dll
windows10_x64
10417c1828d9...73.dll
windows10_x64
104d3095c796...ee.dll
windows10_x64
1054e526fe05...4c.dll
windows10_x64
16402b33d72...3b.dll
windows10_x64
1064c044cb3e...db.dll
windows10_x64
10671f477c30...4e.dll
windows10_x64
1067785724b6...ce.dll
windows10_x64
36c6934613a...fb.dll
windows10_x64
106f63742c25...fd.dll
windows10_x64
10813a9b03c6...48.dll
windows10_x64
10839ac59a78...e3.dll
windows10_x64
1085d0b72fe8...39.dll
windows10_x64
10a34cb4049e...c4.dll
windows10_x64
10a55c19c552...60.dll
windows10_x64
10a98e988f03...48.dll
windows10_x64
10acc31f97c3...27.dll
windows10_x64
10b194eec1e5...c7.dll
windows10_x64
10bac73f9cce...00.dll
windows10_x64
10c5d2f0da18...0c.dll
windows10_x64
10d559ee0a26...7e.dll
windows10_x64
1db5276c0d5...79.dll
windows10_x64
10e5efde9740...15.dll
windows10_x64
10fe028e6f99...1c.dll
windows10_x64
10Resubmissions
01-11-2021 12:31
211101-pp5r3ahha4 1031-10-2021 09:03
211031-k1bwxacfaq 1014-10-2021 01:44
211014-b6aflafeg4 10Analysis
-
max time kernel
3874s -
max time network
3881s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
31-10-2021 09:03
Static task
static1
Behavioral task
behavioral1
Sample
029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral2
Sample
061dfb6a251e536f700a295239652dafab34aee5e5145320d1d57e3fca5e5d52.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral3
Sample
06d55f75d7c76d6924c0b8439fa3cda28b89284204a6db982e4baf3a37fb35d2.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral4
Sample
24401ac43b6dbb7048cb27425b4f0f76a9b20b6b4fffa33ff8091c3c11ef8365.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral5
Sample
260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral6
Sample
26cd03696045fb93b415b022fa6bc832098394bf362f4b4c4e897e9550d12618.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral7
Sample
2a0a88a2e5f9cafa10a48d63bdfcdf965b72c25978ab46cf28e795dbedc9624a.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral8
Sample
2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral9
Sample
336cdd146beca939c6d1e3e3c00cc10ec2d6e859a18d350bff937ad5194c27da.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral10
Sample
417c1828d98ba4f05f7a2edb71a9105f0aebf3d554393970b96e59d4db7b4473.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral11
Sample
4d3095c7965c7bdd32b81b72c95f767134915cf08ebe1237721ed5208de4beee.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral12
Sample
54e526fe059a3f25cdaed954e32f44eadffb3e51548658409468dcf2d63b634c.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral13
Sample
6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral14
Sample
64c044cb3ec26babdd17107b2aa6ded60b22473c4e2943e1fcc03df8bc2e0edb.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral15
Sample
671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral16
Sample
67785724b67ecd79b7cd4c64a249794b9abda8b680fe52a0ce85bb83ddfb6cce.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral17
Sample
6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral18
Sample
6f63742c25fd3a2dae5995f182254c253003066488ef86e754f661e8ba1d76fd.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral19
Sample
813a9b03c6c1caec4eca8a867dcfbda7860bca6a5d481acb4c131c1a868d4b48.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral20
Sample
839ac59a78a0f2c446edb3cccbaf0bc5781605a1f848878f9e96cd5e0e425fe3.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral21
Sample
85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral22
Sample
a34cb4049eb43d455d8619607cc6e1a8c380e9d8507306e9c5bc17eaed6459c4.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral23
Sample
a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral24
Sample
a98e988f03fd5be37c66878017a3dcd741adf75bf1df1ed6dde2c15ee213bb48.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral25
Sample
acc31f97c3124a317f2939944777e103311f4b0c51788d2e562c24a08e2afe27.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral26
Sample
b194eec1e599feeadfd463b06727e8b3c73a72a4c20017e5cfaf89fbf6d365c7.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral27
Sample
bac73f9ccebf93009a6037145a9c71a2e8b916956f6a7e6a4f4b53b4b50b7a00.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral28
Sample
c5d2f0da18fb33a25b53fd8b9b98f0bfa95458e3c0feb687852f469167a0110c.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral29
Sample
d559ee0a26fa500cd57fac25d58ba4319a794f329c8711e89afac3c281f9dd7e.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral30
Sample
db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral31
Sample
e5efde974017a12a573548f12b5473887601c897e8660eb57803c18523f72815.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral32
Sample
fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c.dll
Resource
win10-en-20211014
windows10_x64
General
-
Target
fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c.dll
-
Size
172KB
-
MD5
a3d0c939bd3ecb8d11bd06c2bd15f45e
-
SHA1
b7fcdacc3507ed2f84752068fb0039c600003536
-
SHA256
fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c
-
SHA512
40a6bf12a8aedf563ae762249b8d5c44c39a1002ec581f07f1ff0f5b91dd6dfe6badadd71ae15efa608e129e5b3389390bf62d40dca9fddca2e04bd37e045f52
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload 3 IoCs
resource yara_rule behavioral32/memory/3176-121-0x00007FF622FB5EC0-mapping.dmp BazarBackdoorVar4 behavioral32/memory/3176-120-0x00007FF622F90000-0x00007FF622FDC000-memory.dmp BazarBackdoorVar4 behavioral32/memory/3176-122-0x00007FF622F90000-0x00007FF622FDC000-memory.dmp BazarBackdoorVar4 -
Bazar/Team9 Loader payload 3 IoCs
resource yara_rule behavioral32/memory/3136-118-0x0000000002860000-0x000000000298C000-memory.dmp BazarLoaderVar6 behavioral32/memory/360-119-0x000002209CEC0000-0x000002209CFEC000-memory.dmp BazarLoaderVar6 behavioral32/memory/3268-125-0x000001EA95290000-0x000001EA953BC000-memory.dmp BazarLoaderVar6 -
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
flow ioc 513 etibuhed.bazar 755 ufsoidom.bazar 810 aqibwyyw.bazar 855 exacuhem.bazar 618 ucewekem.bazar 179 huwyidem.bazar 232 tuomeked.bazar 339 ehqeided.bazar 515 tuqeidom.bazar 537 tuuhwyem.bazar 583 aqudwyom.bazar 739 tueluhyw.bazar 835 exuhidom.bazar 201 vueduhed.bazar 302 ydacuhed.bazar 337 ufibidem.bazar 495 tuedeked.bazar 573 izsoided.bazar 499 fusouhyw.bazar 629 biedidom.bazar 667 tywywyom.bazar 153 ydewuhom.bazar 167 tysoidem.bazar 268 ufewwyyw.bazar 386 tuekwyyw.bazar 438 owedidom.bazar 692 tycaekem.bazar 124 tuedwyyw.bazar 241 agqewyed.bazar 418 exedidem.bazar 479 biemidem.bazar 635 vuacwyed.bazar 137 agcuwyyw.bazar 298 fuonwyem.bazar 454 liwywyyw.bazar 593 izuhuhom.bazar 612 agsoekom.bazar 673 aqemidom.bazar 693 ucibuhom.bazar 134 agewuhyw.bazar 265 vuacuhyw.bazar 405 etelidyw.bazar 419 huqewyom.bazar 563 biidekem.bazar 850 aqqeuhom.bazar 917 owomidyw.bazar 222 vuqewyom.bazar 424 ufacwyem.bazar 607 biibeked.bazar 816 huuhidyw.bazar 196 ydywidyw.bazar 276 fucaidom.bazar 589 vuqewyem.bazar 623 liywekyw.bazar 763 fuewidyw.bazar 380 etemwyem.bazar 512 uccaekom.bazar 767 aqidekom.bazar 171 iqekekom.bazar 172 biewuhed.bazar 269 iztoidem.bazar 272 uciduhem.bazar 338 ucedwyom.bazar 768 owywuhed.bazar -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
description flow ioc HTTP URL 47 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8 HTTP URL 78 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3136 set thread context of 3176 3136 regsvr32.exe 72 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 3136 regsvr32.exe 3136 regsvr32.exe 3136 regsvr32.exe 3136 regsvr32.exe 3136 regsvr32.exe 3136 regsvr32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72 PID 3136 wrote to memory of 3176 3136 regsvr32.exe 72
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c.dll1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3136 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup2⤵PID:3176
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c.dll,DllRegisterServer {3D966DB7-3A12-47F8-A946-86754A29F1D1}1⤵PID:360
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c.dll,DllRegisterServer {3D966DB7-3A12-47F8-A946-86754A29F1D1}1⤵PID:3268