Overview
overview
10Static
static
029b714502...39.dll
windows10_x64
10061dfb6a25...52.dll
windows10_x64
1006d55f75d7...d2.dll
windows10_x64
1024401ac43b...65.dll
windows10_x64
3260e2d5769...40.dll
windows10_x64
1026cd036960...18.dll
windows10_x64
102a0a88a2e5...4a.dll
windows10_x64
32f33217d51...94.dll
windows10_x64
10336cdd146b...da.dll
windows10_x64
10417c1828d9...73.dll
windows10_x64
104d3095c796...ee.dll
windows10_x64
1054e526fe05...4c.dll
windows10_x64
16402b33d72...3b.dll
windows10_x64
1064c044cb3e...db.dll
windows10_x64
10671f477c30...4e.dll
windows10_x64
1067785724b6...ce.dll
windows10_x64
36c6934613a...fb.dll
windows10_x64
106f63742c25...fd.dll
windows10_x64
10813a9b03c6...48.dll
windows10_x64
10839ac59a78...e3.dll
windows10_x64
1085d0b72fe8...39.dll
windows10_x64
10a34cb4049e...c4.dll
windows10_x64
10a55c19c552...60.dll
windows10_x64
10a98e988f03...48.dll
windows10_x64
10acc31f97c3...27.dll
windows10_x64
10b194eec1e5...c7.dll
windows10_x64
10bac73f9cce...00.dll
windows10_x64
10c5d2f0da18...0c.dll
windows10_x64
10d559ee0a26...7e.dll
windows10_x64
1db5276c0d5...79.dll
windows10_x64
10e5efde9740...15.dll
windows10_x64
10fe028e6f99...1c.dll
windows10_x64
10Resubmissions
01-11-2021 12:31
211101-pp5r3ahha4 1031-10-2021 09:03
211031-k1bwxacfaq 1014-10-2021 01:44
211014-b6aflafeg4 10Analysis
-
max time kernel
3835s -
max time network
3849s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
31-10-2021 09:03
Static task
static1
Behavioral task
behavioral1
Sample
029b714502283599a5efb86d41c48fd46751ab727b707bde620e517ec3aa3c39.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral2
Sample
061dfb6a251e536f700a295239652dafab34aee5e5145320d1d57e3fca5e5d52.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral3
Sample
06d55f75d7c76d6924c0b8439fa3cda28b89284204a6db982e4baf3a37fb35d2.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral4
Sample
24401ac43b6dbb7048cb27425b4f0f76a9b20b6b4fffa33ff8091c3c11ef8365.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral5
Sample
260e2d5769f0a50a7b49d4c43059221eb7acc4b9fc460763e0cfcd793f2a6840.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral6
Sample
26cd03696045fb93b415b022fa6bc832098394bf362f4b4c4e897e9550d12618.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral7
Sample
2a0a88a2e5f9cafa10a48d63bdfcdf965b72c25978ab46cf28e795dbedc9624a.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral8
Sample
2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral9
Sample
336cdd146beca939c6d1e3e3c00cc10ec2d6e859a18d350bff937ad5194c27da.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral10
Sample
417c1828d98ba4f05f7a2edb71a9105f0aebf3d554393970b96e59d4db7b4473.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral11
Sample
4d3095c7965c7bdd32b81b72c95f767134915cf08ebe1237721ed5208de4beee.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral12
Sample
54e526fe059a3f25cdaed954e32f44eadffb3e51548658409468dcf2d63b634c.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral13
Sample
6402b33d729c8bb44881747a8f397f4aec408bf5e18b9af6fd86cdfa3f96323b.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral14
Sample
64c044cb3ec26babdd17107b2aa6ded60b22473c4e2943e1fcc03df8bc2e0edb.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral15
Sample
671f477c3039786c5f3553760377be03b91bfb66f31ba9370ed2193192cf5b4e.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral16
Sample
67785724b67ecd79b7cd4c64a249794b9abda8b680fe52a0ce85bb83ddfb6cce.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral17
Sample
6c6934613abde41f82043bb7c269a1e614920a83a2b90eaf325ca7b998183efb.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral18
Sample
6f63742c25fd3a2dae5995f182254c253003066488ef86e754f661e8ba1d76fd.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral19
Sample
813a9b03c6c1caec4eca8a867dcfbda7860bca6a5d481acb4c131c1a868d4b48.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral20
Sample
839ac59a78a0f2c446edb3cccbaf0bc5781605a1f848878f9e96cd5e0e425fe3.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral21
Sample
85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral22
Sample
a34cb4049eb43d455d8619607cc6e1a8c380e9d8507306e9c5bc17eaed6459c4.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral23
Sample
a55c19c552f579041ad7289aceeb400da215fe29aedbf0c14e8a66be1bee8360.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral24
Sample
a98e988f03fd5be37c66878017a3dcd741adf75bf1df1ed6dde2c15ee213bb48.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral25
Sample
acc31f97c3124a317f2939944777e103311f4b0c51788d2e562c24a08e2afe27.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral26
Sample
b194eec1e599feeadfd463b06727e8b3c73a72a4c20017e5cfaf89fbf6d365c7.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral27
Sample
bac73f9ccebf93009a6037145a9c71a2e8b916956f6a7e6a4f4b53b4b50b7a00.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral28
Sample
c5d2f0da18fb33a25b53fd8b9b98f0bfa95458e3c0feb687852f469167a0110c.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral29
Sample
d559ee0a26fa500cd57fac25d58ba4319a794f329c8711e89afac3c281f9dd7e.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral30
Sample
db5276c0d5ecd3b338a98983001a5b8cbbf5b488bf420d8cc0267801b963f479.dll
Resource
win10-en-20211014
windows10_x64
Behavioral task
behavioral31
Sample
e5efde974017a12a573548f12b5473887601c897e8660eb57803c18523f72815.dll
Resource
win10-en-20210920
windows10_x64
Behavioral task
behavioral32
Sample
fe028e6f99a02a016643a2db14534fa977a78f45b36ff9db5b60e7e709f5541c.dll
Resource
win10-en-20211014
windows10_x64
General
-
Target
2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894.dll
-
Size
172KB
-
MD5
2c55997f5febc79d8aec77991f178138
-
SHA1
9d6d02ba0d021b6cdbf1fb8f594ebab3214325da
-
SHA256
2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894
-
SHA512
099ad760edaf05a1b180f451c48762627bfc374c8ed2e1ff8969d18787a366495b3576cf7f3724c932d52fa34897e4ee57b7824df9c11d6f6784ec310ee40820
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
-
Bazar/Team9 Backdoor payload 3 IoCs
resource yara_rule behavioral8/memory/1588-120-0x00007FF73E190000-0x00007FF73E1DC000-memory.dmp BazarBackdoorVar4 behavioral8/memory/1588-121-0x00007FF73E1B5EC0-mapping.dmp BazarBackdoorVar4 behavioral8/memory/1588-122-0x00007FF73E190000-0x00007FF73E1DC000-memory.dmp BazarBackdoorVar4 -
Bazar/Team9 Loader payload 2 IoCs
resource yara_rule behavioral8/memory/2512-118-0x0000000002C70000-0x0000000002D9C000-memory.dmp BazarLoaderVar6 behavioral8/memory/3380-119-0x0000019E55580000-0x0000019E556AC000-memory.dmp BazarLoaderVar6 -
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
flow ioc 191 ypcawyom.bazar 198 ucemwyem.bazar 130 iqemekyw.bazar 162 vuywuhem.bazar 132 aquheked.bazar 146 tuqeided.bazar 168 tyqeekem.bazar 62 aqsouhyw.bazar 124 ehcaekem.bazar 159 ydcuwyom.bazar 166 izibidom.bazar 183 owomidom.bazar 184 bicuwyed.bazar 185 bicuwyed.bazar 192 ypcawyom.bazar 125 tyibuhed.bazar 128 fuqeidem.bazar 196 etqeekom.bazar 129 lionwyed.bazar 134 bielwyem.bazar 149 tusouhed.bazar 151 aqacidom.bazar 177 iqekekom.bazar 179 aqtowyem.bazar 85 bluehail.bazar 122 uccaeked.bazar 190 ypcawyom.bazar 154 ydewuhom.bazar 173 tysoidem.bazar 181 owomidom.bazar 59 reddew28c.bazar 144 etibidyw.bazar 142 ypudekyw.bazar 189 huwyidem.bazar 57 blackrain15.bazar 141 izywwyed.bazar 161 agidided.bazar 167 etedwyed.bazar 186 ydidekem.bazar 122 ufudided.bazar 156 exomidem.bazar 148 liemekom.bazar 157 exomidem.bazar 195 izeduhem.bazar 86 whitestorm9p.bazar 137 extoekom.bazar 99 ydelwyyw.bazar 115 ypomuhem.bazar 140 vuididom.bazar 153 biekekyw.bazar 175 fuacided.bazar 176 lieluhem.bazar 61 whitestorm9p.bazar 84 reddew28c.bazar 187 agywuhom.bazar 197 ufonidyw.bazar 127 fuqeidem.bazar 150 fuuhwyyw.bazar 158 ydcuwyom.bazar 200 etsoidom.bazar 95 exacuhed.bazar 126 tuedwyyw.bazar 172 ehemeked.bazar 188 exudwyyw.bazar -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
description flow ioc HTTP URL 50 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8 HTTP URL 81 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2512 set thread context of 1588 2512 regsvr32.exe 73 -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 2512 regsvr32.exe 2512 regsvr32.exe 2512 regsvr32.exe 2512 regsvr32.exe 2512 regsvr32.exe 2512 regsvr32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73 PID 2512 wrote to memory of 1588 2512 regsvr32.exe 73
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894.dll1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup2⤵PID:1588
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f33217d51117cf3d6c6ed3ab50724964367fc7a85e1bb1dc87d241b8d953894.dll,DllRegisterServer {4CE979D1-AD57-4315-B874-DA81845159B9}1⤵PID:3380