Analysis
- max time kernel: 397s
- max time network: 406s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 30/11/2021, 02:47
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: run.bat
  Resource: win7-en-20211014
- Behavioral task: behavioral2
  Sample: run.bat
  Resource: win10-en-20211104
- Behavioral task: behavioral3
  Sample: grandpa.mpeg.dll
  Resource: win7-en-20211014
- Behavioral task: behavioral4
  Sample: grandpa.mpeg.dll
  Resource: win10-en-20211104
General
- Target: run.bat
- Size: 30B
- MD5: 8f1bc18c9374d4e61900a4a131ac144a
- SHA1: 9cca879179dfabfb8d1350d02bdb2f097e47cd42
- SHA256: 78346a5edff4fa34210349541e7227c54358373586959c31b8e9cd490e5358f4
- SHA512: 00cbe82b5336e6061f1ad402d5cce6db24acf6083e5cae8c4a39da32e680d170ce919eab2078af11697578792404e1216dcc90c5a59d3f56f9a79492b090295b
Malware Config
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

- Bazar/Team9 Loader payload (1 IoC)
  resource                                                                    yara_rule
  behavioral1/memory/524-56-0x00000000003B0000-0x00000000003DE000-memory.dmp  BazarLoaderVar5

- Blocklisted process makes network request (14 IoCs)
  flow  pid  Process
  4     524  rundll32.exe
  5     524  rundll32.exe
  6     524  rundll32.exe
  7     524  rundll32.exe
  8     524  rundll32.exe
  9     524  rundll32.exe
  11    524  rundll32.exe
  12    524  rundll32.exe
  13    524  rundll32.exe
  14    524  rundll32.exe
  15    524  rundll32.exe
  16    524  rundll32.exe
  17    524  rundll32.exe
  18    524  rundll32.exe

- Tries to connect to .bazar domain (3 IoCs)
  Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
  flow  ioc
  13    reddew28c.bazar
  14    bluehail.bazar
  15    whitestorm9p.bazar

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                    pid  Process  procid_target
  PID 752 wrote to memory of 524  752  cmd.exe  28
  PID 752 wrote to memory of 524  752  cmd.exe  28
  PID 752 wrote to memory of 524  752  cmd.exe  28