Analysis
max time kernel: 402s
max time network: 405s
platform: windows10_x64
resource: win10-en-20211104
submitted: 30/11/2021, 02:47
Static task: static1

Behavioral task: behavioral1
Sample: run.bat
Resource: win7-en-20211014

Behavioral task: behavioral2
Sample: run.bat
Resource: win10-en-20211104

Behavioral task: behavioral3
Sample: grandpa.mpeg.dll
Resource: win7-en-20211014

Behavioral task: behavioral4
Sample: grandpa.mpeg.dll
Resource: win10-en-20211104
General
Target: run.bat
Size: 30B
MD5: 8f1bc18c9374d4e61900a4a131ac144a
SHA1: 9cca879179dfabfb8d1350d02bdb2f097e47cd42
SHA256: 78346a5edff4fa34210349541e7227c54358373586959c31b8e9cd490e5358f4
SHA512: 00cbe82b5336e6061f1ad402d5cce6db24acf6083e5cae8c4a39da32e680d170ce919eab2078af11697578792404e1216dcc90c5a59d3f56f9a79492b090295b
Malware Config
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (1 IoC)
resource                                                                      yara_rule
behavioral2/memory/492-119-0x000001D0FA4F0000-0x000001D0FA51E000-memory.dmp   BazarLoaderVar5

Blocklisted process makes network request (27 IoCs)
flow  pid  Process
27    492  rundll32.exe
28    492  rundll32.exe
29    492  rundll32.exe
31    492  rundll32.exe
32    492  rundll32.exe
33    492  rundll32.exe
34    492  rundll32.exe
35    492  rundll32.exe
36    492  rundll32.exe
37    492  rundll32.exe
38    492  rundll32.exe
39    492  rundll32.exe
40    492  rundll32.exe
41    492  rundll32.exe
42    492  rundll32.exe
43    492  rundll32.exe
44    492  rundll32.exe
45    492  rundll32.exe
46    492  rundll32.exe
47    492  rundll32.exe
48    492  rundll32.exe
49    492  rundll32.exe
50    492  rundll32.exe
51    492  rundll32.exe
52    492  rundll32.exe
53    492  rundll32.exe
54    492  rundll32.exe

Tries to connect to .bazar domain (12 IoCs)
Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
flow  ioc
46    reddew28c.bazar
47    bluehail.bazar
48    whitestorm9p.bazar
53    ysylxyvu.bazar
33    bluehail.bazar
39    reddew28c.bazar
40    bluehail.bazar
41    whitestorm9p.bazar
49    ikqoxyiz.bazar
51    yqudekpi.bazar
32    reddew28c.bazar
34    whitestorm9p.bazar

Suspicious use of WriteProcessMemory (2 IoCs)
description                       pid   Process  procid_target
PID 1012 wrote to memory of 492   1012  cmd.exe  70
PID 1012 wrote to memory of 492   1012  cmd.exe  70