General

  • Target

    fa938c8e0833e3d8a642ab29cb8ecfde8d1ef574837d41a7e4a7c1676ec91531

  • Size

    1.7MB

  • Sample

    220119-16xzbsdfcj

  • MD5

    c29a9e09451389facd0961601a531605

  • SHA1

    129c8b45205e56810e34505aa1f3aff3d0021bbe

  • SHA256

    fa938c8e0833e3d8a642ab29cb8ecfde8d1ef574837d41a7e4a7c1676ec91531

  • SHA512

    c656bc2107993b36a2ce9bef0d67cdaee1b9d8573770d9033705fe6fff14c6d93915024bcc7fda1006283f7b6ae65a32244e294abc3a3c0a5e0d497fb4a1458b

Malware Config

Extracted

Language
xlm4.0
Source

Targets

    • Target

      fa938c8e0833e3d8a642ab29cb8ecfde8d1ef574837d41a7e4a7c1676ec91531

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro. For this sample the extracted config language is xlm4.0 (an Excel 4.0 / XLM macro), so the macro path is the likely explanation here.

    • Bazar/Team9 Loader payload

    • Blocklisted process makes network request

    • Sets service image path in registry

    • Loads dropped DLL

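The four behavioural signatures listed above (unexpected child process, service ImagePath written, dropped DLL loaded, blocklisted process making a network request) are the kind of rules a practitioner can reproduce over endpoint telemetry. The following is an added example, not the sandbox's own signature code and not derived from this sample's actual trace: it evaluates the four heuristics over a constructed Sysmon-style event list. The Event field names, the Office parent / LOLBin child lists, the blocklisted-process list, the rule that only services.exe may legitimately write a service ImagePath, and both traces are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    """One telemetry record. Field names are an assumption of this example."""
    kind: str                           # "process", "file_create", "registry", "image_load", "network"
    pid: int
    image: str                          # full path of the process performing the action
    parent_image: Optional[str] = None  # "process" events only: image of the parent
    target: Optional[str] = None        # file written, registry key, DLL loaded, or remote endpoint


# Assumed lists: Office parents that should not spawn script hosts or LOLBins,
# and processes treated as blocklisted for outbound traffic.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
UNEXPECTED_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
BLOCKLISTED_NETWORK = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(events: list) -> set:
    """Return the names of the signatures that fire for a whole trace."""
    hits: set = set()
    dropped: set = set()  # full paths written earlier in the trace, lower-cased
    for ev in events:
        img = basename(ev.image)
        if ev.kind == "process":
            parent = basename(ev.parent_image or "")
            if parent in OFFICE_PARENTS and img in UNEXPECTED_CHILDREN:
                hits.add("Process spawned unexpected child process")
        elif ev.kind == "file_create":
            dropped.add(ev.target.lower())
        elif ev.kind == "registry":
            key = ev.target.lower()
            # Assumption: only the SCM (services.exe) writes ImagePath legitimately.
            if key.startswith(SERVICES_KEY) and key.endswith("\\imagepath") and img != "services.exe":
                hits.add("Sets service image path in registry")
        elif ev.kind == "image_load":
            if ev.target.lower() in dropped:  # DLL was created earlier in this trace
                hits.add("Loads dropped DLL")
        elif ev.kind == "network":
            if img in BLOCKLISTED_NETWORK:
                hits.add("Blocklisted process makes network request")
    return hits


# Constructed traces (not the sample's real behaviour): one mimicking a macro
# that drops a DLL, registers it via regsvr32 and beacons; one benign.
EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
REGSVR = "C:\\Windows\\System32\\regsvr32.exe"
MALICIOUS_TRACE = [
    Event("process", 100, EXCEL, parent_image="C:\\Windows\\explorer.exe"),
    Event("file_create", 100, EXCEL, target="C:\\Users\\Public\\loader.dll"),
    Event("process", 200, REGSVR, parent_image=EXCEL),
    Event("image_load", 200, REGSVR, target="C:\\Users\\Public\\loader.dll"),
    Event("registry", 200, REGSVR,
          target="HKLM\\SYSTEM\\CurrentControlSet\\Services\\svcupd\\ImagePath"),
    Event("network", 200, REGSVR, target="203.0.113.10:443"),
]
BENIGN_TRACE = [
    Event("process", 100, EXCEL, parent_image="C:\\Windows\\explorer.exe"),
    Event("image_load", 100, EXCEL,
          target="C:\\Program Files\\Microsoft Office\\root\\Office16\\mso.dll"),
    Event("registry", 4, "C:\\Windows\\System32\\services.exe",
          target="HKLM\\SYSTEM\\CurrentControlSet\\Services\\svcupd\\ImagePath"),
    Event("network", 100, EXCEL, target="203.0.113.10:443"),
]

if __name__ == "__main__":
    print(sorted(evaluate(MALICIOUS_TRACE)))
    print(sorted(evaluate(BENIGN_TRACE)))
```

The "Loads dropped DLL" rule depends on trace order: the file_create must precede the image_load, which is why the evaluation is a single forward pass that accumulates written paths. On real telemetry the paths should be normalised (8.3 names, symlinks, case) before comparison, or the rule will miss loads of the same file under a different spelling.
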
MITRE ATT&CK Enterprise v6

Tasks