anchordns | 5739549850fe635fc0ac5de81ce1fd495669fcabc1b8ede35b82a22093c86399 | Triage

Submit
Reports

Overview

overview

Static

static

5739549850...99.exe

windows7_x64

5739549850...99.exe

windows10_x64

Sharing

General

Target

5739549850fe635fc0ac5de81ce1fd495669fcabc1b8ede35b82a22093c86399
Size

390KB
Sample

220128-1a675aedd3
MD5

14f60998a77261a97c719b05e246716b
SHA1

3ed09498214d93c9ec14a15286546d242ad58943
SHA256

5739549850fe635fc0ac5de81ce1fd495669fcabc1b8ede35b82a22093c86399
SHA512

cbc039535a2ac2cb3398436098db7b008f03899cc765d397dc2a478a37742e3e542b15f8c1f27705a6d4b823eb72457bc2b5b5a1c763f592eb7b6724f0fba200

Score

10^/10

anchordns backdoor persistence

Static task

static1

backdoor anchordns

Behavioral task

behavioral1

Sample

5739549850fe635fc0ac5de81ce1fd495669fcabc1b8ede35b82a22093c86399.exe

Resource

win7-en-20211208

anchordns backdoor persistence

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

5739549850fe635fc0ac5de81ce1fd495669fcabc1b8ede35b82a22093c86399.exe

Resource

win10-en-20211208

anchordns backdoor persistence

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  5739549850fe635fc0ac5de81ce1fd495669fcabc1b8ede35b82a22093c86399
- Size
  
  390KB
- MD5
  
  14f60998a77261a97c719b05e246716b
- SHA1
  
  3ed09498214d93c9ec14a15286546d242ad58943
- SHA256
  
  5739549850fe635fc0ac5de81ce1fd495669fcabc1b8ede35b82a22093c86399
- SHA512
  
  cbc039535a2ac2cb3398436098db7b008f03899cc765d397dc2a478a37742e3e542b15f8c1f27705a6d4b823eb72457bc2b5b5a1c763f592eb7b6724f0fba200
Score

10^/10

anchordns backdoor persistence
- AnchorDNS Backdoor
  A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.
  backdoor anchordns
- Detected AnchorDNS Backdoor
  Sample triggered yara rules associated with the AnchorDNS malware family.
  backdoor
- Sets DLL path for service in the registry
  persistence
- Tries to connect to .bazar domain
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Deletes itself
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

backdooranchordns

behavioral1

anchordnsbackdoorpersistence

behavioral2

anchordnsbackdoorpersistence

© 2018-2025

Terms | Privacy