anchordns | 2c446cad1e15d82521022281b81f905867e33e9ae33c3e7e4959972d40230775 | Triage

Submit
Reports

Overview

overview

Static

static

2c446cad1e...75.exe

windows7_x64

2c446cad1e...75.exe

windows10_x64

Sharing

General

Target

2c446cad1e15d82521022281b81f905867e33e9ae33c3e7e4959972d40230775
Size

481KB
Sample

220128-vxl8kshdh5
MD5

5d83bd79bc681fb123e9c4078437b48f
SHA1

fa98074dc18ad7e2d357b5d168c00a91256d87d1
SHA256

2c446cad1e15d82521022281b81f905867e33e9ae33c3e7e4959972d40230775
SHA512

933919fea47ff5102564f6597f1ed277e699cdd746835a0039fa531e50b8fbb18532626a6900b5c18e88d15d2f6173f41c3b2d8ccf9109802aaf27a502ab0dc6

Score

10^/10

anchordns backdoor persistence

Static task

static1

backdoor anchordns

Behavioral task

behavioral1

Sample

2c446cad1e15d82521022281b81f905867e33e9ae33c3e7e4959972d40230775.exe

Resource

win7-en-20211208

anchordns backdoor persistence

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

2c446cad1e15d82521022281b81f905867e33e9ae33c3e7e4959972d40230775.exe

Resource

win10-en-20211208

anchordns backdoor persistence

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  2c446cad1e15d82521022281b81f905867e33e9ae33c3e7e4959972d40230775
- Size
  
  481KB
- MD5
  
  5d83bd79bc681fb123e9c4078437b48f
- SHA1
  
  fa98074dc18ad7e2d357b5d168c00a91256d87d1
- SHA256
  
  2c446cad1e15d82521022281b81f905867e33e9ae33c3e7e4959972d40230775
- SHA512
  
  933919fea47ff5102564f6597f1ed277e699cdd746835a0039fa531e50b8fbb18532626a6900b5c18e88d15d2f6173f41c3b2d8ccf9109802aaf27a502ab0dc6
Score

10^/10

anchordns backdoor persistence
- AnchorDNS Backdoor
  A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.
  backdoor anchordns
- Detected AnchorDNS Backdoor
  Sample triggered yara rules associated with the AnchorDNS malware family.
  backdoor
- Sets DLL path for service in the registry
  persistence
- Tries to connect to .bazar domain
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Deletes itself
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

backdooranchordns

behavioral1

anchordnsbackdoorpersistence

behavioral2

anchordnsbackdoorpersistence

© 2018-2025

Terms | Privacy