anchordns | 0e1d5d891662f275badff2f98e24600d36db462bd30f84fba71ebf67142b460b | Triage

Submit
Reports

Overview

overview

Static

static

0e1d5d8916...0b.exe

windows7_x64

0e1d5d8916...0b.exe

windows10_x64

Sharing

General

Target

0e1d5d891662f275badff2f98e24600d36db462bd30f84fba71ebf67142b460b
Size

481KB
Sample

220128-wjy6nahggn
MD5

300ebc9b82049ce2f97a7669e8d71247
SHA1

dd3421cf241ec2058167122ce6af0184fb1666ce
SHA256

0e1d5d891662f275badff2f98e24600d36db462bd30f84fba71ebf67142b460b
SHA512

f5252183760db2a9d7c2a70fd1c8858fbf1218ae394ce863fd5045632598f2aabe0bc27b958b7a5771b09a532b0cf811b64aafdffee9219bd0b27ce255e0009a

Score

10^/10

anchordns backdoor persistence suricata

Static task

static1

backdoor anchordns

Behavioral task

behavioral1

Sample

0e1d5d891662f275badff2f98e24600d36db462bd30f84fba71ebf67142b460b.exe

Resource

win7-en-20211208

anchordns backdoor persistence suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

0e1d5d891662f275badff2f98e24600d36db462bd30f84fba71ebf67142b460b.exe

Resource

win10-en-20211208

anchordns backdoor persistence suricata

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  0e1d5d891662f275badff2f98e24600d36db462bd30f84fba71ebf67142b460b
- Size
  
  481KB
- MD5
  
  300ebc9b82049ce2f97a7669e8d71247
- SHA1
  
  dd3421cf241ec2058167122ce6af0184fb1666ce
- SHA256
  
  0e1d5d891662f275badff2f98e24600d36db462bd30f84fba71ebf67142b460b
- SHA512
  
  f5252183760db2a9d7c2a70fd1c8858fbf1218ae394ce863fd5045632598f2aabe0bc27b958b7a5771b09a532b0cf811b64aafdffee9219bd0b27ce255e0009a
Score

10^/10

anchordns backdoor persistence suricata
- AnchorDNS Backdoor
  A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.
  backdoor anchordns
- Detected AnchorDNS Backdoor
  Sample triggered yara rules associated with the AnchorDNS malware family.
  backdoor
- suricata: ET MALWARE Win32/TrickBot Anchor Variant Style External IP Check
  suricata: ET MALWARE Win32/TrickBot Anchor Variant Style External IP Check
  suricata
- Sets DLL path for service in the registry
  persistence
- Tries to connect to .bazar domain
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Deletes itself
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

backdooranchordns

behavioral1

anchordnsbackdoorpersistencesuricata

behavioral2

anchordnsbackdoorpersistencesuricata

© 2018-2025

Terms | Privacy