anchordns | eea37d92dc98bb28cdd5b999b8a9d9d598391d494a1984813d26322b8b857536 | Triage

Submit
Reports

Overview

overview

Static

static

eea37d92dc...36.exe

windows7_x64

eea37d92dc...36.exe

windows10_x64

Sharing

General

Target

eea37d92dc98bb28cdd5b999b8a9d9d598391d494a1984813d26322b8b857536
Size

481KB
Sample

220128-z2hs6sdffq
MD5

b05dc02b630924cb951e5e999269a9e7
SHA1

49f6d0beca33af85e8a5ba64aa9e848ce250188b
SHA256

eea37d92dc98bb28cdd5b999b8a9d9d598391d494a1984813d26322b8b857536
SHA512

2a2cf9bfa42fe91a1d3db533653f531625e43effb0f169567e411a435f6b1c0998a4329559648e5d864b7333cd8230abc8a5b39df91fa3309ac88dd6f0e3342c

Score

10^/10

anchordns backdoor persistence suricata

Static task

static1

backdoor anchordns

Behavioral task

behavioral1

Sample

eea37d92dc98bb28cdd5b999b8a9d9d598391d494a1984813d26322b8b857536.exe

Resource

win7-en-20211208

anchordns backdoor persistence suricata

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

eea37d92dc98bb28cdd5b999b8a9d9d598391d494a1984813d26322b8b857536.exe

Resource

win10-en-20211208

anchordns backdoor persistence suricata

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  eea37d92dc98bb28cdd5b999b8a9d9d598391d494a1984813d26322b8b857536
- Size
  
  481KB
- MD5
  
  b05dc02b630924cb951e5e999269a9e7
- SHA1
  
  49f6d0beca33af85e8a5ba64aa9e848ce250188b
- SHA256
  
  eea37d92dc98bb28cdd5b999b8a9d9d598391d494a1984813d26322b8b857536
- SHA512
  
  2a2cf9bfa42fe91a1d3db533653f531625e43effb0f169567e411a435f6b1c0998a4329559648e5d864b7333cd8230abc8a5b39df91fa3309ac88dd6f0e3342c
Score

10^/10

anchordns backdoor persistence suricata
- AnchorDNS Backdoor
  A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.
  backdoor anchordns
- Detected AnchorDNS Backdoor
  Sample triggered yara rules associated with the AnchorDNS malware family.
  backdoor
- suricata: ET MALWARE Win32/TrickBot Anchor Variant Style External IP Check
  suricata: ET MALWARE Win32/TrickBot Anchor Variant Style External IP Check
  suricata
- Sets DLL path for service in the registry
  persistence
- Tries to connect to .bazar domain
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Deletes itself
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

backdooranchordns

behavioral1

anchordnsbackdoorpersistencesuricata

behavioral2

anchordnsbackdoorpersistencesuricata

© 2018-2025

Terms | Privacy