bazarbackdoor | 8081638587d1ad2cb3e79705c8c370b5be3b0b8b4faaf0e9271714f90eb4370d | Triage

Submit
Reports

Overview

overview

Static

static

8

2022-2-4-2...21.xls

windows7_x64

2022-2-4-2...21.xls

windows10-2004_x64

Sharing

General

Target

2022-2-4-2ac627c145f9c76d3052d8d82db8fa21.bin
Size

142KB
Sample

220203-xxgdfadab6
MD5

2ac627c145f9c76d3052d8d82db8fa21
SHA1

623b905cf7c268147bc29ce4715fb98a3b58e7d7
SHA256

8081638587d1ad2cb3e79705c8c370b5be3b0b8b4faaf0e9271714f90eb4370d
SHA512

12d07b1946f3eccad7a59d55cd3d3c2a9802fddd62c7f6db272d51c31e62624f28e9d8d2170a6e7724ac67a7bfc2ecfc2b1f5469bf0546a9eca122f58130196e

Score

10^/10

bazarbackdoor backdoor macro macro_on_action persistence

Static task

static1

macro macro_on_action

Behavioral task

behavioral1

Sample

2022-2-4-2ac627c145f9c76d3052d8d82db8fa21.xls

Resource

win7-en-20211208

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

2022-2-4-2ac627c145f9c76d3052d8d82db8fa21.xls

Resource

win10v2004-en-20220112

bazarbackdoor backdoor persistence

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://goyaluat.vmesh.in/0v6kcny/CG/

exe.dropper

https://mars.srl/wp-admin/7Ffk6LLN2Xs2W/

exe.dropper

http://franmulero.es/mbx/8c5RBJx6/

exe.dropper

http://varafood.com/Ajax/cnM91G/

exe.dropper

https://7jcat.com/wp-content/t/

exe.dropper

http://blog.centralhome.hu/wp-content/pB1RfPCnBlS1WfpcOL/

exe.dropper

http://zimrights.co.zw/oldsite/k0EoCWycU9tNo1d/

exe.dropper

https://mudhands.com/error/BfH/

exe.dropper

http://albatrospatagonia.com/phkcvt/t53ceSMDqgPQlq/

exe.dropper

http://mapcommunications.co.zw/wp-admin/mdRRbSdU3aB7Xpx6z/

exe.dropper

http://odconsult.co.uk/ALFA_DATA/HHr0FqOXAn62/

exe.dropper

http://dushkin.net/img/bhQSTNicEMtNQxP/

Targets

- Target
  
  2022-2-4-2ac627c145f9c76d3052d8d82db8fa21.bin
- Size
  
  142KB
- MD5
  
  2ac627c145f9c76d3052d8d82db8fa21
- SHA1
  
  623b905cf7c268147bc29ce4715fb98a3b58e7d7
- SHA256
  
  8081638587d1ad2cb3e79705c8c370b5be3b0b8b4faaf0e9271714f90eb4370d
- SHA512
  
  12d07b1946f3eccad7a59d55cd3d3c2a9802fddd62c7f6db272d51c31e62624f28e9d8d2170a6e7724ac67a7bfc2ecfc2b1f5469bf0546a9eca122f58130196e
Score

10^/10

bazarbackdoor backdoor persistence
- BazarBackdoor
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  backdoor bazarbackdoor
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Bazar/Team9 Backdoor payload
- Sets service image path in registry
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

macromacro_on_action

behavioral1

behavioral2

bazarbackdoorbackdoorpersistence

© 2018-2024

Terms | Privacy