bazarbackdoor | a2ec27dec7addbe9aa3ce2551fd5ccda03d19af869133217fe0ef0dd0f2d6c7c

Sharing

Copy URL

Twitter E-mail

General

Target

a2ec27dec7addbe9aa3ce2551fd5ccda03d19af869133217fe0ef0dd0f2d6c7c
Size

229KB
MD5

d55ec134a3046f289d9ebfdba1e98775
SHA1

530f3a7f892b949d4025418ba35d881ab4a364d4
SHA256

a2ec27dec7addbe9aa3ce2551fd5ccda03d19af869133217fe0ef0dd0f2d6c7c
SHA512

d1d58bb8b247db9161f3178165fad5e96944bf4cabef0139a7d86ab43747a69f76620f423644934d5096209e6c11f62d04daef16b37c55d2dd32b654f99336f5
SSDEEP

3072:ES1I30Xj5tecyG/lQV8V5kjetAXqRoGFr32oNAOHxNLCfwCmAD/umpbXzvvNyIu:ES630XacyGNQV8L2dkLCIADHbhD

Score

10^/10

bazarbackdoor

Malware Config

Signatures

Bazar/Team9 Backdoor payload 1 IoCs

Processes:

resource yara_rule

sample BazarBackdoorVar2
Bazarbackdoor family
bazarbackdoor

resource	yara_rule
sample	BazarBackdoorVar2

Files

a2ec27dec7addbe9aa3ce2551fd5ccda03d19af869133217fe0ef0dd0f2d6c7c
.exe windows x64

26a11c8d25d41f422b1da7f31a37f2ea

Code Sign

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

kernel32

VirtualAlloc
TerminateProcess
GetEnvironmentVariableW
OpenProcess
GetLastError
DeleteFileW
CloseHandle
HeapReAlloc
GetCurrentProcessId
GetStartupInfoW
ReadFile
WriteFile
CreatePipe
PeekNamedPipe
Sleep
CreateProcessW
GetDateFormatA
GetCurrentProcess
DeviceIoControl
lstrcmpA
GetModuleHandleA
CreateToolhelp32Snapshot
Process32NextW
K32GetModuleBaseNameW
CreateFileA
Process32FirstW
FindFirstFileW
GetFileSizeEx
FindNextFileW
lstrcpynW
GetTempPathW
FindClose
CreateFileW
GetTickCount
WriteProcessMemory
Wow64SetThreadContext
Wow64GetThreadContext
WaitForSingleObject
ResumeThread
GetProcAddress
VirtualAllocEx
ReadProcessMemory
GetModuleFileNameW
FlushInstructionCache
LoadLibraryA
DuplicateHandle
CreateFileTransactedW
GetThreadContext
SetThreadContext
MultiByteToWideChar
K32GetModuleFileNameExW
GetProductInfo
GetLocaleInfoW
GetTimeZoneInformation
GetNativeSystemInfo
GetComputerNameW
GlobalMemoryStatusEx
lstrcpyW
CreateMutexA
SetLastError
ExitProcess
WriteConsoleW
HeapSize
GetComputerNameA
WideCharToMultiByte
lstrcpynA
GetWindowsDirectoryA
GetSystemDirectoryA
FileTimeToSystemTime
InitializeCriticalSection
LeaveCriticalSection
lstrlenW
EnterCriticalSection
GetFileAttributesExA
GetProcessHeap
HeapAlloc
lstrlenA
GetConsoleMode
GetConsoleCP
FlushFileBuffers
SetFilePointerEx
GetStringTypeW
SetStdHandle
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindFirstFileExW
LCMapStringW
GetFileType
GetModuleHandleExW
GetStdHandle
RtlPcToFileHeader
LoadLibraryExW
FreeLibrary
TlsFree
TlsSetValue
TlsGetValue
TlsAlloc
RaiseException
EncodePointer
RtlUnwindEx
InitializeSListHead
GetSystemTimeAsFileTime
GetCurrentThreadId
QueryPerformanceCounter
IsDebuggerPresent
GetModuleHandleW
CreateEventW
WaitForSingleObjectEx
ResetEvent
SetEvent
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
IsProcessorFeaturePresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
CreateThread
HeapFree

user32

CharLowerW

advapi32

RegOpenKeyExW
CryptGetHashParam
RegQueryInfoKeyW
RegCreateKeyExW
RegEnumKeyExW
GetUserNameW
RegCloseKey
CryptReleaseContext
RegQueryValueExW
CryptAcquireContextA
CryptCreateHash
CryptHashData
CryptDestroyHash

shell32

SHGetFolderPathW

ole32

CoInitialize
CoInitializeSecurity
CoSetProxyBlanket
CoUninitialize
CoCreateInstance

oleaut32

SysAllocString
SysFreeString

ktmw32

RollbackTransaction
CreateTransaction

ntdll

NtReadVirtualMemory
RtlCaptureContext
RtlVirtualUnwind
NtQueryInformationProcess
RtlInitUnicodeString
NtCreateSection
RtlLookupFunctionEntry

shlwapi

UrlUnescapeA
StrChrA
wnsprintfW
PathCombineW
wnsprintfA
StrStrIA
PathFindFileNameW
PathAppendW
StrRChrA
StrStrA

wininet

HttpQueryInfoA
InternetQueryDataAvailable
HttpOpenRequestA
InternetCrackUrlA
InternetReadFile
InternetConnectA
HttpSendRequestA
InternetCloseHandle
InternetOpenA
HttpAddRequestHeadersA
InternetSetOptionA

urlmon

ObtainUserAgentString

ws2_32

select
__WSAFDIsSet
sendto
htons
recvfrom
ntohs
socket
inet_pton
shutdown
closesocket

netapi32

NetWkstaGetInfo
NetApiBufferFree
NetGetJoinInformation

crypt32

CryptStringToBinaryA

bcrypt

BCryptVerifySignature
BCryptCreateHash
BCryptHashData
BCryptImportKeyPair
BCryptGetProperty
BCryptFinishHash
BCryptCloseAlgorithmProvider
BCryptDestroyHash
BCryptOpenAlgorithmProvider

Sections

.text
Size: 166KB - Virtual size: 166KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 49KB - Virtual size: 49KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 3KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 7KB - Virtual size: 7KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 512B - Virtual size: 480B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

26a11c8d25d41f422b1da7f31a37f2ea

Code Sign

Headers

DLL Characteristics

File Characteristics

Imports

kernel32

user32

advapi32

shell32

ole32

oleaut32

ktmw32

ntdll

shlwapi

wininet

urlmon

ws2_32

netapi32

crypt32

bcrypt

Sections

.text Size: 166KB - Virtual size: 166KB

.rdata Size: 49KB - Virtual size: 49KB

.data Size: 3KB - Virtual size: 7KB

.pdata Size: 7KB - Virtual size: 7KB

.rsrc Size: 512B - Virtual size: 480B

.reloc Size: 2KB - Virtual size: 1KB

.text
Size: 166KB - Virtual size: 166KB

.rdata
Size: 49KB - Virtual size: 49KB

.data
Size: 3KB - Virtual size: 7KB

.pdata
Size: 7KB - Virtual size: 7KB

.rsrc
Size: 512B - Virtual size: 480B

.reloc
Size: 2KB - Virtual size: 1KB