Analysis

max time kernel:  164s
max time network: 175s
platform:         windows10-2004_x64
resource:         win10v2004-20220310-en
submitted:        19-03-2022 23:10
Static task: static1

Behavioral task: behavioral1
Sample:   898f6e91c82bf23b5b95e0560292b1c610970b3062eeeb9980c75f954e5024a9.exe
Resource: win7-20220310-en

Behavioral task: behavioral2
Sample:   898f6e91c82bf23b5b95e0560292b1c610970b3062eeeb9980c75f954e5024a9.exe
Resource: win10v2004-20220310-en
General

Target: 898f6e91c82bf23b5b95e0560292b1c610970b3062eeeb9980c75f954e5024a9.exe
Size:   576KB
MD5:    2946562b29462362faf215bf7a2fcaa6
SHA1:   3d4894ad006420523bfec3996774ece6090e4e15
SHA256: 898f6e91c82bf23b5b95e0560292b1c610970b3062eeeb9980c75f954e5024a9
SHA512: a6ef18c693ca2d13174e745f96e80b5b81227ab55596713da1410a245aa9d261df36dd442fc27112b24baaee5bd45b44c95425da41b05ebc21e73ad33477fde4
Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

Bazar/Team9 Backdoor payload (3 IoCs)
Processes:
resource                                                                      yara_rule
behavioral2/memory/4564-134-0x00000000024C0000-0x0000000002519000-memory.dmp  BazarBackdoorVar3
behavioral2/memory/4564-138-0x0000000180000000-0x0000000180058000-memory.dmp  BazarBackdoorVar3
behavioral2/memory/4564-143-0x0000000002460000-0x00000000024B7000-memory.dmp  BazarBackdoorVar3

Bazar/Team9 Loader payload (3 IoCs)
Processes:
resource                                                                      yara_rule
behavioral2/memory/4564-134-0x00000000024C0000-0x0000000002519000-memory.dmp  BazarLoaderVar3
behavioral2/memory/4564-138-0x0000000180000000-0x0000000180058000-memory.dmp  BazarLoaderVar3
behavioral2/memory/4564-143-0x0000000002460000-0x00000000024B7000-memory.dmp  BazarLoaderVar3

Program crash (1 IoC)
Processes:
pid   pid_target  process       target process
3112  4492        WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\898f6e91c82bf23b5b95e0560292b1c610970b3062eeeb9980c75f954e5024a9.exe
    "C:\Users\Admin\AppData\Local\Temp\898f6e91c82bf23b5b95e0560292b1c610970b3062eeeb9980c75f954e5024a9.exe"

C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 448 -p 4492 -ip 4492

C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 4492 -s 2232
    Program crash
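The YARA hits above are reported as memory-dump resource names (`<pid>-<seq>-<start>-<end>-memory.dmp`) and the crash as WerFault command lines, which is awkward to read across several reports. The script below is an added example, not part of the sandbox's own tooling or output: it parses those two kinds of line into a per-PID summary, computes each flagged region's size, and marks a region whose start address is `0x180000000`, the default preferred image base for 64-bit DLLs, which is a useful heuristic (my own, not a statement from the report) for a DLL that was mapped into the process by hand rather than by the Windows loader. The input lists are copied from the report text above; the `-p <pid>` argument of WerFault.exe identifies the crashing process. Note that the YARA hits are in PID 4564 while the crash is in PID 4492; the summary surfaces that mismatch rather than resolving it, since the report does not say whether the two PIDs are the same process instance.

```python
"""Summarise sandbox memory-dump YARA hits and WerFault crash lines per PID.

Added example. The sample rows below are copied from the report text, not
fetched from the sandbox; the x64-DLL-base flag is a heuristic, not a verdict.
"""
import re
from dataclasses import dataclass, field

# Default preferred ImageBase that MSVC assigns to 64-bit DLLs. A YARA hit on a
# region that starts exactly here, inside an .exe process, hints at a manually
# mapped (reflectively loaded) DLL. Heuristic only.
X64_DLL_DEFAULT_BASE = 0x180000000

# <task>/memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)
# WerFault.exe names the crashing process with "-p <pid>" (not "-pss").
WERFAULT_RE = re.compile(r"WerFault\.exe.*?\s-p\s+(?P<pid>\d+)")

# Constructed from the report's "resource yara_rule" rows.
YARA_ROWS = [
    "behavioral2/memory/4564-134-0x00000000024C0000-0x0000000002519000-memory.dmp BazarBackdoorVar3",
    "behavioral2/memory/4564-138-0x0000000180000000-0x0000000180058000-memory.dmp BazarBackdoorVar3",
    "behavioral2/memory/4564-143-0x0000000002460000-0x00000000024B7000-memory.dmp BazarBackdoorVar3",
    "behavioral2/memory/4564-134-0x00000000024C0000-0x0000000002519000-memory.dmp BazarLoaderVar3",
    "behavioral2/memory/4564-138-0x0000000180000000-0x0000000180058000-memory.dmp BazarLoaderVar3",
    "behavioral2/memory/4564-143-0x0000000002460000-0x00000000024B7000-memory.dmp BazarLoaderVar3",
]
# Constructed from the report's process tree.
WERFAULT_CMDLINES = [
    r"C:\Windows\system32\WerFault.exe -pss -s 448 -p 4492 -ip 4492",
    r"C:\Windows\system32\WerFault.exe -u -p 4492 -s 2232",
]


@dataclass
class Region:
    task: str
    pid: int
    start: int
    end: int
    rules: set = field(default_factory=set)

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def at_x64_dll_base(self) -> bool:
        return self.start == X64_DLL_DEFAULT_BASE


def parse_yara_hits(rows):
    """Merge 'resource yara_rule' rows into one Region per dump, collecting all rules."""
    regions = {}
    for row in rows:
        resource, rule = row.split()
        m = DUMP_RE.fullmatch(resource)
        if not m:
            raise ValueError(f"unrecognised resource name: {resource}")
        key = (m["task"], int(m["pid"]), int(m["start"], 16), int(m["end"], 16))
        regions.setdefault(key, Region(*key)).rules.add(rule)
    return list(regions.values())


def crashed_pids(cmdlines):
    """PIDs named by '-p' in WerFault.exe command lines."""
    return sorted({int(m["pid"]) for c in cmdlines if (m := WERFAULT_RE.search(c))})


def summarize(yara_rows, werfault_cmdlines):
    regions = parse_yara_hits(yara_rows)
    crashed = crashed_pids(werfault_cmdlines)
    hit_pids = {r.pid for r in regions}
    return {
        "regions": [
            {"pid": r.pid, "start": hex(r.start), "size": r.size,
             "rules": sorted(r.rules), "x64_dll_base": r.at_x64_dll_base}
            for r in sorted(regions, key=lambda r: r.start)
        ],
        "pids_with_yara_hits": sorted(hit_pids),
        "crashed_pids": crashed,
        # A crash in a PID with no YARA hit (or vice versa) deserves a second look:
        # the dumps and the crash may come from different process instances.
        "crashed_without_hits": [p for p in crashed if p not in hit_pids],
    }


if __name__ == "__main__":
    summary = summarize(YARA_ROWS, WERFAULT_CMDLINES)
    for r in summary["regions"]:
        flag = "  <- x64 DLL default image base" if r["x64_dll_base"] else ""
        print(f"pid {r['pid']} {r['start']:>12} size {r['size']:>7} {','.join(r['rules'])}{flag}")
    print("crashed:", summary["crashed_pids"], "without YARA hits:", summary["crashed_without_hits"])
```

Running it lists the three regions of PID 4564 (all roughly 0x57000 to 0x59000 bytes, each matched by both the loader and backdoor rules), flags the `0x180000000` region, and reports PID 4492 as crashed with no YARA hits of its own.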