Analysis
max time kernel: 117s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 25-04-2022 02:39

Static task: static1

Behavioral task: behavioral1
Sample: youtube.dll
Resource: win7-20220414-en (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: youtube.dll
Resource: win10v2004-20220414-en (windows10-2004_x64)
0 signatures, 0 seconds
General
Target: youtube.dll
Size: 214KB
MD5: 9a4ef0169f86641aa99017049de272f5
SHA1: 82e1a3868eff88753fe30abedf7c83620aaddd13
SHA256: d21d616f6052e8b62292fcc6d9fd9ee2a3b549c59ca76aa8ef5a96cd163512ac
SHA512: 9b9bff3e64ee7f060679b3ff8704b8f89057748906198c674e7ebec7a51e33023af119997877790837389905090d57559eadc49811f53973b7ed91f3552c9e84
Score: 10/10

Malware Config
Extracted
Family: bazarloader
C2 (IP addresses):
148.163.42.213
5.255.102.10
188.127.235.177
23.160.193.221
C2 (domains):
reddew28c.bazar
bluehail.bazar
whitestorm9p.bazar
Note that .bazar is an EmerDNS (Emercoin blockchain) top-level domain, not an ICANN TLD: the sample has to reach it through OpenNIC or Emercoin-aware resolvers, so these names will not show up as ordinary queries to a corporate DNS server. Hunt for them in proxy/EDR telemetry and for DNS traffic to non-standard resolvers rather than in the internal DNS logs alone.
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, cmd.exe
PID   Process       Target PID  Target process
2052  rundll32.exe  4160        cmd.exe
2052  rundll32.exe  4160        cmd.exe
4160  cmd.exe       1236        choice.exe
4160  cmd.exe       1236        choice.exe
4160  cmd.exe       3200        rundll32.exe
4160  cmd.exe       3200        rundll32.exe
Every write here is from a parent into a child it has just created, which is what process creation itself does; on its own this signature is weak, and the useful signal is the parent/child chain it outlines (rundll32 -> cmd.exe -> choice.exe and a second rundll32), not the memory writes.
Processes
C:\Windows\system32\rundll32.exe (PID 2052)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\youtube.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 4160)
    cmd /c choice /c y /d y /t 10 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\youtube.dll", #1 ZF3bI6aD VI0rr2aG & exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\choice.exe (PID 1236)
      choice /c y /d y /t 10
    C:\Windows\system32\rundll32.exe (PID 3200)
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\youtube.dll", #1 ZF3bI6aD VI0rr2aG
The chain reads as follows: the first rundll32 invocation calls export #1 of youtube.dll with no arguments; the DLL spawns cmd.exe, which runs choice with a default answer (/d y) and a 10-second timeout (/t 10), a stand-in for the sleep command cmd.exe lacks, and then relaunches rundll32 on the same DLL and export with two extra arguments (ZF3bI6aD VI0rr2aG). The second rundll32 (PID 3200) is the one that carries the loader's real work, so that is the process whose memory and network activity matter when triaging.
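The Python below reconstructs that relaunch chain from process-creation events (the kind of record Sysmon event ID 1 or an EDR produces): a rundll32 whose parent is cmd.exe running a choice-based delay and whose grandparent is rundll32 loading the same DLL. It is an added example, not part of the sandbox report. The event list is constructed from the report's PIDs and command lines; the root process's parent PID (1000) and the two benign events are assumed.

```python
"""Detect rundll32 -> cmd.exe (choice used as a sleep) -> rundll32 relaunch chains.
Added example; not part of the sandbox output."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (pid, parent pid, image path, command line)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the report's process tree. PIDs and command lines come
# from the report; the root's parent PID (1000) and the two benign events are made up.
EVENTS: List[ProcEvent] = [
    ProcEvent(2052, 1000, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\youtube.dll,#1"),
    ProcEvent(4160, 2052, r"C:\Windows\system32\cmd.exe",
              r'cmd /c choice /c y /d y /t 10 > NUL & "C:\Windows\system32\rundll32.exe" '
              r'"C:\Users\Admin\AppData\Local\Temp\youtube.dll", #1 ZF3bI6aD VI0rr2aG & exit'),
    ProcEvent(1236, 4160, r"C:\Windows\system32\choice.exe", "choice /c y /d y /t 10"),
    ProcEvent(3200, 4160, r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\youtube.dll", #1 ZF3bI6aD VI0rr2aG'),
    ProcEvent(5000, 1000, r"C:\Windows\system32\cmd.exe", "cmd /c dir"),                    # benign
    ProcEvent(5001, 5000, r"C:\Windows\system32\choice.exe", "choice /c yn /m Continue?"),  # benign
]

# A rundll32 call: <path>.dll,#<ordinal> [args...]; the path may be quoted and the
# comma may be followed by a space. Args stop at the next cmd.exe operator (& or |).
_RUNDLL_CALL = re.compile(r'([^\s",]+\.dll)"?\s*,\s*#(\d+)((?:\s+[^\s&|]+)*)', re.I)


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, int, List[str]]]:
    """Return (dll path, export ordinal, extra args) for a rundll32 command line, else None."""
    m = _RUNDLL_CALL.search(cmdline)
    if m is None:
        return None
    return m.group(1), int(m.group(2)), m.group(3).split()


def choice_sleep_seconds(cmdline: str) -> Optional[int]:
    """Return the /t timeout when choice.exe is used as a timer: a default answer (/d)
    plus a timeout (/t) means it never waits for a keypress, i.e. it is a sleep."""
    m = re.search(r"\bchoice\b([^&|]*)", cmdline, re.I)
    if m is None:
        return None
    args = m.group(1)
    timeout = re.search(r"/t\s+(\d+)", args, re.I)
    if timeout and re.search(r"/d\s+\S", args, re.I):
        return int(timeout.group(1))
    return None


def find_delayed_rundll32_relaunch(events: List[ProcEvent]) -> List[dict]:
    """Flag rundll32 processes launched by a cmd.exe that delayed via choice, where the
    cmd.exe itself was spawned by rundll32 loading the same DLL (loader re-executing itself)."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[dict] = []
    for ev in events:
        if not ev.image.lower().endswith("rundll32.exe"):
            continue
        call = parse_rundll32(ev.cmdline)
        parent = by_pid.get(ev.ppid)
        if call is None or parent is None or not parent.image.lower().endswith("cmd.exe"):
            continue
        delay = choice_sleep_seconds(parent.cmdline)
        grand = by_pid.get(parent.ppid)
        if delay is None or grand is None or not grand.image.lower().endswith("rundll32.exe"):
            continue
        gcall = parse_rundll32(grand.cmdline)
        if gcall is None or gcall[0].lower() != call[0].lower():
            continue
        dll, ordinal, extra = call
        findings.append({
            "chain": [grand.pid, parent.pid, ev.pid],
            "dll": dll,
            "ordinal": ordinal,
            "delay_seconds": delay,
            "extra_args": extra,
        })
    return findings


if __name__ == "__main__":
    for finding in find_delayed_rundll32_relaunch(EVENTS):
        print(finding)
```

Run against the constructed events it reports exactly one chain, 2052 -> 4160 -> 3200, with a 10-second delay and the two extra arguments; the benign cmd.exe and the interactive choice prompt are not flagged because the timer check requires both /d and /t and the chain check requires the same DLL at both ends.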
Network
MITRE ATT&CK Matrix
Downloads
memory/1236-132-0x0000000000000000-mapping.dmp
memory/2052-130-0x000001ADA1A40000-0x000001ADA1A60000-memory.dmp (128KB)
memory/3200-133-0x0000000000000000-mapping.dmp
memory/3200-134-0x000001CDCDD90000-0x000001CDCDDB0000-memory.dmp (128KB)
memory/4160-131-0x0000000000000000-mapping.dmp
The two 128KB region dumps come from the two rundll32 processes (2052, the initial call, and 3200, the delayed relaunch); the zero-address "mapping" entries are per-process mapping records rather than memory contents.