Analysis
Max time kernel: 157s
Max time network: 164s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 02-05-2022 11:39
Static task: static1
Behavioral task: behavioral1
  Sample: 4c0b10f54e62d48405351342ebf4a11ae449ac6377d091827d5a177c0e0f9719.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4c0b10f54e62d48405351342ebf4a11ae449ac6377d091827d5a177c0e0f9719.exe
  Resource: win10v2004-20220414-en
General
Target: 4c0b10f54e62d48405351342ebf4a11ae449ac6377d091827d5a177c0e0f9719.exe
Size: 116KB
MD5: 7de28d47c6f1dbe38f892253ff530208
SHA1: 019cd9232cb9df9109142f78fa5a7eaf91e5c549
SHA256: 4c0b10f54e62d48405351342ebf4a11ae449ac6377d091827d5a177c0e0f9719
SHA512: 5da4e8e9e3e101291551b6c0570ce14b7c7be37a4b87a897dc11d0ed250b12df78fec4aed86c0203a9f35c0acba9b72e5d81eea01565c4287dbd3265b4f31c42
Malware Config
Signatures
BazarBackdoor (1 IoC)
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
Processes:
description | flow | ioc
HTTP URL | 70 | https://shophoof.com/0095389875812637773378538013768309870088/2
Tries to connect to .bazar domain (64 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Processes:
flow | ioc
220 | bdegjkbkggjo.bazar
398 | ddegkmdkggkq.bazar
187 | dcegjldjggjp.bazar
289 | ddehimdkghiq.bazar
302 | ddehimdkghiq.bazar
368 | ddegkmdkggkq.bazar
374 | ddegkmdkggkq.bazar
270 | bdegjkbkggjo.bazar
155 | dcegjldjggjp.bazar
185 | dcegjldjggjp.bazar
226 | bdegjkbkggjo.bazar
327 | ddehimdkghiq.bazar
334 | ddehimdkghiq.bazar
346 | ddehimdkghiq.bazar
401 | ddegkmdkggkq.bazar
145 | dcegjldjggjp.bazar
404 | ddegkmdkggkq.bazar
204 | dcegjldjggjp.bazar
399 | ddegkmdkggkq.bazar
458 | bdfgilbkhgip.bazar
147 | dcegjldjggjp.bazar
184 | dcegjldjggjp.bazar
219 | bdegjkbkggjo.bazar
222 | bdegjkbkggjo.bazar
263 | bdegjkbkggjo.bazar
294 | ddehimdkghiq.bazar
311 | ddehimdkghiq.bazar
154 | dcegjldjggjp.bazar
176 | dcegjldjggjp.bazar
261 | bdegjkbkggjo.bazar
290 | ddehimdkghiq.bazar
340 | ddehimdkghiq.bazar
371 | ddegkmdkggkq.bazar
436 | bdfgilbkhgip.bazar
454 | bdfgilbkhgip.bazar
159 | dcegjldjggjp.bazar
264 | bdegjkbkggjo.bazar
329 | ddehimdkghiq.bazar
353 | ddegkmdkggkq.bazar
407 | ddegkmdkggkq.bazar
409 | ddegkmdkggkq.bazar
256 | bdegjkbkggjo.bazar
239 | bdegjkbkggjo.bazar
282 | ddehimdkghiq.bazar
387 | ddegkmdkggkq.bazar
402 | ddegkmdkggkq.bazar
403 | ddegkmdkggkq.bazar
214 | bdegjkbkggjo.bazar
413 | ddegkmdkggkq.bazar
420 | bdfgilbkhgip.bazar
260 | bdegjkbkggjo.bazar
201 | dcegjldjggjp.bazar
271 | bdegjkbkggjo.bazar
273 | bdegjkbkggjo.bazar
337 | ddehimdkghiq.bazar
408 | ddegkmdkggkq.bazar
457 | bdfgilbkhgip.bazar
486 | aegijmaliijq.bazar
172 | dcegjldjggjp.bazar
277 | bdegjkbkggjo.bazar
284 | ddehimdkghiq.bazar
316 | ddehimdkghiq.bazar
348 | ddegkmdkggkq.bazar
352 | ddegkmdkggkq.bazar
Unexpected DNS network traffic destination (64 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Processes:
description | ioc
Destination IP | 104.37.195.178
Destination IP | 188.165.200.156
Destination IP | 81.2.241.148
Destination IP | 66.70.211.246
Destination IP | 45.63.124.65
Destination IP | 192.52.166.110
Destination IP | 185.121.177.177
Destination IP | 158.69.239.167
Destination IP | 130.255.78.223
Destination IP | 51.254.25.115
Destination IP | 35.196.105.24
Destination IP | 87.98.175.85
Destination IP | 138.197.25.214
Destination IP | 96.47.228.108
Destination IP | 188.165.200.156
Destination IP | 139.59.23.241
Destination IP | 107.172.42.186
Destination IP | 139.59.208.246
Destination IP | 139.59.23.241
Destination IP | 87.98.175.85
Destination IP | 66.70.211.246
Destination IP | 158.69.160.164
Destination IP | 128.52.130.209
Destination IP | 193.183.98.66
Destination IP | 138.197.25.214
Destination IP | 91.217.137.37
Destination IP | 50.3.82.215
Destination IP | 139.59.208.246
Destination IP | 158.69.239.167
Destination IP | 45.63.124.65
Destination IP | 142.4.205.47
Destination IP | 193.183.98.66
Destination IP | 217.12.210.54
Destination IP | 46.28.207.199
Destination IP | 77.73.68.161
Destination IP | 5.132.191.104
Destination IP | 142.4.204.111
Destination IP | 128.52.130.209
Destination IP | 96.47.228.108
Destination IP | 212.24.98.54
Destination IP | 139.59.208.246
Destination IP | 104.37.195.178
Destination IP | 94.177.171.127
Destination IP | 5.135.183.146
Destination IP | 147.135.185.78
Destination IP | 193.183.98.66
Destination IP | 163.53.248.170
Destination IP | 5.132.191.104
Destination IP | 87.98.175.85
Destination IP | 46.101.70.183
Destination IP | 45.71.112.70
Destination IP | 198.251.90.143
Destination IP | 185.164.136.225
Destination IP | 172.104.136.243
Destination IP | 5.45.97.127
Destination IP | 176.126.70.119
Destination IP | 46.101.70.183
Destination IP | 185.121.177.177
Destination IP | 144.76.133.38
Destination IP | 82.196.9.45
Destination IP | 87.98.175.85
Destination IP | 45.71.112.70
Destination IP | 193.183.98.66
Destination IP | 217.12.210.54