Analysis
max time kernel: 204s
max time network: 217s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-05-2022 22:44
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe
  Resource: win10v2004-20220414-en
General
Target: c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe
Size: 461KB
MD5: 9776a22caf580541c8231e35e06b8423
SHA1: 84250f1c3b526a88b260c8d8112cc0e92a7f71fb
SHA256: c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74
SHA512: 0e073f7f8b810af8d913fcefe4bff40180b25ddd6f2f78246a831b89eae39ffc7ff2f1398cb4dd22a0e2c95bfc157c78ced9f76a0b0f26353520a33afb2ab537
Malware Config
Signatures

Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

BazarBackdoor (1 IoC)
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  Network IoCs:
    description   flow   ioc
    HTTP URL      55     https://194.5.249.136/0027858122761454971500701523730601444130/2

Bazar/Team9 Loader payload (3 IoCs)
  Memory IoCs:
    resource                                                                    yara_rule
    behavioral2/memory/4312-130-0x00000000021A0000-0x00000000021C3000-memory.dmp  BazarLoaderVar1
    behavioral2/memory/4312-134-0x0000000140000000-0x0000000140021000-memory.dmp  BazarLoaderVar1
    behavioral2/memory/4312-138-0x00000000004A0000-0x00000000004C1000-memory.dmp  BazarLoaderVar1

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid    process
    4312   c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe