Analysis
  max time kernel:  153s
  max time network: 192s
  platform:         windows7_x64
  resource:         win7-20220414-en
  submitted:        08-05-2022 16:33
Static task: static1
Behavioral task: behavioral1
  Sample:   412483d8630f27d160d9baf8f9d2b4deeb510d0f351ce684e7c0619d26f1cc29.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample:   412483d8630f27d160d9baf8f9d2b4deeb510d0f351ce684e7c0619d26f1cc29.exe
  Resource: win10v2004-20220414-en
General
  Target: 412483d8630f27d160d9baf8f9d2b4deeb510d0f351ce684e7c0619d26f1cc29.exe
  Size:   5.7MB
  MD5:    4c41decf8b08f8d5bb5445cc37a7065b
  SHA1:   2c60eb30ac92c79746bf6cc75d718726031926b5
  SHA256: 412483d8630f27d160d9baf8f9d2b4deeb510d0f351ce684e7c0619d26f1cc29
  SHA512: 945860033f9909d54432e99b8376f6c723e9d4561db82b367bbd73171b06634011beb4539e8f83b91b6ffcd046e9b402aa7fc7fea7c22486746cb994f555a816
Malware Config
Signatures
  Bazar Loader
    Detected loader normally used to deploy BazarBackdoor malware.
  Bazar/Team9 Loader payload (3 IoCs)
    Processes:
      resource                                                                     yara_rule
      behavioral1/memory/1740-54-0x00000000008F0000-0x0000000000909000-memory.dmp  BazarLoaderVar1
      behavioral1/memory/1740-58-0x0000000180000000-0x0000000180017000-memory.dmp  BazarLoaderVar1
      behavioral1/memory/1740-62-0x00000000008D0000-0x00000000008E6000-memory.dmp  BazarLoaderVar1
  Unexpected DNS network traffic destination (64 IoCs)
    Network traffic to other servers than the configured DNS servers was detected on the DNS port.
    Processes:
      description     ioc
      Destination IP  163.172.185.51
      Destination IP  104.238.186.189
      Destination IP  96.47.228.108
      Destination IP  111.67.20.8
      Destination IP  104.37.195.178
      Destination IP  63.231.92.27
      Destination IP  66.70.211.246
      Destination IP  198.251.90.143
      Destination IP  46.28.207.199
      Destination IP  5.45.97.127
      Destination IP  45.32.160.206
      Destination IP  45.63.124.65
      Destination IP  178.17.170.179
      Destination IP  185.121.177.177
      Destination IP  192.99.85.244
      Destination IP  185.117.154.144
      Destination IP  158.69.160.164
      Destination IP  130.255.78.223
      Destination IP  46.28.207.199
      Destination IP  46.101.70.183
      Destination IP  185.117.154.144
      Destination IP  185.121.177.177
      Destination IP  81.2.241.148
      Destination IP  188.165.200.156
      Destination IP  89.18.27.167
      Destination IP  5.45.97.127
      Destination IP  139.59.23.241
      Destination IP  45.63.124.65
      Destination IP  169.239.202.202
      Destination IP  51.255.211.146
      Destination IP  107.172.42.186
      Destination IP  69.164.196.21
      Destination IP  87.98.175.85
      Destination IP  159.89.249.249
      Destination IP  178.17.170.179
      Destination IP  77.73.68.161
      Destination IP  87.98.175.85
      Destination IP  138.197.25.214
      Destination IP  5.135.183.146
      Destination IP  89.18.27.167
      Destination IP  193.183.98.66
      Destination IP  142.4.205.47
      Destination IP  104.37.195.178
      Destination IP  158.69.160.164
      Destination IP  63.231.92.27
      Destination IP  91.217.137.37
      Destination IP  45.32.160.206
      Destination IP  163.172.185.51
      Destination IP  159.89.249.249
      Destination IP  45.71.112.70
      Destination IP  82.141.39.32
      Destination IP  212.24.98.54
      Destination IP  217.12.210.54
      Destination IP  158.69.239.167
      Destination IP  51.255.48.78
      Destination IP  192.52.166.110
      Destination IP  66.70.211.246
      Destination IP  91.217.137.37
      Destination IP  94.177.171.127
      Destination IP  167.99.153.82
      Destination IP  142.4.204.111
      Destination IP  69.164.196.21
      Destination IP  31.171.251.118
      Destination IP  111.67.20.8
  Suspicious behavior: EnumeratesProcesses (1 IoCs)
    Processes:
      412483d8630f27d160d9baf8f9d2b4deeb510d0f351ce684e7c0619d26f1cc29.exe
        pid   process
        1740  412483d8630f27d160d9baf8f9d2b4deeb510d0f351ce684e7c0619d26f1cc29.exe