Description
Detected loader normally used to deploy BazarBackdoor malware.
1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb
General
Target
Size
Sample
1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb
550KB
220508-x77y5sbcal
Score
10 /10
MD5
SHA1
SHA256
SHA512
aa569a58ad06c7cbdb4587f0915bee26
9eea511d098b34a284508f45e69e3fe67fd74f8d
1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb
4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337
Malware Config
Targets
Target
MD5
Filesize
1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb
aa569a58ad06c7cbdb4587f0915bee26
550KB
Score
10/10
SHA1
SHA256
SHA512
9eea511d098b34a284508f45e69e3fe67fd74f8d
1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb
4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337
Tags
Signatures
-
Bazar Loader
-
Bazar/Team9 Loader payload
-
Executes dropped EXE
-
Tries to connect to .bazar domain
Description
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Loads dropped DLL
-
Unexpected DNS network traffic destination
Description
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application
Tags
TTPs
Related Tasks
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Tasks