General

  • Target

    321e2eca55e2f54e3ea551cffbadc8ed6b89a26e9753b35a0aeb5f1e7df69a71

  • Size

    817KB

  • Sample

    220510-wdr56adgg8

  • MD5

    1f2b3571351d122ac8972987a16e1d50

  • SHA1

    e6d8c7f34d23677532686371555a1ae0899a2d4b

  • SHA256

    321e2eca55e2f54e3ea551cffbadc8ed6b89a26e9753b35a0aeb5f1e7df69a71

  • SHA512

    cfdd04f49a5e9ba208e94c2aa91560b8407ca5c9de0537675406223634813cd4d47e34ff182b8b59b47daf42b3e382e1a6fe9ce0ba7a97ae59fc51e3be3f9fc8

Malware Config

Targets

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • suricata: ET MALWARE BAZAR CnC Domain in DNS Lookup

    • suricata: ET MALWARE Win32/BazarLoader Activity (GET)

    • Tries to connect to .bazar domain

      Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

    • Unexpected DNS network traffic destination

      Network traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
