bazarbackdoor | c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74

General

Target

c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe
Size

461KB
MD5

9776a22caf580541c8231e35e06b8423
SHA1

84250f1c3b526a88b260c8d8112cc0e92a7f71fb
SHA256

c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74
SHA512

0e073f7f8b810af8d913fcefe4bff40180b25ddd6f2f78246a831b89eae39ffc7ff2f1398cb4dd22a0e2c95bfc157c78ced9f76a0b0f26353520a33afb2ab537

Score

10^/10

bazarbackdoor bazarloader backdoor dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

BazarBackdoor 2 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

description	flow	ioc
HTTP URL	38	https://194.5.249.136/0095389875812637773378538013768309870088/2
HTTP URL	42	https://185.99.2.54/0095389875812637773378538013768309870088/2

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2344-130-0x0000000002050000-0x0000000002073000-memory.dmp	BazarLoaderVar1
behavioral2/memory/2344-134-0x0000000140000000-0x0000000140021000-memory.dmp	BazarLoaderVar1
behavioral2/memory/2344-138-0x00000000004A0000-0x00000000004C1000-memory.dmp	BazarLoaderVar1

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
300	ddehimdighiq.bazar
140	dcegjldhggjp.bazar
150	dcegjldhggjp.bazar
166	dcegjldhggjp.bazar
180	dcegjldhggjp.bazar
205	bdegjkbiggjo.bazar
243	bdegjkbiggjo.bazar
250	bdegjkbiggjo.bazar
347	ddegkmdiggkq.bazar
382	ddegkmdiggkq.bazar
403	bdfgilbihgip.bazar
424	bdfgilbihgip.bazar
368	ddegkmdiggkq.bazar
141	dcegjldhggjp.bazar
155	dcegjldhggjp.bazar
254	ddehimdighiq.bazar
273	ddehimdighiq.bazar
278	ddehimdighiq.bazar
299	ddehimdighiq.bazar
366	ddegkmdiggkq.bazar
369	ddegkmdiggkq.bazar
384	ddegkmdiggkq.bazar
131	dcegjldhggjp.bazar
170	dcegjldhggjp.bazar
224	bdegjkbiggjo.bazar
348	ddegkmdiggkq.bazar
125	dcegjldhggjp.bazar
151	dcegjldhggjp.bazar
177	dcegjldhggjp.bazar
292	ddehimdighiq.bazar
402	bdfgilbihgip.bazar
421	bdfgilbihgip.bazar
207	bdegjkbiggjo.bazar
237	bdegjkbiggjo.bazar
270	ddehimdighiq.bazar
283	ddehimdighiq.bazar
328	ddegkmdiggkq.bazar
128	dcegjldhggjp.bazar
133	dcegjldhggjp.bazar
145	dcegjldhggjp.bazar
147	dcegjldhggjp.bazar
398	bdfgilbihgip.bazar
324	ddegkmdiggkq.bazar
376	ddegkmdiggkq.bazar
183	bdegjkbiggjo.bazar
186	bdegjkbiggjo.bazar
218	bdegjkbiggjo.bazar
222	bdegjkbiggjo.bazar
294	ddehimdighiq.bazar
338	ddegkmdiggkq.bazar
399	bdfgilbihgip.bazar
129	dcegjldhggjp.bazar
192	bdegjkbiggjo.bazar
227	bdegjkbiggjo.bazar
304	ddehimdighiq.bazar
378	ddegkmdiggkq.bazar
401	bdfgilbihgip.bazar
408	bdfgilbihgip.bazar
341	ddegkmdiggkq.bazar
117	dcegjldhggjp.bazar
187	bdegjkbiggjo.bazar
248	bdegjkbiggjo.bazar
277	ddehimdighiq.bazar
280	ddehimdighiq.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	185.121.177.177
Destination IP	5.135.183.146
Destination IP	5.135.183.146
Destination IP	66.70.211.246
Destination IP	104.238.186.189
Destination IP	104.238.186.189
Destination IP	147.135.185.78
Destination IP	96.47.228.108
Destination IP	172.98.193.42
Destination IP	144.76.133.38
Destination IP	91.217.137.37
Destination IP	46.28.207.199
Destination IP	167.99.153.82
Destination IP	94.177.171.127
Destination IP	130.255.78.223
Destination IP	139.59.208.246
Destination IP	188.165.200.156
Destination IP	139.59.23.241
Destination IP	185.208.208.141
Destination IP	163.172.185.51
Destination IP	82.196.9.45
Destination IP	45.32.160.206
Destination IP	192.99.85.244
Destination IP	163.172.185.51
Destination IP	193.183.98.66
Destination IP	89.18.27.167
Destination IP	66.70.211.246
Destination IP	192.52.166.110
Destination IP	192.99.85.244
Destination IP	89.18.27.167
Destination IP	82.141.39.32
Destination IP	96.47.228.108
Destination IP	45.32.160.206
Destination IP	198.251.90.143
Destination IP	192.99.85.244
Destination IP	188.165.200.156
Destination IP	107.172.42.186
Destination IP	139.99.96.146
Destination IP	128.52.130.209
Destination IP	35.196.105.24
Destination IP	192.52.166.110
Destination IP	69.164.196.21
Destination IP	163.172.185.51
Destination IP	107.172.42.186
Destination IP	198.251.90.143
Destination IP	5.45.97.127
Destination IP	146.185.176.36
Destination IP	158.69.160.164
Destination IP	51.255.48.78
Destination IP	51.255.211.146
Destination IP	96.47.228.108
Destination IP	31.171.251.118
Destination IP	130.255.78.223
Destination IP	69.164.196.21
Destination IP	158.69.239.167
Destination IP	46.101.70.183
Destination IP	81.2.241.148
Destination IP	159.89.249.249
Destination IP	158.69.160.164
Destination IP	172.104.136.243
Destination IP	169.239.202.202
Destination IP	147.135.185.78
Destination IP	159.89.249.249
Destination IP	158.69.239.167

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe

pid process

2344 c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe

pid	process
2344	c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe

C:\Users\Admin\AppData\Local\Temp\c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe
"C:\Users\Admin\AppData\Local\Temp\c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2344-130-0x0000000002050000-0x0000000002073000-memory.dmp

Filesize
140KB

Download
memory/2344-134-0x0000000140000000-0x0000000140021000-memory.dmp

Filesize
132KB

Download
memory/2344-138-0x00000000004A0000-0x00000000004C1000-memory.dmp

Filesize
132KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads