Analysis
max time kernel: 151s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 07-07-2022 12:57
Static task: static1
Behavioral task: behavioral1
  Sample: c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe
  Resource: win10v2004-20220414-en
General
Target: c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe
Size: 461KB
MD5: 9776a22caf580541c8231e35e06b8423
SHA1: 84250f1c3b526a88b260c8d8112cc0e92a7f71fb
SHA256: c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74
SHA512: 0e073f7f8b810af8d913fcefe4bff40180b25ddd6f2f78246a831b89eae39ffc7ff2f1398cb4dd22a0e2c95bfc157c78ced9f76a0b0f26353520a33afb2ab537
Malware Config
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- BazarBackdoor (2 IoCs)
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  Processes:
  description: HTTP URL, flow: 38, ioc: https://194.5.249.136/0095389875812637773378538013768309870088/2
  description: HTTP URL, flow: 42, ioc: https://185.99.2.54/0095389875812637773378538013768309870088/2
- Bazar/Team9 Loader payload (3 IoCs)
  Processes:
  resource: behavioral2/memory/2344-130-0x0000000002050000-0x0000000002073000-memory.dmp, yara_rule: BazarLoaderVar1
  resource: behavioral2/memory/2344-134-0x0000000140000000-0x0000000140021000-memory.dmp, yara_rule: BazarLoaderVar1
  resource: behavioral2/memory/2344-138-0x00000000004A0000-0x00000000004C1000-memory.dmp, yara_rule: BazarLoaderVar1
- Tries to connect to .bazar domain (64 IoCs)
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Unexpected DNS network traffic destination (64 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid: 2344, process: c68fec389bc0d74b7d1d26ec422cfe59c082cbf961a411abcdba31ed4a6cdb74.exe