Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-07-2022 06:04
Behavioral task behavioral1: Sample core3_1.dll, Resource win7-20220715-en
Behavioral task behavioral2: Sample core3_1.dll, Resource win10v2004-20220414-en
General
Target: core3_1.dll
Size: 214KB
MD5: 6a94e3723ca817d1af955d2ed03062bc
SHA1: 0f3fbe7fbb072f30cad64e825811a9f5f323f3bc
SHA256: c924d04db0dc4f4591c149b5ce9ea06f9bcc0628c9294b84cad522456f1c4cdd
SHA512: 87ddc3615491d99350c14b0c8214d1d7c200072ae8f74ab9af3cc0128fd78017b4c5d053b06b4bb2f6f05e1bb1afba662e0ccd673b910f5979ae3893dff4b658
Malware Config
Signatures
Bazar Loader 64 IoCs
Detected loader normally used to deploy BazarBackdoor malware.
Blocklisted process makes network request 64 IoCs
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.