Analysis
max time kernel: 145s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-08-2022 21:02
Static task: static1
Behavioral task: behavioral1
  Sample: ce5ee2fd8aa4acda24baf6221b5de66220172da0eb312705936adc5b164cc052.dll
  Resource: win7-20220715-en
Behavioral task: behavioral2
  Sample: ce5ee2fd8aa4acda24baf6221b5de66220172da0eb312705936adc5b164cc052.dll
  Resource: win10v2004-20220721-en
General
Target: ce5ee2fd8aa4acda24baf6221b5de66220172da0eb312705936adc5b164cc052.dll
Size: 611KB
MD5: df96269b0242bdb6a06621696f5d31cb
SHA1: db4ececac3eb4d38c632a6f83f42666bce0070ae
SHA256: ce5ee2fd8aa4acda24baf6221b5de66220172da0eb312705936adc5b164cc052
SHA512: e3b17f0640be0fc109d6247bae58711583f42152bb29f887e9f5ca456518f70d687d793278f19fde24419ff34ff5888ead43bc00a0bddbb6994f36d19f956f83
Malware Config
Signatures

Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (1 IoC)
  resource                                                                    | yara_rule
  behavioral2/memory/1340-130-0x000001FC105C0000-0x000001FC105F8000-memory.dmp | BazarLoaderVar5

Blocklisted process makes network request (6 IoCs)
  Process: rundll32.exe
  flow | pid  | process
  45   | 1340 | rundll32.exe
  46   | 1340 | rundll32.exe
  47   | 1340 | rundll32.exe
  60   | 1340 | rundll32.exe
  61   | 1340 | rundll32.exe
  62   | 1340 | rundll32.exe

Tries to connect to .bazar domain (1 IoC)
  Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
  flow | ioc
  61   | reddew28c.bazar

Unexpected DNS network traffic destination (1 IoC)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  description    | ioc
  Destination IP | 130.61.64.122
Downloads
memory/1340-130-0x000001FC105C0000-0x000001FC105F8000-memory.dmp (filesize: 224KB)