General
-
Target
https://cdn.discordapp.com/attachments/920160935023362120/1016187578766073866/update.exe
-
Sample
220908-drykzsafel
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://cdn.discordapp.com/attachments/920160935023362120/1016187578766073866/update.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
https://cdn.discordapp.com/attachments/920160935023362120/1016187578766073866/update.exe
Resource
win10v2004-20220901-en
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\3548_1694113475\us_tv_and_film.txt
Targets
-
-
Target
https://cdn.discordapp.com/attachments/920160935023362120/1016187578766073866/update.exe
-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Bazar/Team9 Backdoor payload
-
Identifies VirtualBox via ACPI registry values (likely anti-VM)
-
Nirsoft
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Stops running service(s)
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-