bazarbackdoor | cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b | Triage

Submit
Reports

Overview

overview

Static

static

8

cb4f741e2e...5b.exe

windows7-x64

cb4f741e2e...5b.exe

windows10-2004-x64

Sharing

General

Target

cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b
Size

43.6MB
Sample

221003-f6jrgsbahm
MD5

5db9b584c3fceaaf17467727ea35a972
SHA1

9e95d8d396921f03853c4a550111d5e20a9b99c0
SHA256

cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b
SHA512

d02e0ba321965cb9c1667677758aad8ed1c7f2ef6c682ad60a795f0050c40b265754065d59c85b08baa68e060c49ecc2535e2e81a8b562848337b3269fab792a
SSDEEP

786432:Kx+p5kDn/qyNvZBB3kGBADni0M7DtuephMHr4zEh2lpDLqW8LpdL:Kx+p56RNxBBeDC78e0Hr4oAjqW8Lp9

Score

10^/10

bazarbackdoor backdoor bootkit persistence upx

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe

Resource

win7-20220812-en

bazarbackdoor backdoor bootkit persistence upx

windows7-x64

12 signatures

150 seconds

Behavioral task

behavioral2

Sample

cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b.exe

Resource

win10v2004-20220812-en

bazarbackdoor backdoor bootkit persistence upx

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b
- Size
  
  43.6MB
- MD5
  
  5db9b584c3fceaaf17467727ea35a972
- SHA1
  
  9e95d8d396921f03853c4a550111d5e20a9b99c0
- SHA256
  
  cb4f741e2e9df6f7c011e48bd33bf3da3ddd6b091bc9ffe1b0420f0f3a39345b
- SHA512
  
  d02e0ba321965cb9c1667677758aad8ed1c7f2ef6c682ad60a795f0050c40b265754065d59c85b08baa68e060c49ecc2535e2e81a8b562848337b3269fab792a
- SSDEEP
  
  786432:Kx+p5kDn/qyNvZBB3kGBADni0M7DtuephMHr4zEh2lpDLqW8LpdL:Kx+p56RNxBBeDC78e0Hr4oAjqW8Lp9
Score

10^/10

bazarbackdoor backdoor bootkit persistence upx
- BazarBackdoor
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  backdoor bazarbackdoor
- Bazar/Team9 Backdoor payload
- Executes dropped EXE
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bazarbackdoorbackdoorbootkitpersistenceupx

behavioral2

bazarbackdoorbackdoorbootkitpersistenceupx

© 2018-2024

Terms | Privacy