bazarbackdoor | 091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c | Triage

Submit
Reports

Overview

overview

Static

static

091c42ee0e...8c.exe

windows7-x64

091c42ee0e...8c.exe

windows10-2004-x64

Sharing

General

Target

091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c
Size

41.3MB
Sample

221006-e927kagda5
MD5

e25c7282f21266df76e69d925a0d0d3f
SHA1

1900f2d4aafc22c57b0c111fe0c000d71a72f0e3
SHA256

091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c
SHA512

a116d9fc6403d7a9f3b1d7887907a51c339ec532095ec1423cd790533616de87129df70d26fe34064bef0e6f093ad8771c407992d0dfc4f8e0aada733028e960
SSDEEP

786432:wPxC/j8QjiFJCenX2+X0WRWWyfQIWV8RGLmK4gh1BlYOc2mH5v:aAj4JCEXjydWiGLmLuWOcBZ

Score

10^/10

bazarbackdoor backdoor bootkit persistence

Static task

static1

Behavioral task

behavioral1

Sample

091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c.exe

Resource

win7-20220812-en

bazarbackdoor backdoor bootkit persistence

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c.exe

Resource

win10v2004-20220901-en

bazarbackdoor backdoor bootkit persistence

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c
- Size
  
  41.3MB
- MD5
  
  e25c7282f21266df76e69d925a0d0d3f
- SHA1
  
  1900f2d4aafc22c57b0c111fe0c000d71a72f0e3
- SHA256
  
  091c42ee0e407b9f2b849cb6003f97be6d27c06026ccadcc4100ae6e88744c8c
- SHA512
  
  a116d9fc6403d7a9f3b1d7887907a51c339ec532095ec1423cd790533616de87129df70d26fe34064bef0e6f093ad8771c407992d0dfc4f8e0aada733028e960
- SSDEEP
  
  786432:wPxC/j8QjiFJCenX2+X0WRWWyfQIWV8RGLmK4gh1BlYOc2mH5v:aAj4JCEXjydWiGLmLuWOcBZ
Score

10^/10

bazarbackdoor backdoor bootkit persistence
- BazarBackdoor
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  backdoor bazarbackdoor
- Bazar/Team9 Backdoor payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bazarbackdoorbackdoorbootkitpersistence

behavioral2

bazarbackdoorbackdoorbootkitpersistence

© 2018-2024

Terms | Privacy