bazarbackdoor | 14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2 | Triage

Submit
Reports

Overview

overview

Static

static

14a6761696...d2.exe

windows7-x64

14a6761696...d2.exe

windows10-2004-x64

Sharing

General

Target

14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2
Size

42.0MB
Sample

221007-j6fxdacbek
MD5

72ca9af6a3d2af7560dc2b29dba4665f
SHA1

278d6e7c55894d25bb4ebd23215ebd7d78b408e2
SHA256

14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2
SHA512

406801496d7c26475e9b498f6363555e64344b5c0f3ff5bf9222c00310076759a35e52bc912e60305c95f479e2c8c4a34e667a4a3c77d087f2583368b43b2c89
SSDEEP

786432:Skoc/4rmLIVL0rG+HhqPw4n+4oJ4n5SMb7xcEI9pYQOMcW+DF+9A6ommn:SkZ/xxGIhqPPo+Soxq9pY/Pj+9AP

Score

10^/10

bazarbackdoor backdoor bootkit persistence

Static task

static1

Behavioral task

behavioral1

Sample

14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe

Resource

win7-20220901-en

bazarbackdoor backdoor bootkit persistence

windows7-x64

11 signatures

150 seconds

Behavioral task

behavioral2

Sample

14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2.exe

Resource

win10v2004-20220812-en

bazarbackdoor backdoor bootkit persistence

windows10-2004-x64

11 signatures

150 seconds

Malware Config

Targets

- Target
  
  14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2
- Size
  
  42.0MB
- MD5
  
  72ca9af6a3d2af7560dc2b29dba4665f
- SHA1
  
  278d6e7c55894d25bb4ebd23215ebd7d78b408e2
- SHA256
  
  14a67616965e7a5aa56509a4d7bb727cdd3d41390d854695be84cda61fd588d2
- SHA512
  
  406801496d7c26475e9b498f6363555e64344b5c0f3ff5bf9222c00310076759a35e52bc912e60305c95f479e2c8c4a34e667a4a3c77d087f2583368b43b2c89
- SSDEEP
  
  786432:Skoc/4rmLIVL0rG+HhqPw4n+4oJ4n5SMb7xcEI9pYQOMcW+DF+9A6ommn:SkZ/xxGIhqPPo+Soxq9pY/Pj+9AP
Score

10^/10

bazarbackdoor backdoor bootkit persistence
- BazarBackdoor
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  backdoor bazarbackdoor
- Bazar/Team9 Backdoor payload
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bazarbackdoorbackdoorbootkitpersistence

behavioral2

bazarbackdoorbackdoorbootkitpersistence

© 2018-2024

Terms | Privacy