bazarbackdoor | 7ac2e66dceae21d1f85037ce35960df034e0b47b142896521d7780926445eb50

General

Target

1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
Size

580KB
MD5

b7d245ea334e2c1818cb757d7ef1f592
SHA1

c7411c8440593fac4b576b3d89504bf94b04ed1d
SHA256

1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b
SHA512

daf198057de8563b81014619308a405455a2a12b6dd0f9c02042614d10a7c6a4a190f610634089d96b141f710e19fd3627cdfa70f133e4d54078ad6bf3870acb
SSDEEP

6144:OJu7yDrEe9+FHM1sYr0JrU4ev9ZOh2At15jUR2EOjvktrYMZBxQTSAfGKEw:OJvD/Ys1l0JfW9H8C25jvMDZBxQ

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor 64 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

Processes:

1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe

flow	ioc
78	zirabuo.bazar
77	zirabuo.bazar
94	zirabuo.bazar
99	zirabuo.bazar
64	zirabuo.bazar
82	zirabuo.bazar
89	zirabuo.bazar
103	zirabuo.bazar
115	zirabuo.bazar
88	zirabuo.bazar
95	zirabuo.bazar
118	zirabuo.bazar
56	zirabuo.bazar
63	zirabuo.bazar
68	zirabuo.bazar
76	zirabuo.bazar
84	zirabuo.bazar
124	zirabuo.bazar
70	zirabuo.bazar
117	zirabuo.bazar
123	zirabuo.bazar
121	zirabuo.bazar
59	zirabuo.bazar
65	zirabuo.bazar
104	zirabuo.bazar
108	zirabuo.bazar
109	zirabuo.bazar
93	zirabuo.bazar
98	zirabuo.bazar
120	zirabuo.bazar
67	zirabuo.bazar
72	zirabuo.bazar
73	zirabuo.bazar
85	zirabuo.bazar
92	zirabuo.bazar
119	zirabuo.bazar
125	zirabuo.bazar
74	zirabuo.bazar
87	zirabuo.bazar
102	zirabuo.bazar
111	zirabuo.bazar
113	zirabuo.bazar
79	zirabuo.bazar
100	zirabuo.bazar
101	zirabuo.bazar
105	zirabuo.bazar
69	zirabuo.bazar
71	zirabuo.bazar
96	zirabuo.bazar
97	zirabuo.bazar
83	zirabuo.bazar
106	zirabuo.bazar
114	zirabuo.bazar
90	zirabuo.bazar
91	zirabuo.bazar
112	zirabuo.bazar
Key created	\REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root	1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
57	zirabuo.bazar
75	zirabuo.bazar
80	zirabuo.bazar
86	zirabuo.bazar
116	zirabuo.bazar
122	zirabuo.bazar
HTTP URL	44	https://85.143.221.85/api/v134

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
58	zirabuo.bazar
111	zirabuo.bazar
64	zirabuo.bazar
70	zirabuo.bazar
83	zirabuo.bazar
93	zirabuo.bazar
97	zirabuo.bazar
123	zirabuo.bazar
66	zirabuo.bazar
82	zirabuo.bazar
104	zirabuo.bazar
118	zirabuo.bazar
119	zirabuo.bazar
60	zirabuo.bazar
89	zirabuo.bazar
115	zirabuo.bazar
80	zirabuo.bazar
110	zirabuo.bazar
113	zirabuo.bazar
125	zirabuo.bazar
71	zirabuo.bazar
75	zirabuo.bazar
78	zirabuo.bazar
81	zirabuo.bazar
85	zirabuo.bazar
100	zirabuo.bazar
116	zirabuo.bazar
57	zirabuo.bazar
103	zirabuo.bazar
117	zirabuo.bazar
121	zirabuo.bazar
72	zirabuo.bazar
94	zirabuo.bazar
106	zirabuo.bazar
120	zirabuo.bazar
67	zirabuo.bazar
68	zirabuo.bazar
73	zirabuo.bazar
86	zirabuo.bazar
92	zirabuo.bazar
105	zirabuo.bazar
69	zirabuo.bazar
77	zirabuo.bazar
79	zirabuo.bazar
90	zirabuo.bazar
109	zirabuo.bazar
124	zirabuo.bazar
HTTP URL	44	https://85.143.221.85/api/v134
62	zirabuo.bazar
101	zirabuo.bazar
107	zirabuo.bazar
59	zirabuo.bazar
61	zirabuo.bazar
108	zirabuo.bazar
122	zirabuo.bazar
63	zirabuo.bazar
65	zirabuo.bazar
87	zirabuo.bazar
95	zirabuo.bazar
98	zirabuo.bazar
102	zirabuo.bazar
56	zirabuo.bazar
74	zirabuo.bazar
84	zirabuo.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	91.217.137.37
Destination IP	212.24.98.54
Destination IP	162.248.241.94
Destination IP	172.98.193.42
Destination IP	50.3.82.215
Destination IP	77.73.68.161
Destination IP	172.104.136.243
Destination IP	185.164.136.225
Destination IP	82.141.39.32
Destination IP	188.165.200.156
Destination IP	217.12.210.54
Destination IP	91.217.137.37
Destination IP	185.164.136.225
Destination IP	66.70.211.246
Destination IP	147.135.185.78
Destination IP	51.254.25.115
Destination IP	82.141.39.32
Destination IP	104.238.186.189
Destination IP	162.248.241.94
Destination IP	31.171.251.118
Destination IP	185.208.208.141
Destination IP	158.69.239.167
Destination IP	82.141.39.32
Destination IP	81.2.241.148
Destination IP	147.135.185.78
Destination IP	217.12.210.54
Destination IP	193.183.98.66
Destination IP	104.37.195.178
Destination IP	91.217.137.37
Destination IP	192.52.166.110
Destination IP	51.254.25.115
Destination IP	192.52.166.110
Destination IP	45.63.124.65
Destination IP	147.135.185.78
Destination IP	46.28.207.199
Destination IP	128.52.130.209
Destination IP	45.63.124.65
Destination IP	96.47.228.108
Destination IP	185.117.154.144
Destination IP	185.121.177.177
Destination IP	104.37.195.178
Destination IP	45.71.112.70
Destination IP	138.197.25.214
Destination IP	192.99.85.244
Destination IP	139.59.208.246
Destination IP	178.17.170.179
Destination IP	46.101.70.183
Destination IP	128.52.130.209
Destination IP	94.177.171.127
Destination IP	87.98.175.85
Destination IP	178.17.170.179
Destination IP	104.37.195.178
Destination IP	82.196.9.45
Destination IP	51.255.48.78
Destination IP	185.164.136.225
Destination IP	185.164.136.225
Destination IP	63.231.92.27
Destination IP	138.197.25.214
Destination IP	185.208.208.141
Destination IP	147.135.185.78
Destination IP	89.35.39.64
Destination IP	158.69.239.167
Destination IP	167.99.153.82
Destination IP	130.255.78.223

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe

pid	process
3916	1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
3916	1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
4212	1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
4212	1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
"C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe"
1⤵
- BazarBackdoor
- Suspicious use of SetWindowsHookEx
PID:3916

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe {1D2309A1-135F-42EF-B0DA-31D890EB3B03}
1⤵
- Suspicious use of SetWindowsHookEx
PID:4212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3916-132-0x0000000003D30000-0x0000000003D60000-memory.dmp

Filesize
192KB

Download
memory/3916-139-0x00000000020B0000-0x00000000020DB000-memory.dmp

Filesize
172KB

Download
memory/4212-140-0x0000000002220000-0x0000000002250000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads