Analysis
- max time kernel: 600s
- max time network: 603s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-10-2022 14:49
Tasks
- Static task static1
- Behavioral task behavioral1: sample 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe, resource win7-20220812-en
- Behavioral task behavioral2: sample 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe, resource win10v2004-20220901-en
- Behavioral task behavioral3: sample 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe, resource win7-20220812-en
- Behavioral task behavioral4: sample 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe, resource win10v2004-20220812-en
General
- Target: 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
- Size: 580KB
- MD5: b7d245ea334e2c1818cb757d7ef1f592
- SHA1: c7411c8440593fac4b576b3d89504bf94b04ed1d
- SHA256: 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b
- SHA512: daf198057de8563b81014619308a405455a2a12b6dd0f9c02042614d10a7c6a4a190f610634089d96b141f710e19fd3627cdfa70f133e4d54078ad6bf3870acb
- SSDEEP: 6144:OJu7yDrEe9+FHM1sYr0JrU4ev9ZOh2At15jUR2EOjvktrYMZBxQTSAfGKEw:OJvD/Ys1l0JfW9H8C25jvMDZBxQ
Malware Config
Signatures
- BazarBackdoor (64 IoCs)
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  Process: 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
  flow / ioc:
  - zirabuo.bazar: flows 78, 77, 94, 99, 64, 82, 89, 103, 115, 88, 95, 118, 56, 63, 68, 76, 84, 124, 70, 117, 123, 121, 59, 65, 104, 108, 109, 93, 98, 120, 67, 72, 73, 85, 92, 119, 125, 74, 87, 102, 111, 113, 79, 100, 101, 105, 69, 71, 96, 97, 83, 106, 114, 90, 91, 112
  - Key created: \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root (process 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe)
  - zirabuo.bazar: flows 57, 75, 80, 86, 116, 122
  - HTTP URL: flow 44 https://85.143.221.85/api/v134
- Tries to connect to .bazar domain (64 IoCs)
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
  flow / ioc:
  - zirabuo.bazar: flows 58, 111, 64, 70, 83, 93, 97, 123, 66, 82, 104, 118, 119, 60, 89, 115, 80, 110, 113, 125, 71, 75, 78, 81, 85, 100, 116, 57, 103, 117, 121, 72, 94, 106, 120, 67, 68, 73, 86, 92, 105, 69, 77, 79, 90, 109, 124
  - HTTP URL: flow 44 https://85.143.221.85/api/v134
  - zirabuo.bazar: flows 62, 101, 107, 59, 61, 108, 122, 63, 65, 87, 95, 98, 102, 56, 74, 84
- Unexpected DNS network traffic destination (64 IoCs)
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
  description / ioc (Destination IP, in the order reported):
  91.217.137.37, 212.24.98.54, 162.248.241.94, 172.98.193.42, 50.3.82.215, 77.73.68.161, 172.104.136.243, 185.164.136.225, 82.141.39.32, 188.165.200.156,
  217.12.210.54, 91.217.137.37, 185.164.136.225, 66.70.211.246, 147.135.185.78, 51.254.25.115, 82.141.39.32, 104.238.186.189, 162.248.241.94, 31.171.251.118,
  185.208.208.141, 158.69.239.167, 82.141.39.32, 81.2.241.148, 147.135.185.78, 217.12.210.54, 193.183.98.66, 104.37.195.178, 91.217.137.37, 192.52.166.110,
  51.254.25.115, 192.52.166.110, 45.63.124.65, 147.135.185.78, 46.28.207.199, 128.52.130.209, 45.63.124.65, 96.47.228.108, 185.117.154.144, 185.121.177.177,
  104.37.195.178, 45.71.112.70, 138.197.25.214, 192.99.85.244, 139.59.208.246, 178.17.170.179, 46.101.70.183, 128.52.130.209, 94.177.171.127, 87.98.175.85,
  178.17.170.179, 104.37.195.178, 82.196.9.45, 51.255.48.78, 185.164.136.225, 185.164.136.225, 63.231.92.27, 138.197.25.214, 185.208.208.141, 147.135.185.78,
  89.35.39.64, 158.69.239.167, 167.99.153.82, 130.255.78.223
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes: 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe, 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
  pid / process:
  - 3916 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
  - 3916 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
  - 4212 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
  - 4212 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe"
  - BazarBackdoor
  - Suspicious use of SetWindowsHookEx
- C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe {1D2309A1-135F-42EF-B0DA-31D890EB3B03}
  - Suspicious use of SetWindowsHookEx