Malware Analysis Report

2025-01-02 12:03

Sample ID 221025-rwjvaachg9
Target 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.zip
SHA256 7ac2e66dceae21d1f85037ce35960df034e0b47b142896521d7780926445eb50
Tags
bazarbackdoor backdoor
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7ac2e66dceae21d1f85037ce35960df034e0b47b142896521d7780926445eb50

Threat Level: Known bad

The file 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.zip was found to be: Known bad.

Malicious Activity Summary

bazarbackdoor backdoor

BazarBackdoor

Tries to connect to .bazar domain

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-10-25 14:32

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-25 14:32

Reported

2022-10-25 14:35

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe | N/A
HTTP URL | https://85.143.221.85/api/v134 | N/A | N/A

Tries to connect to .bazar domain

Description | Indicator | Process | Target
HTTP URL | https://85.143.221.85/api/v134 | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe

"C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe"

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe {8F61E2C1-16BA-44C7-BE5E-8EB6137830B8}

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | google.com | udp
US | 195.123.241.68:443 | | tcp
NL | 142.250.179.142:443 | google.com | tcp
US | 195.123.241.68:443 | | tcp
US | 195.123.241.68:443 | | tcp
US | 195.123.241.175:443 | | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 195.123.241.175:443 | | tcp
US | 52.168.117.170:443 | | tcp
US | 195.123.241.175:443 | | tcp
US | 93.184.221.240:80 | | tcp
RU | 85.143.221.85:443 | 85.143.221.85 | tcp
RU | 82.146.37.128:443 | | tcp
RU | 82.146.37.128:443 | | tcp
RU | 82.146.37.128:443 | | tcp
UZ | 45.138.158.41:443 | | tcp
UZ | 45.138.158.41:443 | | tcp
UZ | 45.138.158.41:443 | | tcp
GB | 37.220.6.126:443 | | tcp

Files

memory/544-132-0x0000000002100000-0x0000000002130000-memory.dmp

memory/544-139-0x0000000000610000-0x000000000063B000-memory.dmp

memory/4708-140-0x00000000020C0000-0x00000000020F0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2022-10-25 14:32

Reported

2022-10-25 14:35

Platform

win7-20220901-en

Max time kernel

130s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe

"C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe"

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe {35B42401-D205-4A5C-8F5F-B8DB86EED8C8}

Network

Country | Destination | Domain | Proto
US | 195.123.241.68:443 | | tcp
US | 195.123.241.68:443 | | tcp
US | 195.123.241.68:443 | | tcp
US | 8.8.8.8:53 | google.com | udp
NL | 142.250.179.142:443 | google.com | tcp
US | 195.123.241.68:443 | | tcp
US | 195.123.241.68:443 | | tcp
US | 195.123.241.68:443 | | tcp
US | 195.123.241.175:443 | | tcp
US | 195.123.241.175:443 | | tcp
US | 195.123.241.175:443 | | tcp
US | 195.123.241.175:443 | | tcp
US | 195.123.241.175:443 | | tcp
US | 195.123.241.175:443 | | tcp

Files

memory/1696-54-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-10-25 14:32

Reported

2022-10-25 14:35

Platform

win10v2004-20220812-en

Max time kernel

131s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe | N/A
HTTP URL | https://85.143.221.85/api/v134 | N/A | N/A

Tries to connect to .bazar domain

Description | Indicator | Process | Target
HTTP URL | https://85.143.221.85/api/v134 | N/A | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe

"C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe"

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe {7A35155D-7D35-42DA-9F1A-FE5B303EDD8F}

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | google.com | udp
NL | 142.250.179.142:443 | google.com | tcp
US | 195.123.241.68:443 | | tcp
US | 195.123.241.68:443 | | tcp
US | 195.123.241.68:443 | | tcp
US | 195.123.241.175:443 | | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 195.123.241.175:443 | | tcp
IE | 13.69.239.72:443 | | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 195.123.241.175:443 | | tcp
RU | 85.143.221.85:443 | 85.143.221.85 | tcp
RU | 82.146.37.128:443 | | tcp
RU | 82.146.37.128:443 | | tcp
RU | 82.146.37.128:443 | | tcp
UZ | 45.138.158.41:443 | | tcp
UZ | 45.138.158.41:443 | | tcp
UZ | 45.138.158.41:443 | | tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-25 14:32

Reported

2022-10-25 14:35

Platform

win7-20220812-en

Max time kernel

132s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe

"C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe"

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe

C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe {A624047B-9C22-4A18-A38C-62BA89EFF548}

Network

Country | Destination | Domain | Proto
US | 195.123.241.68:443 | | tcp
US | 195.123.241.68:443 | | tcp
US | 195.123.241.68:443 | | tcp
US | 8.8.8.8:53 | google.com | udp
NL | 142.250.179.142:443 | google.com | tcp
US | 195.123.241.68:443 | | tcp
US | 195.123.241.68:443 | | tcp
US | 195.123.241.68:443 | | tcp
US | 195.123.241.175:443 | | tcp
US | 195.123.241.175:443 | | tcp
US | 195.123.241.175:443 | | tcp
US | 195.123.241.175:443 | | tcp
US | 195.123.241.175:443 | | tcp
US | 195.123.241.175:443 | | tcp

Files

memory/1388-54-0x000007FEFC141000-0x000007FEFC143000-memory.dmp

memory/1388-55-0x00000000003B0000-0x00000000003E0000-memory.dmp

memory/1388-62-0x0000000000350000-0x000000000037B000-memory.dmp

memory/652-64-0x0000000000370000-0x00000000003A0000-memory.dmp