Analysis Overview
SHA256: 7ac2e66dceae21d1f85037ce35960df034e0b47b142896521d7780926445eb50
Threat Level: Known bad
The file 1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.zip was found to be: Known bad.
Malicious Activity Summary
BazarBackdoor
Tries to connect to .bazar domain
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2022-10-25 14:32
Signatures
Analysis: behavioral2
Detonation Overview
Submitted: 2022-10-25 14:32
Reported: 2022-10-25 14:35
Platform: win10v2004-20220812-en
Max time kernel: 149s
Max time network: 153s
Command Line
Signatures
BazarBackdoor
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe | N/A |
| HTTP URL | https://85.143.221.85/api/v134 | N/A | N/A |
Tries to connect to .bazar domain
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP URL | https://85.143.221.85/api/v134 | N/A | N/A |
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
"C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe"
C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe {8F61E2C1-16BA-44C7-BE5E-8EB6137830B8}
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | google.com | udp |
| US | 195.123.241.68:443 | | tcp |
| NL | 142.250.179.142:443 | google.com | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 52.168.117.170:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| RU | 85.143.221.85:443 | 85.143.221.85 | tcp |
| RU | 82.146.37.128:443 | | tcp |
| RU | 82.146.37.128:443 | | tcp |
| RU | 82.146.37.128:443 | | tcp |
| UZ | 45.138.158.41:443 | | tcp |
| UZ | 45.138.158.41:443 | | tcp |
| UZ | 45.138.158.41:443 | | tcp |
| GB | 37.220.6.126:443 | | tcp |
Files
memory/544-132-0x0000000002100000-0x0000000002130000-memory.dmp
memory/544-139-0x0000000000610000-0x000000000063B000-memory.dmp
memory/4708-140-0x00000000020C0000-0x00000000020F0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted: 2022-10-25 14:32
Reported: 2022-10-25 14:35
Platform: win7-20220901-en
Max time kernel: 130s
Max time network: 144s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe"
C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe
C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe {35B42401-D205-4A5C-8F5F-B8DB86EED8C8}
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:443 | google.com | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
Files
memory/1696-54-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted: 2022-10-25 14:32
Reported: 2022-10-25 14:35
Platform: win10v2004-20220812-en
Max time kernel: 131s
Max time network: 149s
Command Line
Signatures
BazarBackdoor
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe | N/A |
| HTTP URL | https://85.143.221.85/api/v134 | N/A | N/A |
Tries to connect to .bazar domain
| Description | Indicator | Process | Target |
|---|---|---|---|
| HTTP URL | https://85.143.221.85/api/v134 | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe
"C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe"
C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe
C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b_unpacked.exe {7A35155D-7D35-42DA-9F1A-FE5B303EDD8F}
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:443 | google.com | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| IE | 13.69.239.72:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| RU | 85.143.221.85:443 | 85.143.221.85 | tcp |
| RU | 82.146.37.128:443 | | tcp |
| RU | 82.146.37.128:443 | | tcp |
| RU | 82.146.37.128:443 | | tcp |
| UZ | 45.138.158.41:443 | | tcp |
| UZ | 45.138.158.41:443 | | tcp |
| UZ | 45.138.158.41:443 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted: 2022-10-25 14:32
Reported: 2022-10-25 14:35
Platform: win7-20220812-en
Max time kernel: 132s
Max time network: 145s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
Processes
C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
"C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe"
C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe
C:\Users\Admin\AppData\Local\Temp\1a19ad73601c5636654ea6b3167caba9de1c572ab2632b87ce9d702d0dcacf0b.exe {A624047B-9C22-4A18-A38C-62BA89EFF548}
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:443 | google.com | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.68:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
| US | 195.123.241.175:443 | | tcp |
Files
memory/1388-54-0x000007FEFC141000-0x000007FEFC143000-memory.dmp
memory/1388-55-0x00000000003B0000-0x00000000003E0000-memory.dmp
memory/1388-62-0x0000000000350000-0x000000000037B000-memory.dmp
memory/652-64-0x0000000000370000-0x00000000003A0000-memory.dmp