Analysis

max time kernel: 600s
max time network: 603s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2022 21:56

Static task: static1

Behavioral task: behavioral1
Sample: 35683ac5bbcc63eb33d552878d02ff44582161d1ea1ff969b14ea326083ea780.exe
Resource: win7-20220812-en

Behavioral task: behavioral2
Sample: 35683ac5bbcc63eb33d552878d02ff44582161d1ea1ff969b14ea326083ea780.exe
Resource: win10v2004-20220812-en
General

Target: 35683ac5bbcc63eb33d552878d02ff44582161d1ea1ff969b14ea326083ea780.exe
Size: 336KB
MD5: c6502d4dd27a434167686bfa4d183e89
SHA1: bddbceefe4185693ef9015d0a535eb7e034b9ec3
SHA256: 35683ac5bbcc63eb33d552878d02ff44582161d1ea1ff969b14ea326083ea780
SHA512: e7958bbb238f6e484683e876d42e15ebea04ce00cedb7d377aec77eb008e4389f7e91454d9503ed5558c59c2bfbaf71530c8970e1e3a7ebe032ca8ba699c3ed9
SSDEEP: 6144:xgITgAwvbsnWEwqVCA1jxlK11wdkWyloi/DyO:xgr/EwSCA1jXK1im/DyO
Malware Config
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3628-132-0x0000000000800000-0x000000000081F000-memory.dmp | BazarLoaderVar1
behavioral2/memory/3628-136-0x00000000020E0000-0x00000000020FC000-memory.dmp | BazarLoaderVar1
behavioral2/memory/3628-140-0x00000000004E0000-0x00000000004FC000-memory.dmp | BazarLoaderVar1

Tries to connect to .bazar domain (64 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Unexpected DNS network traffic destination (64 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
3628 | 35683ac5bbcc63eb33d552878d02ff44582161d1ea1ff969b14ea326083ea780.exe
3628 | 35683ac5bbcc63eb33d552878d02ff44582161d1ea1ff969b14ea326083ea780.exe