bazarbackdoor | 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6 | Triage

Submit
Reports

Overview

overview

Static

static

jre-8u351-...64.exe

windows10-2004-x64

Resubmissions

17-11-2022 16:29

221117-tzee3sah7x 10

17-11-2022 16:19

221117-tsnp6seh65 10

Sharing

General

Target

jre-8u351-windows-x64.exe
Size

84.5MB
Sample

221117-tzee3sah7x
MD5

7542ec421a2f6e90751e8b64c22e0542
SHA1

d207d221a28ede5c2c8415f82c555989aa7068ba
SHA256

188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6
SHA512

8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc
SSDEEP

1572864:ugyqUvFZpZDQBTgcJ5pWuqHRAOLut/+EDSSXXfDS2ZVw:ugzUnvDHq5pW1xAwutGEDxXXfGP

Score

10^/10

bazarbackdoor adware backdoor persistence stealer upx

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

jre-8u351-windows-x64.exe

Resource

win10v2004-20221111-en

bazarbackdoor adware backdoor persistence stealer upx

windows10-2004-x64

27 signatures

1800 seconds

Malware Config

Targets

- Target
  
  jre-8u351-windows-x64.exe
- Size
  
  84.5MB
- MD5
  
  7542ec421a2f6e90751e8b64c22e0542
- SHA1
  
  d207d221a28ede5c2c8415f82c555989aa7068ba
- SHA256
  
  188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6
- SHA512
  
  8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc
- SSDEEP
  
  1572864:ugyqUvFZpZDQBTgcJ5pWuqHRAOLut/+EDSSXXfDS2ZVw:ugzUnvDHq5pW1xAwutGEDxXXfGP
Score

10^/10

bazarbackdoor adware backdoor persistence stealer upx
- BazarBackdoor
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  backdoor bazarbackdoor
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Bazar/Team9 Backdoor payload
- Blocklisted process makes network request
- Executes dropped EXE
- Registers COM server for autorun
  persistence
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Installs/modifies Browser Helper Object
  BHOs are DLL modules which act as plugins for Internet Explorer.
  stealer adware
- Drops file in System32 directory
behavioral1

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Browser Extensions

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bazarbackdooradwarebackdoorpersistencestealerupx

© 2018-2024

Terms | Privacy