General
-
Target
Roblox_installer_38903555.msi.7z
-
Size
3.4MB
-
Sample
230224-zamytaag36
-
MD5
6c78e5e988d250c927565ce306143d87
-
SHA1
27b458342a60936ef489d076f5ab8ce837e9492f
-
SHA256
96f064469322b8361b430624d9e06885c7244c25341ad5b7b5af266705983a65
-
SHA512
44ccfd3cdc4cb48d2b38eedaccfa71154524f0f566540dc0a620988fe42544dd70adfe6da0c316d8764b8f0cfd1728b9fd716139315f456e173fb1ba420d5b33
-
SSDEEP
98304:tonjv75bc0ZGA3EVMVCNSm/CLQq86320kj:tMjTtDgCLP86
Malware Config
Targets
-
-
Target
Roblox_installer_38903555.msi
-
Size
8.8MB
-
MD5
caa9a8ab5daaf0dfe2f2ed89b4eaa3c2
-
SHA1
32732289875d0e0c3c637154652d6398321aa148
-
SHA256
442fb8ec2ae90d2a97a736703ff36514311c4919180de8c84fc0d228e1b77f2c
-
SHA512
716324e84fa4574db86cc70c002cdcc701a898fa2a24db18dfab86932aa4b8a3b5e35898b383567624bee37049609e3b3b6eb4ac8eab02700673db787507bcfb
-
SSDEEP
98304:cY/QuAaeIMInShWhxjxMpcY/uPAueEb9Vr3rDNebDpRFoEjpcYld0Aoh7ehUsuFu:HShWhxFuKbLrNeblo1e
Score10/10-
BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Bazar/Team9 Backdoor payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Registers COM server for autorun
-
Adds Run key to start application
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-