Analysis
max time kernel: 105s
max time network: 134s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted: 26-02-2023 01:34
Static task: static1
Behavioral task: behavioral1
  Sample: 0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe
  Resource: win10v2004-20230220-en
General
Target: 0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe
Size: 290KB
MD5: e28ae2f26a165ab891248f17b064f2e7
SHA1: 8ac67ed569b4675411c54ac05768eefff853854f
SHA256: 0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301
SHA512: ba26ca25af0f1a5a5d4ec9c7fa1ba64e395d4c0a44b7803399df7dd50497addaa01ebf65d691c1f0a0a87462f0216aea60b9f4a6b3bffdc7c9743dc9e667c5b6
SSDEEP: 6144:lCyhivbmvCsJY0SsBGUQIhUAZKlmRaHYEBB4HFUXL06Sh:l085JYN+DhUACEubBuHFg
Malware Config
Extracted: bazarloader
IP addresses:
  144.217.50.242
  5.39.63.103
  94.140.113.53
  185.163.45.95
Domains:
  reddew28c.bazar
  bluehail.bazar
  whitestorm9p.bazar
Signatures
Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: 0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe, cmd.exe
  description | pid | process | target process
  PID 5060 wrote to memory of 4328 | 5060 | 0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe | cmd.exe
  PID 5060 wrote to memory of 4328 | 5060 | 0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe | cmd.exe
  PID 4328 wrote to memory of 1096 | 4328 | cmd.exe | choice.exe
  PID 4328 wrote to memory of 1096 | 4328 | cmd.exe | choice.exe
  PID 4328 wrote to memory of 960 | 4328 | cmd.exe | 0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe
  PID 4328 wrote to memory of 960 | 4328 | cmd.exe | 0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe
Processes (PIDs taken from the WriteProcessMemory IoCs above; nesting follows the depth markers in the report)
1. C:\Users\Admin\AppData\Local\Temp\0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe (PID 5060)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe"
   Signature: Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\cmd.exe (PID 4328)
      Command line: cmd /c choice /n /c y /d y /t 8 & start "" "C:\Users\Admin\AppData\Local\Temp\0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe" ZF3bI6aD VI0rr2aG & exit
      Signature: Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\choice.exe (PID 1096)
         Command line: choice /n /c y /d y /t 8
      3. C:\Users\Admin\AppData\Local\Temp\0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe (PID 960)
         Command line: "C:\Users\Admin\AppData\Local\Temp\0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe" ZF3bI6aD VI0rr2aG
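The process tree is the most useful part of this report for detection: the sample spawns cmd.exe, which uses choice /t 8 as an 8-second sleep (no extra binary needed) and then relaunches the original executable with two arguments it was not started with. The six WriteProcessMemory IoCs line up with the three parent-to-child spawns in the tree (each listed twice), so on their own they do not establish injection; the delay-and-relaunch chain is the stronger signal. The following is an added example, not code from the report or the sandbox vendor, showing how to pick that chain out of process-creation events. The events are constructed to mirror the tree above (PIDs from the IoC table; the root's parent PID is not on the page and is left unset), and the two trailing benign events, the "timeout /t N" variant, and the regular expressions are assumptions of this example.

```python
"""Detect a cmd.exe chain that sleeps (choice/timeout /t N) and then starts an
executable, flagging the case where the started binary is cmd.exe's own parent.
Added example based on the process tree in the report; events are constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    """One process-creation event: pid, parent pid, image path, command line."""
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


SAMPLE = "0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\" + SAMPLE

# Constructed events modelled on the report's tree (PIDs from the WriteProcessMemory
# IoCs). The root's parent PID is not on the page (None). The last two events are
# benign noise added here to show what the rule must not match.
EVENTS = [
    ProcEvent(5060, None, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(4328, 5060, r"C:\Windows\SYSTEM32\cmd.exe",
              f'cmd /c choice /n /c y /d y /t 8 & start "" "{SAMPLE_PATH}" ZF3bI6aD VI0rr2aG & exit'),
    ProcEvent(1096, 4328, r"C:\Windows\system32\choice.exe", "choice /n /c y /d y /t 8"),
    ProcEvent(960, 4328, SAMPLE_PATH, f'"{SAMPLE_PATH}" ZF3bI6aD VI0rr2aG'),
    ProcEvent(2000, 800, r"C:\Windows\System32\cmd.exe", 'cmd /c choice /c yn /m "Continue?"'),
    ProcEvent(2001, 800, r"C:\Windows\System32\cmd.exe",
              r'cmd /c start "" "C:\Program Files\Tool\tool.exe" --update'),
]

# "choice ... /t N" as in the report, or "timeout /t N" (a generalisation assumed here,
# not seen on the page). [^&|]*? keeps the match inside one command of a & / | chain.
DELAY_RE = re.compile(r"\b(?:choice|timeout)\b[^&|]*?/t\s+(\d+)", re.IGNORECASE)
# start "<title>" "<quoted path>" <args up to the next & or |>
START_RE = re.compile(r'\bstart\b\s+"[^"]*"\s+"([^"]+)"\s*([^&|]*)', re.IGNORECASE)


def find_delayed_relaunch(events):
    """Return one finding per cmd.exe whose command line both sleeps via choice/timeout
    and starts an executable. self_relaunch is True when that executable is the image of
    cmd.exe's parent; relaunched_pid is the child that actually ran with that image."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        delay = DELAY_RE.search(e.cmdline)
        start = START_RE.search(e.cmdline)
        if delay is None or start is None:
            continue
        target, args = start.group(1), start.group(2).split()
        parent = by_pid.get(e.ppid) if e.ppid is not None else None
        self_relaunch = parent is not None and parent.image.lower() == target.lower()
        child = next((c for c in events
                      if c.ppid == e.pid and c.image.lower() == target.lower()), None)
        findings.append({
            "cmd_pid": e.pid,
            "delay_seconds": int(delay.group(1)),
            "target": target,
            "args": args,                       # arguments the relaunch adds
            "self_relaunch": self_relaunch,
            "relaunched_pid": child.pid if child else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_delayed_relaunch(EVENTS):
        print(f)
```

Run against the constructed events this yields a single finding for cmd.exe PID 4328: an 8-second delay, a relaunch of the parent's own image with the arguments ZF3bI6aD and VI0rr2aG, and PID 960 as the relaunched process. The two noise events do not match because one has no /t delay and the other has no delay at all. A rule built this way should key on the parent image equalling the start target rather than on the specific arguments, since the argument values will differ per sample.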