General

  • Target

    iTunesSetup64BitsPorLimonTouchYT.exe

  • Size

    264.9MB

  • Sample

    230310-tryhzsgc5w

  • MD5

    f50aeff9ee0031bfb28c860ea2c0f3ad

  • SHA1

    7b317da13c3d0e463f73c27123a69379c4dbfd9d

  • SHA256

    666dcc84d26ea7ba79228f744f9caeac1192a9f274a5e795cc9e9352d41d80f3

  • SHA512

    4dddad8a53a09dc97b55c2d091cfc7f743a73398632301d578c53d1d7d32941b79a6f2eea6af5fa260f2e8ff767bc98aa73abda5a5f10964513462e792ce3342

  • SSDEEP

    6291456:rvKMpdD1mWqV32SJu8bkTiV0mIskk1oxic34VY3OyA:rv5q5bvPTk10mO
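To check a file pulled from a host or a mail gateway against the hashes above, the script below recomputes MD5, SHA-1, SHA-256 and SHA-512 in one streaming pass (the sample is roughly 265 MB, so reading it whole is the wrong default) and reports which of the listed values match. This is an added example written for this page, not code from the sandbox or from the report; the hash constants are copied from the General section, and the `b"abc"` file used in the demo is a constructed stand-in, not the sample itself.

```python
"""Compare a local file against the hashes listed in this sandbox report."""
import hashlib
import os
import tempfile

# Hashes copied from the report for iTunesSetup64BitsPorLimonTouchYT.exe.
REPORT_HASHES = {
    "md5": "f50aeff9ee0031bfb28c860ea2c0f3ad",
    "sha1": "7b317da13c3d0e463f73c27123a69379c4dbfd9d",
    "sha256": "666dcc84d26ea7ba79228f744f9caeac1192a9f274a5e795cc9e9352d41d80f3",
    "sha512": (
        "4dddad8a53a09dc97b55c2d091cfc7f743a73398632301d578c53d1d7d32941b"
        "79a6f2eea6af5fa260f2e8ff767bc98aa73abda5a5f10964513462e792ce3342"
    ),
}

CHUNK_SIZE = 1 << 20  # 1 MiB reads: the sample is ~265 MB, never load it whole


def hash_file(path, algorithms=("md5", "sha1", "sha256", "sha512")):
    """Return {algorithm: hex digest} for `path`, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK_SIZE)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_report(path, report=REPORT_HASHES):
    """Return {algorithm: bool} telling which listed hashes the file matches."""
    digests = hash_file(path, tuple(report))
    return {name: digests[name] == report[name].lower() for name in report}


def is_reported_sample(path, report=REPORT_HASHES):
    """True only when every hash in the report matches; a partial match
    (e.g. MD5 only) should be treated as a collision or a typo, not a hit."""
    return all(match_report(path, report).values())


def demo_on_constructed_bytes(data=b"abc"):
    """Write constructed bytes (not the real sample) to a temp file and
    return (digests, per-algorithm matches, confirmed) for it."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        return hash_file(tmp.name), match_report(tmp.name), is_reported_sample(tmp.name)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    import sys

    for candidate in sys.argv[1:]:
        for name, ok in match_report(candidate).items():
            print(f"{candidate}: {name} {'MATCH' if ok else 'differs'}")
        print(f"{candidate}: confirmed sample = {is_reported_sample(candidate)}")
```

Run it as `python check_hashes.py <file>` (filename assumed). An exact hash match only confirms a byte-identical copy; a repacked or re-signed build of the same installer will differ in every field above, which is what the SSDEEP value is for (fuzzy comparison needs the separate `ssdeep` Python bindings and is not attempted here).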

Malware Config

Targets

    • Target

      iTunesSetup64BitsPorLimonTouchYT.exe

    • Size

      264.9MB

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • Modifies firewall policy service

    • Bazar/Team9 Backdoor payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Registers COM server for autorun

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v6

Tasks