Overview

overview

10

Static

static

1

d0e608a7a0...b3.dll

windows7-x64

10

d0e608a7a0...b3.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-03-2023 11:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0e608a7a0b874649fa154ed44f6d61ae4e5188121926e982bb359e3bd61e5b3.dll

  • Size

    1.2MB

  • MD5

    33fe9450c17582b6968ea1a507651e77

  • SHA1

    2cd4a530ccdae728d9278025e344e931d2dc6703

  • SHA256

    d0e608a7a0b874649fa154ed44f6d61ae4e5188121926e982bb359e3bd61e5b3

  • SHA512

    a4fdcde472a64ba56f1cf8ceeaba5d3c20e9c36c0d71c5fce910c2774667f774753047df20fea369ff431db90b239822a57b8dc824351ae8623c8ff40849af76

  • SSDEEP

    24576:0Wpc+G43nwqthqmmldpXoQ5IyXdLrgvHmrE:8+n3Hthqm9qgkE

Score
10/10
bazarloaderdropperloader

Malware Config

Signatures

  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Bazar/Team9 Loader payload 3 IoCs
  • Blocklisted process makes network request 13 IoCs
  • Tries to connect to .bazar domain 5 IoCs

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Unexpected DNS network traffic destination 5 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0e608a7a0b874649fa154ed44f6d61ae4e5188121926e982bb359e3bd61e5b3.dll,#1
    1⤵
    • Blocklisted process makes network request
    PID:2008

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2008-133-0x00000165EA380000-0x00000165EA3BB000-memory.dmp
    Filesize

    236KB

    Download
  • memory/2008-134-0x00007FFB361E0000-0x00007FFB36362000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/2008-135-0x00000165EA380000-0x00000165EA3BB000-memory.dmp
    Filesize

    236KB

    Download