Analysis
max time kernel: 141s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-03-2023 11:33
Static task: static1
Behavioral task: behavioral1
  Sample: d0e608a7a0b874649fa154ed44f6d61ae4e5188121926e982bb359e3bd61e5b3.dll
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: d0e608a7a0b874649fa154ed44f6d61ae4e5188121926e982bb359e3bd61e5b3.dll
  Resource: win10v2004-20230220-en
General
Target: d0e608a7a0b874649fa154ed44f6d61ae4e5188121926e982bb359e3bd61e5b3.dll
Size: 1.2MB
MD5: 33fe9450c17582b6968ea1a507651e77
SHA1: 2cd4a530ccdae728d9278025e344e931d2dc6703
SHA256: d0e608a7a0b874649fa154ed44f6d61ae4e5188121926e982bb359e3bd61e5b3
SHA512: a4fdcde472a64ba56f1cf8ceeaba5d3c20e9c36c0d71c5fce910c2774667f774753047df20fea369ff431db90b239822a57b8dc824351ae8623c8ff40849af76
SSDEEP: 24576:0Wpc+G43nwqthqmmldpXoQ5IyXdLrgvHmrE:8+n3Hthqm9qgkE
Malware Config
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (3 IoCs)
Processes:
  resource                                                                        yara_rule
  behavioral2/memory/2008-133-0x00000165EA380000-0x00000165EA3BB000-memory.dmp    BazarLoaderVar5
  behavioral2/memory/2008-134-0x00007FFB361E0000-0x00007FFB36362000-memory.dmp    BazarLoaderVar5
  behavioral2/memory/2008-135-0x00000165EA380000-0x00000165EA3BB000-memory.dmp    BazarLoaderVar5
Blocklisted process makes network request (13 IoCs)
Processes:
  flow  pid   process
  19    2008  rundll32.exe
  36    2008  rundll32.exe
  55    2008  rundll32.exe
  57    2008  rundll32.exe
  59    2008  rundll32.exe
  62    2008  rundll32.exe
  63    2008  rundll32.exe
  64    2008  rundll32.exe
  72    2008  rundll32.exe
  73    2008  rundll32.exe
  74    2008  rundll32.exe
  75    2008  rundll32.exe
  76    2008  rundll32.exe
Tries to connect to .bazar domain (5 IoCs)
Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Processes:
  flow  ioc
  74    yellowdownpour81.bazar
  75    yellowdownpour81.bazar
  62    greencloud46a.bazar
  63    greencloud46a.bazar
  72    whitestorm9p.bazar
Unexpected DNS network traffic destination (5 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Processes:
  description     ioc
  Destination IP  195.10.195.195
  Destination IP  195.10.195.195
  Destination IP  195.10.195.195
  Destination IP  194.36.144.87
  Destination IP  194.36.144.87
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  description  flow  ioc
  HTTP URL     55    https://api.opennicproject.org/geoip/?bare&ipv=4