bazarbackdoor | 188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6

Analysis

max time kernel
85s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-04-2023 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jre-8u351-windows-x64.exe
Size

84.5MB
MD5

7542ec421a2f6e90751e8b64c22e0542
SHA1

d207d221a28ede5c2c8415f82c555989aa7068ba
SHA256

188ca8ecc44de1b7f602e883c3054dc392792c3631bf362b1bc4f3e1dba323e6
SHA512

8987bf8aa1b401815fa9850e56954db6015bdd06ce78b65ba435724582ffa615dee4e1452fa237c53257dca8ee97b469d01c27757a5f070ce6f807a4f81094bc
SSDEEP

1572864:ugyqUvFZpZDQBTgcJ5pWuqHRAOLut/+EDSSXXfDS2ZVw:ugzUnvDHq5pW1xAwutGEDxXXfGP

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jds240563859.tmp\jre-8u351-windows-x64.exe	BazarBackdoorVar3
C:\Users\Admin\AppData\Local\Temp\jds240563859.tmp\jre-8u351-windows-x64.exe	BazarBackdoorVar3

Executes dropped EXE 1 IoCs

Processes:

jre-8u351-windows-x64.exe

pid process

2652 jre-8u351-windows-x64.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

jre-8u351-windows-x64.exe

pid process

2652 jre-8u351-windows-x64.exe
2652 jre-8u351-windows-x64.exe

pid	process
2652	jre-8u351-windows-x64.exe

pid	process
2652	jre-8u351-windows-x64.exe
2652	jre-8u351-windows-x64.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

jre-8u351-windows-x64.exe

description	pid	process	target process
PID 5104 wrote to memory of 2652	5104	jre-8u351-windows-x64.exe	jre-8u351-windows-x64.exe
PID 5104 wrote to memory of 2652	5104	jre-8u351-windows-x64.exe	jre-8u351-windows-x64.exe

C:\Users\Admin\AppData\Local\Temp\jre-8u351-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jre-8u351-windows-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Users\Admin\AppData\Local\Temp\jds240563859.tmp\jre-8u351-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jds240563859.tmp\jre-8u351-windows-x64.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jds240563859.tmp\jre-8u351-windows-x64.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240563859.tmp\jre-8u351-windows-x64.exe
Filesize
84.1MB

MD5
dfcfc788d67437530a50177164db42b0

SHA1
2d9ed0dc5671a358186dcf83abb74bfe39c40e9f

SHA256
a90318bae7d99da633d9cac8ce322120d087e7b6f5eec0d1d0d7f9413fdd4dc1

SHA512
dbdfd02528c9f0e506232e8640a8602fade0d05f4139368187300ea2d537e41d2d167655ded30d938bd445a21c776a3c3721f8db4d3f03e3c06807a84cf232e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
267KB

MD5
4d3c55c5088ef338f1922ca3d9a50321

SHA1
30be4de3fe7eb5c1d6acf563616afe6562502345

SHA256
176cd6c7743742fa313099729683c2263093907a3993aaaa44ea3e570fe70552

SHA512
f1624ca15cf605e668ff2ca902aefbfe959159f6bfddd03da520e1e6991dc1b6382261b79e706793719d6b157aa09b0bb1c6bce803a1084b7081acf24a25265a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
267KB

MD5
f92127386c183506fc4ebdf7997b733b

SHA1
b2ee3cd11bad35243bda8b1561daa19c5e0d1ac5

SHA256
f8309cd2cec3c06b99f2d39870627ea3e93c617cd478b0069b8bd54ab0a9d28e

SHA512
fa0420bab004532e29a40e4f9956b45e382df79b389aae349404b1784c43d314cb1fa19f2a788f5dab970f2eb590a2abcbcf291a69880708a5d830d8f917540d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
285KB

MD5
6839a373b686263b9a0ddbcb374c6726

SHA1
5c24571cb794c2f4cec44adb636d09d4beabc445

SHA256
3f99c42e63e6fd3a3d9fa01266eb6c21d2e457787df5d273b8c30f80cf4973c8

SHA512
c08c56f3082290bbedaf38dc765f95e949cf35232fd48c2af483dcc45a5002f4f3ac69bc8677c6c45a9532d8f7f1c5b90d1233cb3fe4f3e7f81d1ecb2f17c1c3

Download Submit