bazarbackdoor | 273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d

Analysis

max time kernel
98s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2023 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jre-8u321-windows-x64.exe
Size

82.0MB
MD5

5c4de2813b42c80a2d77983624512e7a
SHA1

0e645b1e56de38a5859d187d71c792ea7cb5735a
SHA256

273fe2b92f8c123f28340660bf9a7dee6f3bf2c88f4299c31c302f9c674d921d
SHA512

263b008f849b036be046c545b9944f230ac5153899bd689c44d9d2f6d5ce848454136daab54401c4e79a40c9a1c017c33eb6df16b1a010a0d43ef051aefb5688
SSDEEP

1572864:W9Dm4YjKurf8BTFLWx0Uy1nB2yVbB33Ec1lyKEgjg7VQppCCXfUvvs:W9mjKuzmTUynBrbB3UWlyKEg0GVXfIvs

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor

Bazar/Team9 Backdoor payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jds240554468.tmp\jre-8u321-windows-x64.exe	BazarBackdoorVar3
C:\Users\Admin\AppData\Local\Temp\jds240554468.tmp\jre-8u321-windows-x64.exe	BazarBackdoorVar3

Executes dropped EXE 1 IoCs

Processes:

jre-8u321-windows-x64.exe

pid process

1840 jre-8u321-windows-x64.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

jre-8u321-windows-x64.exe

pid process

1840 jre-8u321-windows-x64.exe
1840 jre-8u321-windows-x64.exe

pid	process
1840	jre-8u321-windows-x64.exe

pid	process
1840	jre-8u321-windows-x64.exe
1840	jre-8u321-windows-x64.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

jre-8u321-windows-x64.exe

description	pid	process	target process
PID 872 wrote to memory of 1840	872	jre-8u321-windows-x64.exe	jre-8u321-windows-x64.exe
PID 872 wrote to memory of 1840	872	jre-8u321-windows-x64.exe	jre-8u321-windows-x64.exe

C:\Users\Admin\AppData\Local\Temp\jre-8u321-windows-x64.exe
"C:\Users\Admin\AppData\Local\Temp\jre-8u321-windows-x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:872
- C:\Users\Admin\AppData\Local\Temp\jds240554468.tmp\jre-8u321-windows-x64.exe
  "C:\Users\Admin\AppData\Local\Temp\jds240554468.tmp\jre-8u321-windows-x64.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jds240554468.tmp\jre-8u321-windows-x64.exe

Filesize
81.6MB

MD5
80afab5be48bacf44155212c817f4e31

SHA1
5a8b12509bdecdb2024a8d00395ca5f24dec63dc

SHA256
fb02ebdbbd9c7f27c49eef2d743293f100a614aa95151e2d28828db84baf6657

SHA512
a6602aacfc6334a9e1f05874cebe34519808d10cfcc7d3254e8639d1645758a680fe4dbcd30bcf41e9d90b47126259348e6a6cf83b5f3eeeb006110070b60304

Download Submit
C:\Users\Admin\AppData\Local\Temp\jds240554468.tmp\jre-8u321-windows-x64.exe

Filesize
81.6MB

MD5
80afab5be48bacf44155212c817f4e31

SHA1
5a8b12509bdecdb2024a8d00395ca5f24dec63dc

SHA256
fb02ebdbbd9c7f27c49eef2d743293f100a614aa95151e2d28828db84baf6657

SHA512
a6602aacfc6334a9e1f05874cebe34519808d10cfcc7d3254e8639d1645758a680fe4dbcd30bcf41e9d90b47126259348e6a6cf83b5f3eeeb006110070b60304

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
267KB

MD5
c609cd6c10fdf8b84cd3a9c6627c1c21

SHA1
5590662d2a61d2a9fa0f8670e8127bbe49a653ee

SHA256
97eedb7f1a629a4bffb47fc17f3b44ca529124ffd104c9077f7a20597aa906e4

SHA512
990c8104c844bb283835b5b6722454c381f9b5559458ff3e4121e99c9a394eb39faeebe339a08f8976570704d259a2cef3935764c1385d5798873cf32cc3ab29

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
267KB

MD5
f12ec60b79f65b69e17ff83f6eede068

SHA1
f4bef419249189485395cecfdd6f8849bf2085bb

SHA256
4df390177c458407442ad31774ae76ac44f41bed0326d3bb0b952801b1745cbd

SHA512
572383ced7ad8e1eeb322b1c129f7582d8a38f90b50554d767b284601472f90d8d80c5dd71c219a09021531d32b424d4a64ff7bbdbf418df63bdd93f03bee353

Download Submit