Analysis
max time kernel: 175s
max time network: 186s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 22:40
Static task: static1
Behavioral task: behavioral1
  Sample: 40fddbbfbb45012b7bf00985547d70fe.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 40fddbbfbb45012b7bf00985547d70fe.dll
  Resource: win10v2004-20231215-en
General
Target: 40fddbbfbb45012b7bf00985547d70fe.dll
Size: 1.2MB
MD5: 40fddbbfbb45012b7bf00985547d70fe
SHA1: 23e0b6b8db4f2d4479df7dd51867474567d480bf
SHA256: bb42fe3d20e3fae9bf0e1be683134b526386cf36e99a6aaed14a08bbfc627294
SHA512: ceda59bcc7c7ae695050419278f6710645d452845bd70f60c3a1f9867e58baf6614852dd22b05f8c49e88a70bf8afe0ef0dae429c31f91431425ded7ba7b072f
SSDEEP: 24576:0Wpc+G43nwqthqmmldpXoQ5IyXdLrgvHmrR:8+n3Hthqm9qgkR
Malware Config
Signatures
Bazar Loader
Detected the loader normally used to deploy the BazarBackdoor malware.

Bazar/Team9 Loader payload (3 IoCs)
resource                                                                   yara_rule
behavioral2/memory/224-0-0x0000025CFE3D0000-0x0000025CFE40B000-memory.dmp  BazarLoaderVar5
behavioral2/memory/224-1-0x00007FFCC6A40000-0x00007FFCC6BC2000-memory.dmp  BazarLoaderVar5
behavioral2/memory/224-3-0x0000025CFE3D0000-0x0000025CFE40B000-memory.dmp  BazarLoaderVar5
Blocklisted process makes network request (20 IoCs)
The DLL was executed through rundll32.exe (PID 224); all 20 flagged flows originate from that single process.
process       pid  flows
rundll32.exe  224  37, 49, 59, 74, 78, 84, 85, 91, 92, 101, 102, 104, 105, 106, 107, 108, 109, 114, 115, 116
Tries to connect to .bazar domain (11 IoCs)
Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others. The .bazar TLD does not exist in the ICANN root; it is an EmerDNS (Emercoin blockchain) zone, so resolving it requires OpenNIC/EmerDNS resolvers rather than the system's configured DNS servers. Any .bazar query in DNS logs is therefore a strong indicator on its own.
flow  ioc
85    greencloud46a.bazar
91    greencloud46a.bazar
101   whitestorm9p.bazar
104   yellowdownpour81.bazar
105   yellowdownpour81.bazar
106   yellowdownpour81.bazar
107   yellowdownpour81.bazar
108   yellowdownpour81.bazar
109   yellowdownpour81.bazar
114   yellowdownpour81.bazar
115   yellowdownpour81.bazar
Unexpected DNS network traffic destination (11 IoCs)
Traffic on the DNS port (53) to servers other than the sandbox's configured DNS servers was detected. This is consistent with the .bazar lookups above: the loader sends its queries directly to alternative resolvers instead of the system resolver. Seven distinct destinations appear across the 11 IoCs.
destination IP   occurrences
195.10.195.195   3
94.16.114.254    2
194.36.144.87    2
217.160.188.24   1
198.50.135.212   1
91.217.137.37    1
172.98.193.62    1
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP. The service queried here belongs to the OpenNIC project, the same alternative-root DNS network whose resolvers serve EmerDNS zones such as .bazar.
flow  HTTP URL
84    https://api.opennicproject.org/geoip/?bare&ipv=4
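The three network signatures above (.bazar lookups, DNS-port traffic to non-configured resolvers, and the external IP lookup) are simple enough to check from DNS and HTTP logs outside the sandbox. The script below is an added example, not part of the sandbox report or of any vendor's detection code. Its log format is constructed for illustration (one whitespace-separated record per line: protocol, source IP, destination IP, destination port, record kind, value); the sample records reuse the domains, resolver IPs and URL from the report, with benign lines added for contrast and RFC 5737 documentation addresses standing in for unrelated hosts.

```python
"""Flag BazarLoader-style network behaviour in constructed DNS/HTTP log lines.

Added example; not part of the sandbox report. Log format (constructed):
    <proto> <src_ip> <dst_ip> <dst_port> <kind> <value>
kind is "dns" (value = queried name) or "http" (value = requested URL).
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlparse

# Alternative-root TLDs a normal ICANN resolver cannot answer. ".bazar" is the
# EmerDNS zone used by BazarLoader/BazarBackdoor; extend with other EmerDNS
# TLDs if your environment should never see them.
SUSPICIOUS_TLDS = {"bazar"}

# Legitimate "what is my IP" endpoints seen abused by loaders (from the report).
IP_LOOKUP_HOSTS = {"api.opennicproject.org"}


@dataclass(frozen=True)
class Finding:
    rule: str     # which signature fired
    ioc: str      # the indicator that triggered it
    record: str   # the raw log line


def parse(line):
    """Split one constructed log record into its six fields."""
    proto, src, dst, dport, kind, value = line.split()
    return proto, src, dst, int(dport), kind, value


def tld(name):
    """Return the last label of a DNS name, lower-cased, ignoring a trailing dot."""
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def detect(lines, configured_dns):
    """Run the three checks over log lines; configured_dns are the approved resolvers."""
    configured = {ip_address(x) for x in configured_dns}
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, src, dst, dport, kind, value = parse(line)
        if kind == "dns":
            # Signature 1: query for an alternative-root TLD such as .bazar.
            if tld(value) in SUSPICIOUS_TLDS:
                findings.append(Finding("bazar_domain", value, line))
            # Signature 2: DNS-port traffic to a resolver we did not configure.
            if dport == 53 and ip_address(dst) not in configured:
                findings.append(Finding("unexpected_dns_destination", dst, line))
        elif kind == "http":
            # Signature 3: external IP discovery through a public lookup service.
            host = (urlparse(value).hostname or "").lower()
            if host in IP_LOOKUP_HOSTS:
                findings.append(Finding("external_ip_lookup", value, line))
    return findings


# Constructed sample log: IoCs taken from the report, benign lines for contrast,
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG = """\
# proto src        dst              dport kind value
udp 10.0.0.5 10.0.0.1        53  dns  www.microsoft.com
udp 10.0.0.5 195.10.195.195  53  dns  greencloud46a.bazar
udp 10.0.0.5 94.16.114.254   53  dns  yellowdownpour81.bazar
udp 10.0.0.5 10.0.0.1        53  dns  whitestorm9p.bazar
tcp 10.0.0.5 203.0.113.10    443 http https://www.microsoft.com/
tcp 10.0.0.5 198.51.100.7    443 http https://api.opennicproject.org/geoip/?bare&ipv=4
"""


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG.splitlines(), configured_dns=["10.0.0.1"])
    for f in hits:
        print(f"{f.rule:28} {f.ioc}")
    print(summarize(hits))
```

Note that the fourth sample line, a .bazar query sent to the approved resolver, still fires the TLD check even though the resolver check stays quiet; the two signatures are independent, which is why the report lists them separately and why both are worth keeping in a detection ruleset.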