Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25-12-2023 18:19
General
-
Target
33fe9450c17582b6968ea1a507651e77.dll
-
Size
1.2MB
-
MD5
33fe9450c17582b6968ea1a507651e77
-
SHA1
2cd4a530ccdae728d9278025e344e931d2dc6703
-
SHA256
d0e608a7a0b874649fa154ed44f6d61ae4e5188121926e982bb359e3bd61e5b3
-
SHA512
a4fdcde472a64ba56f1cf8ceeaba5d3c20e9c36c0d71c5fce910c2774667f774753047df20fea369ff431db90b239822a57b8dc824351ae8623c8ff40849af76
-
SSDEEP
24576:0Wpc+G43nwqthqmmldpXoQ5IyXdLrgvHmrE:8+n3Hthqm9qgkE
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 3 IoCs
-
Blocklisted process makes network request 24 IoCs
-
Tries to connect to .bazar domain 17 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Unexpected DNS network traffic destination 17 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\33fe9450c17582b6968ea1a507651e77.dll,#11⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3336-0-0x00000144FA360000-0x00000144FA39B000-memory.dmpFilesize
236KB
-
memory/3336-1-0x00007FFED0C20000-0x00007FFED0DA2000-memory.dmpFilesize
1.5MB
-
memory/3336-3-0x00000144FA360000-0x00000144FA39B000-memory.dmpFilesize
236KB