Analysis
- max time kernel: 145s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-12-2023 18:19
Static task: static1
Behavioral task: behavioral1
- Sample: 33fe9450c17582b6968ea1a507651e77.dll
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 33fe9450c17582b6968ea1a507651e77.dll
- Resource: win10v2004-20231215-en
General
- Target: 33fe9450c17582b6968ea1a507651e77.dll
- Size: 1.2MB
- MD5: 33fe9450c17582b6968ea1a507651e77
- SHA1: 2cd4a530ccdae728d9278025e344e931d2dc6703
- SHA256: d0e608a7a0b874649fa154ed44f6d61ae4e5188121926e982bb359e3bd61e5b3
- SHA512: a4fdcde472a64ba56f1cf8ceeaba5d3c20e9c36c0d71c5fce910c2774667f774753047df20fea369ff431db90b239822a57b8dc824351ae8623c8ff40849af76
- SSDEEP: 24576:0Wpc+G43nwqthqmmldpXoQ5IyXdLrgvHmrE:8+n3Hthqm9qgkE
Malware Config
Signatures
- Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
- Bazar/Team9 Loader payload (3 IoCs)
Memory dumps of the rundll32.exe host process (pid 3336, behavioral2) that matched the BazarLoaderVar5 YARA rule. The first and third dump cover the same 0x3B000-byte region taken at different points in the run; the second is a 0x182000-byte region in the high (0x7FF...) image range.
resource | yara_rule
behavioral2/memory/3336-0-0x00000144FA360000-0x00000144FA39B000-memory.dmp | BazarLoaderVar5
behavioral2/memory/3336-1-0x00007FFED0C20000-0x00007FFED0DA2000-memory.dmp | BazarLoaderVar5
behavioral2/memory/3336-3-0x00000144FA360000-0x00000144FA39B000-memory.dmp | BazarLoaderVar5
- Blocklisted process makes network request (24 IoCs)
All 24 flows originate from the same process, rundll32.exe (pid 3336), which is what loads the sample DLL.
flow | pid | process
22, 23, 42, 45, 50, 51, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 88, 89, 90 | 3336 | rundll32.exe
- Tries to connect to .bazar domain (17 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
flow | ioc
51, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67 | greencloud46a.bazar
68 | whitestorm9p.bazar
88, 89 | yellowdownpour81.bazar
- Unexpected DNS network traffic destination (17 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port. The 17 hits cover 13 distinct destinations; repeats are noted.
description | ioc
Destination IP | 94.16.114.254 (2 hits)
Destination IP | 51.158.108.203
Destination IP | 195.10.195.195 (3 hits)
Destination IP | 80.152.203.134
Destination IP | 51.254.162.59
Destination IP | 194.36.144.87 (2 hits)
Destination IP | 217.160.70.42
Destination IP | 198.50.135.212
Destination IP | 217.160.188.24
Destination IP | 91.217.137.37
Destination IP | 81.169.136.222
Destination IP | 172.98.193.62
Destination IP | 178.254.22.166
- Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
description | flow | ioc
HTTP URL | 42 | https://api.opennicproject.org/geoip/?bare&ipv=4
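The four network signatures above describe one behaviour chain: the .bazar TLD is not in the ICANN root, so the loader has to send its queries to alternative-DNS resolvers instead of the host's configured DNS server, which is why the sandbox also fires "Unexpected DNS network traffic destination" and sees the OpenNIC geoip endpoint. The following is an added example of how those checks can be reproduced over flow records, not tooling from the sandbox that produced this report. The log format, the configured-resolver address 10.127.0.1, the TEST-NET destination IPs for the HTTP flows, and the process blocklist are assumptions constructed for the example; the .bazar names, flow numbers, pid and DNS destination IPs are taken from the report.

```python
"""Re-implementation of the report's network signatures over flow records.

Added example, not code from the sandbox. Sample input is constructed; the
.bazar names, flow ids, pid and DNS destination addresses come from the report.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed: the sandbox host's configured resolver (constructed for this example).
CONFIGURED_DNS = {ipaddress.ip_address("10.127.0.1")}
# EmerDNS TLDs served outside the ICANN root; a query for one of these
# only succeeds through an alternative-root resolver.
ALT_ROOT_TLDS = {"bazar", "coin", "emc", "lib"}
# Host taken from the report's "Looks up external IP address" signature.
EXTERNAL_IP_SERVICES = {"api.opennicproject.org"}
# Assumed blocklist of LOLBin hosts that should not talk to the network on their own.
BLOCKLISTED_PROCESSES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}


@dataclass(frozen=True)
class Flow:
    flow_id: int
    pid: int
    process: str
    proto: str        # "dns" or "http"
    dst_ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst_port: int
    name: str         # queried name (dns) or Host header (http), lower-cased


# Constructed records: "flow pid process proto dst_ip dst_port name".
# DNS destination IPs are four of the 13 listed in the report; HTTP destination
# IPs are TEST-NET placeholders because the report does not list them.
SAMPLE_LOG = """\
# flow pid process proto dst_ip dst_port name
42 3336 rundll32.exe http 198.51.100.10 443 api.opennicproject.org
43 1234 chrome.exe dns 10.127.0.1 53 www.example.com
51 3336 rundll32.exe dns 94.16.114.254 53 greencloud46a.bazar
55 3336 rundll32.exe dns 51.158.108.203 53 greencloud46a.bazar
68 3336 rundll32.exe dns 195.10.195.195 53 whitestorm9p.bazar
88 3336 rundll32.exe dns 194.36.144.87 53 yellowdownpour81.bazar
90 3336 rundll32.exe http 203.0.113.7 443 yellowdownpour81.bazar
"""


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records; blank and '#' lines are skipped."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fid, pid, proc, proto, ip, port, name = line.split()
        flows.append(Flow(int(fid), int(pid), proc.lower(), proto.lower(),
                          ipaddress.ip_address(ip), int(port),
                          name.rstrip(".").lower()))
    return flows


def tld(name: str) -> str:
    return name.rsplit(".", 1)[-1]


def analyze(flows: list[Flow]) -> dict[str, list[int]]:
    """Return flow ids per signature, mirroring the four report signatures."""
    hits: dict[str, list[int]] = {
        "unexpected_dns": [],               # port-53 traffic not to CONFIGURED_DNS
        "alt_root_tld": [],                 # lookup of, or connection to, a .bazar-style name
        "blocklisted_process_network": [],  # any flow from a blocklisted process
        "external_ip_lookup": [],           # HTTP to a known external-IP service
    }
    for f in flows:
        if f.dst_port == 53 and f.dst_ip not in CONFIGURED_DNS:
            hits["unexpected_dns"].append(f.flow_id)
        if tld(f.name) in ALT_ROOT_TLDS:
            hits["alt_root_tld"].append(f.flow_id)
        if f.process in BLOCKLISTED_PROCESSES:
            hits["blocklisted_process_network"].append(f.flow_id)
        if f.proto == "http" and f.name in EXTERNAL_IP_SERVICES:
            hits["external_ip_lookup"].append(f.flow_id)
    return {k: sorted(v) for k, v in hits.items()}


def resolver_counts(flows: list[Flow]) -> Counter:
    """Count port-53 destinations outside the configured set, as the report does."""
    return Counter(str(f.dst_ip) for f in flows
                   if f.dst_port == 53 and f.dst_ip not in CONFIGURED_DNS)


if __name__ == "__main__":
    parsed = parse_flows(SAMPLE_LOG)
    for sig, ids in analyze(parsed).items():
        print(f"{sig}: {len(ids)} IoCs, flows {ids}")
    for ip, n in resolver_counts(parsed).most_common():
        print(f"Destination IP {ip} ({n} hit{'s' if n > 1 else ''})")
```

On the constructed input the `unexpected_dns` and `alt_root_tld` checks fire together on every .bazar query, which is the same coupling the report shows between its 17-hit DNS signature and its 17-hit .bazar signature: the loader cannot reach the .bazar names without bypassing the configured resolver, so either check alone is a usable hunt, and the two together are a strong one.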