General

  • Target

    4663bba7172a24a9a46a1e2b8d1ed0df

  • Size

    403KB

  • Sample

    231226-ar8t6sfbd2

  • MD5

    4663bba7172a24a9a46a1e2b8d1ed0df

  • SHA1

    a8d683cca49ac28a89a30418b94818be0184a887

  • SHA256

    a314401b8e12130bea249a3734022a8ebd46b8e65b18535db60944a00e84e6f6

  • SHA512

    48fb556ecda308ab9fe42f18283acb39a2dd2f57a07635867e6a09a9c733414902baf75901f33c8a2d0b6ec8a3b865237612ef92f9a59de795fff54fbc33f2b4

  • SSDEEP

    12288:ZinPGC8lXe1gwijX52yN7stYqaHVbBBRY:gnPAlOWwIX5ZNpFY

Targets

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • Bazar/Team9 Loader payload

    • Blocklisted process makes network request

    • Tries to connect to .bazar domain

      Attempts to look up or connect to a .bazar domain, a TLD used by BazarBackdoor, Trickbot, and potentially other malware families.

    • Unexpected DNS network traffic destination

      Traffic on the DNS port to servers other than the configured DNS servers was detected.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
