Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2023 00:27
Static task: static1
Behavioral task: behavioral1
  Sample: 4663bba7172a24a9a46a1e2b8d1ed0df.dll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 4663bba7172a24a9a46a1e2b8d1ed0df.dll
  Resource: win10v2004-20231222-en
General
Target: 4663bba7172a24a9a46a1e2b8d1ed0df.dll
Size: 403KB
MD5: 4663bba7172a24a9a46a1e2b8d1ed0df
SHA1: a8d683cca49ac28a89a30418b94818be0184a887
SHA256: a314401b8e12130bea249a3734022a8ebd46b8e65b18535db60944a00e84e6f6
SHA512: 48fb556ecda308ab9fe42f18283acb39a2dd2f57a07635867e6a09a9c733414902baf75901f33c8a2d0b6ec8a3b865237612ef92f9a59de795fff54fbc33f2b4
SSDEEP: 12288:ZinPGC8lXe1gwijX52yN7stYqaHVbBBRY:gnPAlOWwIX5ZNpFY
Malware Config
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (2 IoCs)
Processes:
resource                                                                    yara_rule
behavioral2/memory/1880-0-0x0000011CB5C60000-0x0000011CB5C9C000-memory.dmp  BazarLoaderVar5
behavioral2/memory/1880-1-0x0000011CB5C60000-0x0000011CB5C9C000-memory.dmp  BazarLoaderVar5
Blocklisted process makes network request (20 IoCs)
Processes:
flow  pid   process
22    1880  rundll32.exe
41    1880  rundll32.exe
88    1880  rundll32.exe
126   1880  rundll32.exe
131   1880  rundll32.exe
134   1880  rundll32.exe
136   1880  rundll32.exe
140   1880  rundll32.exe
141   1880  rundll32.exe
142   1880  rundll32.exe
162   1880  rundll32.exe
163   1880  rundll32.exe
199   1880  rundll32.exe
200   1880  rundll32.exe
201   1880  rundll32.exe
202   1880  rundll32.exe
203   1880  rundll32.exe
209   1880  rundll32.exe
210   1880  rundll32.exe
213   1880  rundll32.exe
Tries to connect to .bazar domain (10 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Processes:
flow  ioc
141   greencloud46a.bazar
162   whitestorm9p.bazar
199   yellowdownpour81.bazar
209   yellowdownpour81.bazar
210   yellowdownpour81.bazar
140   greencloud46a.bazar
200   yellowdownpour81.bazar
201   yellowdownpour81.bazar
202   yellowdownpour81.bazar
203   yellowdownpour81.bazar
Unexpected DNS network traffic destination (10 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Processes:
description     ioc
Destination IP  172.98.193.62
Destination IP  194.36.144.87
Destination IP  195.10.195.195
Destination IP  91.217.137.37
Destination IP  217.160.188.24
Destination IP  195.10.195.195
Destination IP  198.50.135.212
Destination IP  94.16.114.254
Destination IP  195.10.195.195
Destination IP  194.36.144.87
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
description  flow  ioc
HTTP URL     131   https://api.opennicproject.org/geoip/?bare&ipv=4