Analysis
  max time kernel:  143s
  max time network: 154s
  platform:         windows10-2004_x64
  resource:         win10v2004-20231215-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        26-12-2023 04:08
Static task: static1

Behavioral task: behavioral1
  Sample:   52f7a51c10ed1af473b8e49753b1a776.dll
  Resource: win7-20231215-en

Behavioral task: behavioral2
  Sample:   52f7a51c10ed1af473b8e49753b1a776.dll
  Resource: win10v2004-20231215-en
General
  Target: 52f7a51c10ed1af473b8e49753b1a776.dll
  Size:   338KB
  MD5:    52f7a51c10ed1af473b8e49753b1a776
  SHA1:   3810802f7f9291f4c8a3a9c2b0adf2359b33cd92
  SHA256: 2bc93ff34de7019410fb251d7dcfeb731795e8375402eca5a526dbe1ffbb6f04
  SHA512: 63dda9738f7e178c70e5ab9974268c48453ba358be65e169594a77e36f82e5787914488c0c09967f43a39446ec5ec6fd4fe4ba1c4ec834c2c6d3f25c96bd268f
  SSDEEP: 6144:uZwKn8bxurvfUCEs7I4V2PsqHMc/PZ6RguROla0CWecIdn9TCwC6dT:zTbxuLfUCR2kQMgZ6W4OIePAT
Malware Config
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (2 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral2/memory/3888-0-0x00000234A9DF0000-0x00000234A9FEA000-memory.dmp   BazarLoaderVar5
  behavioral2/memory/3888-1-0x00000234A9DF0000-0x00000234A9FEA000-memory.dmp   BazarLoaderVar5

Blocklisted process makes network request (10 IoCs)
Processes: rundll32.exe
  flow  pid   process
  27    3888  rundll32.exe
  46    3888  rundll32.exe
  57    3888  rundll32.exe
  76    3888  rundll32.exe
  79    3888  rundll32.exe
  80    3888  rundll32.exe
  86    3888  rundll32.exe
  87    3888  rundll32.exe
  99    3888  rundll32.exe
  100   3888  rundll32.exe
Tries to connect to .bazar domain (3 IoCs)
Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Processes:
  flow  ioc
  79    greencloud46a.bazar
  86    whitestorm9p.bazar
  99    yellowdownpour81.bazar

Unexpected DNS network traffic destination (3 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Processes:
  description     ioc
  Destination IP  134.195.4.2
  Destination IP  134.195.4.2
  Destination IP  134.195.4.2