Analysis

max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-12-2023 01:28
Static task: static1

Behavioral task: behavioral1
Sample: 9b35b45aa39ebe202ce6cdcb9df656ee.dll
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 9b35b45aa39ebe202ce6cdcb9df656ee.dll
Resource: win10v2004-20231215-en
General

Target: 9b35b45aa39ebe202ce6cdcb9df656ee.dll
Size: 1.2MB
MD5: 9b35b45aa39ebe202ce6cdcb9df656ee
SHA1: 49ce63eb5043cd25d4b8cbe8e1c3e6717b8c4fe8
SHA256: e3ae3375e738c81024554011d0596ff8ab801267c6eb4df7815d8c4e876f39d2
SHA512: 1171f83c88c2531e86fc64474568feecfc340cfa477183fe87c9df7b952a333afbd304c6b57bba44a8ba7b3d8dba95aba403c8bba8b7e0ef27ee36a8ffa2935b
SSDEEP: 24576:0Wpc+G43nwqthqmmldpXoQ5IyXdLrgvHmrB:8+n3Hthqm9qgkB
Malware Config
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (3 IoCs)
Processes:
resource                                                                     yara_rule
behavioral2/memory/4124-0-0x0000013901710000-0x000001390174B000-memory.dmp   BazarLoaderVar5
behavioral2/memory/4124-1-0x00007FFB61510000-0x00007FFB61692000-memory.dmp   BazarLoaderVar5
behavioral2/memory/4124-3-0x0000013901710000-0x000001390174B000-memory.dmp   BazarLoaderVar5
Blocklisted process makes network request (11 IoCs)
Processes: rundll32.exe
flow   pid    process
40     4124   rundll32.exe
46     4124   rundll32.exe
74     4124   rundll32.exe
76     4124   rundll32.exe
78     4124   rundll32.exe
83     4124   rundll32.exe
84     4124   rundll32.exe
107    4124   rundll32.exe
108    4124   rundll32.exe
117    4124   rundll32.exe
118    4124   rundll32.exe
Tries to connect to .bazar domain (3 IoCs)
Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Processes:
flow   ioc
107    whitestorm9p.bazar
117    yellowdownpour81.bazar
83     greencloud46a.bazar
Unexpected DNS network traffic destination (3 IoCs)
Network traffic to servers other than the configured DNS servers was detected on the DNS port.
Processes:
description      ioc
Destination IP   195.10.195.195
Destination IP   195.10.195.195
Destination IP   195.10.195.195
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
description   flow   ioc
HTTP URL      74     https://api.opennicproject.org/geoip/?bare&ipv=4