Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
27-12-2023 01:28
General
-
Target
9b35b45aa39ebe202ce6cdcb9df656ee.dll
-
Size
1.2MB
-
MD5
9b35b45aa39ebe202ce6cdcb9df656ee
-
SHA1
49ce63eb5043cd25d4b8cbe8e1c3e6717b8c4fe8
-
SHA256
e3ae3375e738c81024554011d0596ff8ab801267c6eb4df7815d8c4e876f39d2
-
SHA512
1171f83c88c2531e86fc64474568feecfc340cfa477183fe87c9df7b952a333afbd304c6b57bba44a8ba7b3d8dba95aba403c8bba8b7e0ef27ee36a8ffa2935b
-
SSDEEP
24576:0Wpc+G43nwqthqmmldpXoQ5IyXdLrgvHmrB:8+n3Hthqm9qgkB
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 3 IoCs
-
Blocklisted process makes network request 11 IoCs
-
Tries to connect to .bazar domain 3 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9b35b45aa39ebe202ce6cdcb9df656ee.dll,#11⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4124-0-0x0000013901710000-0x000001390174B000-memory.dmpFilesize
236KB
-
memory/4124-1-0x00007FFB61510000-0x00007FFB61692000-memory.dmpFilesize
1.5MB
-
memory/4124-3-0x0000013901710000-0x000001390174B000-memory.dmpFilesize
236KB