Analysis
  max time kernel: 151s
  max time network: 165s
  platform: windows10-2004_x64
  resource: win10v2004-20231215-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-12-2023 14:21

  Static task: static1

  Behavioral task: behavioral1
    Sample: b2ecd207b38890a16653912d8003844c.dll
    Resource: win7-20231215-en

  Behavioral task: behavioral2
    Sample: b2ecd207b38890a16653912d8003844c.dll
    Resource: win10v2004-20231215-en
General
  Target: b2ecd207b38890a16653912d8003844c.dll
  Size: 426KB
  MD5: b2ecd207b38890a16653912d8003844c
  SHA1: e164c354fc691aa34ad400a772c994d3292f07b9
  SHA256: fadb58b40ce2cbf2af1ded0c0b3c91354b761796ef8d9d8d48a4e64e4a543dba
  SHA512: 6487ad80e5a5cb276b3576d585ba277b41fa36868f642b88efab70c381cac45255f18f6b445cf473a0378fd5a7e9e5d4f748e2b08a50058728d71b98a69bcafd
  SSDEEP: 6144:ubT9YZt0qelf5iAWHqwbV8nr4Sjeom/ewvE4qHMi3NqvAC60qqU3PW6EF0is21jB:jY+x8nry1tvE4K0qY6Euu1jaiuo
Malware Config

Signatures

Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (2 IoCs)
  Processes:
    resource                                                                   yara_rule
    behavioral2/memory/804-0-0x00000210F9830000-0x00000210F9AB9000-memory.dmp  BazarLoaderVar5
    behavioral2/memory/804-1-0x00000210F9830000-0x00000210F9AB9000-memory.dmp  BazarLoaderVar5

Blocklisted process makes network request (13 IoCs)
  Processes:
    flow  pid  process
    36    804  rundll32.exe
    38    804  rundll32.exe
    56    804  rundll32.exe
    65    804  rundll32.exe
    68    804  rundll32.exe
    69    804  rundll32.exe
    71    804  rundll32.exe
    72    804  rundll32.exe
    82    804  rundll32.exe
    83    804  rundll32.exe
    84    804  rundll32.exe
    100   804  rundll32.exe
    101   804  rundll32.exe

Tries to connect to .bazar domain (4 IoCs)
  Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
  Processes:
    flow  ioc
    71    greencloud46a.bazar
    82    whitestorm9p.bazar
    83    whitestorm9p.bazar
    100   yellowdownpour81.bazar

Unexpected DNS network traffic destination (4 IoCs)
  Network traffic to servers other than the configured DNS servers was detected on the DNS port.
  Processes:
    description     ioc
    Destination IP  194.36.144.87
    Destination IP  195.10.195.195
    Destination IP  195.10.195.195
    Destination IP  195.10.195.195

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    description  flow  ioc
    HTTP URL     69    https://api.opennicproject.org/geoip/?bare&ipv=4