Analysis
max time kernel: 147s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-12-2023 10:04
Static task
static1

Behavioral task
behavioral1
Sample: d7b8b4a606c8b2dfebfb882afa35bca7.dll
Resource: win7-20231129-en

Behavioral task
behavioral2
Sample: d7b8b4a606c8b2dfebfb882afa35bca7.dll
Resource: win10v2004-20231215-en
General
Target: d7b8b4a606c8b2dfebfb882afa35bca7.dll
Size: 1.2MB
MD5: d7b8b4a606c8b2dfebfb882afa35bca7
SHA1: e276135a072675aa65b37a0cfd576e1f3637604e
SHA256: bd1182eb3595956ac524dc8d13e1df4bc1d9a0f8e7f2e14d2331bb26750d1df9
SHA512: d0f3b5e8a8ab94c808929cfefdf33e5ba5e39f587a96ed5222222b618e2a1ed2b52e20ad3b49d0dc845f24800815572ddbe4df7ba4172c962625835136ed6960
SSDEEP: 24576:rHvFVj8+YADTpPIeVCMaKoUo5/IyXZHa/L:/Y+YuTpPVPBwW
Malware Config
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (3 IoCs)
resource | yara_rule
behavioral2/memory/3800-0-0x0000000027AE0000-0x0000000027B1E000-memory.dmp | BazarLoaderVar5
behavioral2/memory/3800-1-0x00007FF851760000-0x00007FF8518E1000-memory.dmp | BazarLoaderVar5
behavioral2/memory/3800-4-0x0000000027AE0000-0x0000000027B1E000-memory.dmp | BazarLoaderVar5
Tries to connect to .bazar domain (15 IoCs)
Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
flow | ioc
122 | whitestorm9p.bazar
97 | greencloud46a.bazar
101 | greencloud46a.bazar
102 | greencloud46a.bazar
106 | greencloud46a.bazar
116 | whitestorm9p.bazar
118 | whitestorm9p.bazar
119 | whitestorm9p.bazar
123 | whitestorm9p.bazar
120 | whitestorm9p.bazar
98 | greencloud46a.bazar
105 | greencloud46a.bazar
109 | greencloud46a.bazar
117 | whitestorm9p.bazar
121 | whitestorm9p.bazar
Unexpected DNS network traffic destination (15 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description | ioc
Destination IP | 172.98.193.62
Destination IP | 194.36.144.87
Destination IP | 91.217.137.37
Destination IP | 198.50.135.212
Destination IP | 194.36.144.87
Destination IP | 94.16.114.254
Destination IP | 198.50.135.212
Destination IP | 217.160.188.24
Destination IP | 195.10.195.195
Destination IP | 91.217.137.37
Destination IP | 172.98.193.62
Destination IP | 217.160.188.24
Destination IP | 94.16.114.254
Destination IP | 195.10.195.195
Destination IP | 94.16.114.254
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
description | flow | ioc
HTTP URL | 94 | https://api.opennicproject.org/geoip/?bare&ipv=4
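The three network signatures above (.bazar lookups, DNS-port traffic to servers other than the configured resolvers, and the external-IP lookup) are easy to reproduce on a host's own DNS and HTTP logs. The block below is an added example, not Triage's rule code or the loader's own logic. It runs over constructed, simplified Zeek-style tab-separated log lines that reuse the .bazar names and resolver IPs from this report; the configured-resolver allowlist (10.0.0.2), the list of IP-lookup hosts, the client address and the 203.0.113.x web-server addresses are assumptions for the example.

```python
"""Detection logic for the three network signatures in the report above.

Added example, not Triage's own rule code. The log lines are constructed
(Zeek-style, tab-separated, simplified) and reuse the report's .bazar names and
DNS destination IPs; the resolver allowlist and the IP-lookup host list are
assumptions to be replaced with the environment's own values.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

DNS_FIELDS = ("ts", "src", "dst", "dport", "proto", "query")
HTTP_FIELDS = ("ts", "src", "dst", "host", "uri")

# Constructed dns.log: one ordinary lookup through the configured resolver,
# then .bazar lookups sent straight to external resolvers on port 53.
DNS_LOG = """\
1703757840.101\t10.0.0.15\t10.0.0.2\t53\tudp\tapi.opennicproject.org
1703757841.220\t10.0.0.15\t172.98.193.62\t53\tudp\twhitestorm9p.bazar
1703757841.903\t10.0.0.15\t194.36.144.87\t53\tudp\tgreencloud46a.bazar
1703757842.004\t10.0.0.15\t10.0.0.2\t53\tudp\twww.microsoft.com
1703757843.115\t10.0.0.15\t91.217.137.37\t53\ttcp\tgreencloud46a.bazar
"""

# Constructed http.log (host header and URI only; server IPs are TEST-NET-3).
HTTP_LOG = """\
1703757840.500\t10.0.0.15\t203.0.113.10\tapi.opennicproject.org\t/geoip/?bare&ipv=4
1703757845.000\t10.0.0.15\t203.0.113.20\twww.msftconnecttest.com\t/connecttest.txt
"""

# Assumed: the resolver(s) this host is configured to use.
CONFIGURED_RESOLVERS = frozenset({ipaddress.ip_address("10.0.0.2")})

# Assumed allowlist of well-known external-IP lookup services, including the
# api.opennicproject.org endpoint seen in the report.
IP_LOOKUP_HOSTS = frozenset({
    "api.opennicproject.org", "api.ipify.org", "icanhazip.com", "checkip.amazonaws.com",
})


@dataclass(frozen=True)
class Alert:
    rule: str
    ts: float
    ioc: str


def parse_tsv(text: str, fields: tuple[str, ...]) -> list[dict[str, str]]:
    """Parse tab-separated lines into dicts; reject lines with the wrong arity."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            raise ValueError(f"malformed line: {line!r}")
        rows.append(dict(zip(fields, parts)))
    return rows


def is_bazar_domain(name: str) -> bool:
    """True when the rightmost label is 'bazar' (trailing dot and case ignored)."""
    labels = name.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "bazar"


def detect(dns_log: str = DNS_LOG, http_log: str = HTTP_LOG,
           resolvers: frozenset = CONFIGURED_RESOLVERS) -> list[Alert]:
    """Run the three signatures and return one Alert per hit, in log order."""
    alerts: list[Alert] = []
    for r in parse_tsv(dns_log, DNS_FIELDS):
        ts = float(r["ts"])
        if is_bazar_domain(r["query"]):
            alerts.append(Alert("bazar_tld_lookup", ts, r["query"].lower()))
        # Port-53 traffic to anything but the configured resolvers, whatever was
        # queried: this is what the report's "Unexpected DNS" signature keys on.
        if r["dport"] == "53" and ipaddress.ip_address(r["dst"]) not in resolvers:
            alerts.append(Alert("unexpected_dns_destination", ts, r["dst"]))
    for r in parse_tsv(http_log, HTTP_FIELDS):
        if r["host"].lower() in IP_LOOKUP_HOSTS:
            alerts.append(Alert("external_ip_lookup", float(r["ts"]), r["host"] + r["uri"]))
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, list[str]]:
    """Group alerts by rule, keeping each IoC once in first-seen order."""
    seen: dict[str, list[str]] = {}
    for a in alerts:
        bucket = seen.setdefault(a.rule, [])
        if a.ioc not in bucket:
            bucket.append(a.ioc)
    return seen


if __name__ == "__main__":
    for rule, iocs in summarize(detect()).items():
        print(f"{rule}: {', '.join(iocs)}")
```

Two points worth keeping in mind when tuning this. The .bazar TLD is not in the ICANN root, so a host can only resolve it through an alternative-root resolver it carries in its own configuration; that is why the first two signatures fire together in the report and why the pairing is a far stronger signal than either alone. The "unexpected DNS destination" rule by itself also catches benign cases (VPN or secondary resolvers, captive-portal probes), so the allowlist has to match what the host is actually configured with, and the external-IP lookup hits a legitimate service and is only corroborating evidence.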