Analysis
max time kernel: 156s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-12-2023 21:45
Static task: static1
Behavioral task: behavioral1
  Sample: 1d78af63cf39db93255eba78c469a598.dll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 1d78af63cf39db93255eba78c469a598.dll
  Resource: win10v2004-20231215-en
General
Target: 1d78af63cf39db93255eba78c469a598.dll
Size: 409KB
MD5: 1d78af63cf39db93255eba78c469a598
SHA1: 6a41ff9c6f64875b29bc94dc110a7ec844dbbe45
SHA256: 80ebf667875c94175c392e21ed3e52fc1ebf7f2460fd8a82d5cde4c732612762
SHA512: 8f636135d412712196886c3a6193343ceb18f618e0e8d5248bdd3f06db5a6d2b2d2dbd474be246ab906f4a97b09f4680b10ec78ba38470f2db8cbb32ed251ed3
SSDEEP: 6144:xZtl3Zvn1IqjyfeKZ1mTvMs4Kvx0rEp0YUUoIZD73hrbhYHtQZmskXE4wPS:1lg+yfeZ7vm4paUoED5buthskXhwPS
Malware Config
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
Bazar/Team9 Loader payload 2 IoCs
Processes:
resource: behavioral2/memory/4544-0-0x0000020F73330000-0x0000020F7336C000-memory.dmp  yara_rule: BazarLoaderVar5
resource: behavioral2/memory/4544-1-0x0000020F73330000-0x0000020F7336C000-memory.dmp  yara_rule: BazarLoaderVar5
Blocklisted process makes network request 21 IoCs
Tries to connect to .bazar domain 11 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Unexpected DNS network traffic destination 11 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
description: HTTP URL  flow: 169  ioc: https://api.opennicproject.org/geoip/?bare&ipv=4