Analysis
-
max time kernel
156s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
30-12-2023 21:45
General
-
Target
1d78af63cf39db93255eba78c469a598.dll
-
Size
409KB
-
MD5
1d78af63cf39db93255eba78c469a598
-
SHA1
6a41ff9c6f64875b29bc94dc110a7ec844dbbe45
-
SHA256
80ebf667875c94175c392e21ed3e52fc1ebf7f2460fd8a82d5cde4c732612762
-
SHA512
8f636135d412712196886c3a6193343ceb18f618e0e8d5248bdd3f06db5a6d2b2d2dbd474be246ab906f4a97b09f4680b10ec78ba38470f2db8cbb32ed251ed3
-
SSDEEP
6144:xZtl3Zvn1IqjyfeKZ1mTvMs4Kvx0rEp0YUUoIZD73hrbhYHtQZmskXE4wPS:1lg+yfeZ7vm4paUoED5buthskXhwPS
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 2 IoCs
-
Blocklisted process makes network request 21 IoCs
-
Tries to connect to .bazar domain 11 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Unexpected DNS network traffic destination 11 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\1d78af63cf39db93255eba78c469a598.dll,#11⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4544-0-0x0000020F73330000-0x0000020F7336C000-memory.dmpFilesize
240KB
-
memory/4544-1-0x0000020F73330000-0x0000020F7336C000-memory.dmpFilesize
240KB