Analysis
max time kernel: 128s
max time network: 141s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 31-12-2023 00:00
Static task: static1
Behavioral task: behavioral1
  Sample: 20e3b7d04d121321733b6eb698a09138.dll
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: 20e3b7d04d121321733b6eb698a09138.dll
  Resource: win10v2004-20231215-en
General
Target: 20e3b7d04d121321733b6eb698a09138.dll
Size: 164KB
MD5: 20e3b7d04d121321733b6eb698a09138
SHA1: 5e1f1b0fb181c523db6d58ccc8eb91f43231457a
SHA256: 33578b9c002760c65df50edee28db75dab43e5e55019852cd63d77e5c870c06f
SHA512: 52282718088e24a82aad2f084a64629004737f8f0569ddcb1128b629f6fba13686b48d48fa886ff0c6fe10d3c9a1b70835f7d0ba939297ff1b432e41fe27518f
SSDEEP: 3072:iEBgM/gPzVNBoQxJbhzHZJ6uwNHNhqlHSSseyVIj42zCgwUzHLg:ij3PBoQRzHZr4hqVS6yVIU2X
Malware Config
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (2 IoCs)
Processes:
resource                                                                    yara_rule
behavioral1/memory/3000-0-0x0000000001B10000-0x0000000001B24000-memory.dmp  BazarLoaderVar6
behavioral1/memory/2792-7-0x0000000000250000-0x0000000000264000-memory.dmp  BazarLoaderVar6
Blocklisted process makes network request (4 IoCs)
Processes: rundll32.exe
flow  pid   process
4     3000  rundll32.exe
6     3000  rundll32.exe
7     3000  rundll32.exe
8     3000  rundll32.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\20e3b7d04d121321733b6eb698a09138.dll,#1
  Signature: Blocklisted process makes network request
  PID: 3000
  C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\20e3b7d04d121321733b6eb698a09138.dll,#1 2653628168
    PID: 2792