Analysis
max time kernel: 143s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2023 00:00
Static task: static1
Behavioral task: behavioral1
Sample: 20e3b7d04d121321733b6eb698a09138.dll
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: 20e3b7d04d121321733b6eb698a09138.dll
Resource: win10v2004-20231215-en
General
Target: 20e3b7d04d121321733b6eb698a09138.dll
Size: 164KB
MD5: 20e3b7d04d121321733b6eb698a09138
SHA1: 5e1f1b0fb181c523db6d58ccc8eb91f43231457a
SHA256: 33578b9c002760c65df50edee28db75dab43e5e55019852cd63d77e5c870c06f
SHA512: 52282718088e24a82aad2f084a64629004737f8f0569ddcb1128b629f6fba13686b48d48fa886ff0c6fe10d3c9a1b70835f7d0ba939297ff1b432e41fe27518f
SSDEEP: 3072:iEBgM/gPzVNBoQxJbhzHZJ6uwNHNhqlHSSseyVIj42zCgwUzHLg:ij3PBoQRzHZr4hqVS6yVIU2X
Malware Config
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Bazar/Team9 Loader payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/4980-0-0x00000153083D0000-0x00000153083E4000-memory.dmp | BazarLoaderVar6
  behavioral2/memory/1780-7-0x0000028FF5690000-0x0000028FF56A4000-memory.dmp | BazarLoaderVar6
- Blocklisted process makes network request (2 IoCs)
  Processes:
  flow | pid | process
  40 | 4980 | rundll32.exe
  123 | 4980 | rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\20e3b7d04d121321733b6eb698a09138.dll,#1
  Blocklisted process makes network request
  PID: 4980
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\20e3b7d04d121321733b6eb698a09138.dll,#1 4846138121
  PID: 1780