Analysis
max time kernel: 145s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-01-2024 13:31
Static task: static1

Behavioral task: behavioral1
Sample: 40fddbbfbb45012b7bf00985547d70fe.dll
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 40fddbbfbb45012b7bf00985547d70fe.dll
Resource: win10v2004-20231215-en
General
Target: 40fddbbfbb45012b7bf00985547d70fe.dll
Size: 1.2MB
MD5: 40fddbbfbb45012b7bf00985547d70fe
SHA1: 23e0b6b8db4f2d4479df7dd51867474567d480bf
SHA256: bb42fe3d20e3fae9bf0e1be683134b526386cf36e99a6aaed14a08bbfc627294
SHA512: ceda59bcc7c7ae695050419278f6710645d452845bd70f60c3a1f9867e58baf6614852dd22b05f8c49e88a70bf8afe0ef0dae429c31f91431425ded7ba7b072f
SSDEEP: 24576:0Wpc+G43nwqthqmmldpXoQ5IyXdLrgvHmrR:8+n3Hthqm9qgkR
Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (3 IoCs)
Processes:
resource                                                                    yara_rule
behavioral2/memory/3344-0-0x0000012949410000-0x000001294944B000-memory.dmp   BazarLoaderVar5
behavioral2/memory/3344-1-0x00007FF9B8860000-0x00007FF9B89E2000-memory.dmp   BazarLoaderVar5
behavioral2/memory/3344-3-0x0000012949410000-0x000001294944B000-memory.dmp   BazarLoaderVar5
Blocklisted process makes network request (14 IoCs)
Processes: rundll32.exe
flow   pid    process
40     3344   rundll32.exe
50     3344   rundll32.exe
79     3344   rundll32.exe
91     3344   rundll32.exe
98     3344   rundll32.exe
100    3344   rundll32.exe
103    3344   rundll32.exe
105    3344   rundll32.exe
106    3344   rundll32.exe
123    3344   rundll32.exe
124    3344   rundll32.exe
147    3344   rundll32.exe
148    3344   rundll32.exe
149    3344   rundll32.exe
Tries to connect to .bazar domain (5 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Processes:
flow   ioc
147    yellowdownpour81.bazar
148    yellowdownpour81.bazar
103    greencloud46a.bazar
105    greencloud46a.bazar
123    whitestorm9p.bazar
Unexpected DNS network traffic destination (5 IoCs)
Traffic on the DNS port to servers other than the configured DNS servers was detected.
Processes:
description      ioc
Destination IP   195.10.195.195
Destination IP   194.36.144.87
Destination IP   195.10.195.195
Destination IP   195.10.195.195
Destination IP   194.36.144.87
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
description   flow   ioc
HTTP URL      100    https://api.opennicproject.org/geoip/?bare&ipv=4