Analysis
Max time kernel: 153s
Max time network: 171s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06-01-2024 13:49
Static task: static1
Behavioral task: behavioral1
    Sample: 4663bba7172a24a9a46a1e2b8d1ed0df.dll
    Resource: win7-20231129-en
Behavioral task: behavioral2
    Sample: 4663bba7172a24a9a46a1e2b8d1ed0df.dll
    Resource: win10v2004-20231215-en
General
Target: 4663bba7172a24a9a46a1e2b8d1ed0df.dll
Size: 403KB
MD5: 4663bba7172a24a9a46a1e2b8d1ed0df
SHA1: a8d683cca49ac28a89a30418b94818be0184a887
SHA256: a314401b8e12130bea249a3734022a8ebd46b8e65b18535db60944a00e84e6f6
SHA512: 48fb556ecda308ab9fe42f18283acb39a2dd2f57a07635867e6a09a9c733414902baf75901f33c8a2d0b6ec8a3b865237612ef92f9a59de795fff54fbc33f2b4
SSDEEP: 12288:ZinPGC8lXe1gwijX52yN7stYqaHVbBBRY:gnPAlOWwIX5ZNpFY
Malware Config
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

Bazar/Team9 Loader payload (2 IoCs)
Memory regions matching the YARA rule, both in rundll32.exe (pid 3204) of behavioral2:
    resource                                                                  yara_rule
    behavioral2/memory/3204-0-0x0000022D8A330000-0x0000022D8A36C000-memory.dmp  BazarLoaderVar5
    behavioral2/memory/3204-1-0x0000022D8A330000-0x0000022D8A36C000-memory.dmp  BazarLoaderVar5
Blocklisted process makes network request (27 IoCs)
Process: rundll32.exe (pid 3204), all 27 flows
    flows: 38, 52, 58, 75, 77, 80, 82, 83, 88, 89, 92, 93, 94, 97, 98, 107, 108, 109, 125, 126, 127, 128, 129, 130, 131, 132, 133
Tries to connect to .bazar domain (17 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
    ioc                        flows
    greencloud46a.bazar        83, 88, 89, 92, 93, 94, 97
    whitestorm9p.bazar         107, 108
    yellowdownpour81.bazar     125, 126, 127, 128, 129, 130, 131, 132
Unexpected DNS network traffic destination (17 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
    Destination IP      occurrences
    94.16.114.254       3
    194.36.144.87       3
    195.10.195.195      3
    198.50.135.212      2
    91.217.137.37       2
    172.98.193.62       2
    217.160.188.24      2
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
    HTTP URL (flow 77): https://api.opennicproject.org/geoip/?bare&ipv=4
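The three network signatures above are worth reading together: .bazar is not a top-level domain in the ICANN root, so a host can only resolve it by sending queries to alternative-root (OpenNIC/EmerDNS) resolvers, which is exactly what the "unexpected DNS destination" signature records, and the GeoIP lookup goes to the same OpenNIC project. The block below is an added example, not part of the sandbox report, that replays those three checks over constructed log lines. The "kind key=value" log format, the configured resolver address 10.0.0.2, the list of additional alternative-root TLDs beyond .bazar, and the extra IP-lookup hosts beyond api.opennicproject.org are all assumptions; the domains, IPs and process identity reused from the report are real indicators, but their pairing per line is illustrative.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: the resolvers the analysed host is configured to use.
CONFIGURED_RESOLVERS = {"10.0.0.2"}
# TLDs the ICANN root does not serve. ".bazar" is the one the report flags;
# the others are further EmerDNS zones, added here as an assumption.
ALT_ROOT_TLDS = {"bazar", "bit", "emc", "coin", "lib"}
# Services that echo the caller's external IP. The first is from the report.
IP_LOOKUP_HOSTS = {"api.opennicproject.org", "api.ipify.org", "ifconfig.me"}

# Constructed sample log (assumed format: "<kind> key=value ...").
SAMPLE_LOG = """\
dns  flow=83  pid=3204 proc=rundll32.exe dst=94.16.114.254  dport=53 qname=greencloud46a.bazar
dns  flow=88  pid=3204 proc=rundll32.exe dst=194.36.144.87  dport=53 qname=greencloud46a.bazar
dns  flow=107 pid=3204 proc=rundll32.exe dst=195.10.195.195 dport=53 qname=whitestorm9p.bazar
dns  flow=125 pid=3204 proc=rundll32.exe dst=10.0.0.2       dport=53 qname=yellowdownpour81.bazar
dns  flow=40  pid=1234 proc=chrome.exe   dst=10.0.0.2       dport=53 qname=www.example.com
http flow=77  pid=3204 proc=rundll32.exe url=https://api.opennicproject.org/geoip/?bare&ipv=4
http flow=41  pid=1234 proc=chrome.exe   url=https://www.example.com/
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one 'kind key=value ...' line into a dict; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    kind, _, rest = line.partition(" ")
    rec = {"kind": kind}
    rec.update(_KV.findall(rest))
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def tld(name):
    return name.rstrip(".").rsplit(".", 1)[-1].lower()


def alt_root_queries(records):
    """'Tries to connect to .bazar domain': DNS queries for names under a TLD
    the normal root cannot answer. Returns [(flow, qname), ...]."""
    return [(r["flow"], r["qname"]) for r in records
            if r["kind"] == "dns" and tld(r["qname"]) in ALT_ROOT_TLDS]


def unexpected_dns_destinations(records, resolvers=CONFIGURED_RESOLVERS):
    """'Unexpected DNS network traffic destination': port-53 traffic to any
    server other than the configured resolvers. Returns Counter of dst IPs,
    matching the report's per-IP occurrence counts."""
    return Counter(r["dst"] for r in records
                   if r.get("dport") == "53" and r["dst"] not in resolvers)


def ip_lookup_requests(records, hosts=IP_LOOKUP_HOSTS):
    """'Looks up external IP address via web service'. Returns [(flow, url)]."""
    return [(r["flow"], r["url"]) for r in records
            if r["kind"] == "http" and urlsplit(r["url"]).hostname in hosts]


def flagged_processes(records):
    """Roll every hit up to the (pid, process) pairs behind the flagged flows,
    the way the report attributes everything to rundll32.exe pid 3204."""
    flagged = {f for f, _ in alt_root_queries(records)}
    flagged |= {f for f, _ in ip_lookup_requests(records)}
    flagged |= {r["flow"] for r in records
                if r.get("dport") == "53" and r["dst"] not in CONFIGURED_RESOLVERS}
    return sorted({(r["pid"], r["proc"]) for r in records if r["flow"] in flagged})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("alt-root DNS queries:", alt_root_queries(recs))
    print("unexpected DNS destinations:", dict(unexpected_dns_destinations(recs)))
    print("external-IP lookups:", ip_lookup_requests(recs))
    print("processes to triage:", flagged_processes(recs))
```

Note that the query for yellowdownpour81.bazar in the sample goes to the configured resolver and is still flagged: the TLD check does not depend on where the query went, so an environment that forwards everything through an internal resolver still catches the lookup, while the destination check alone would miss it. Run both.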