Resubmissions
Date               ID                  Score
01/11/2024, 12:33  241101-pradyaypdv   10
27/10/2024, 23:08  241027-24hmasskhj   10
20/10/2024, 16:28  241020-tyzdvsxgqb   3
20/10/2024, 16:26  241020-tx2gtszekk   3
02/10/2024, 11:53  241002-n2j6fsycqb   3
13/09/2024, 04:59  240913-fmwxpswcpb   3
11/09/2024, 15:54  240911-tcmg6sygmm   3
11/09/2024, 15:53  240911-tbsmsszbnh   10
25/08/2024, 22:53  240825-2t6als1gll   10
Analysis
max time kernel: 1800s
max time network: 1801s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 02/03/2024, 12:09
Static task: static1
Behavioral task: behavioral1
  Sample: dl2.exe
  Resource: win11-20240221-en
General
Target: dl2.exe
Size: 849KB
MD5: c2055b7fbaa041d9f68b9d5df9b45edd
SHA1: e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256: 342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512: 18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP: 12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2
Malware Config
Signatures
BazarBackdoor (64 IoCs)
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
ioc: zirabuo.bazar (all 64 flows)
flow: 38, 63, 96, 37, 74, 95, 100, 62, 73, 92, 99, 42, 68, 80, 89, 66, 52, 56, 61, 65, 72, 82, 83, 47, 94, 58, 60, 75, 77, 84, 57, 55, 71, 91, 44, 54, 59, 39, 51, 70, 81, 86, 50, 36, 85, 90, 30, 31, 32, 43, 69, 102, 29, 46, 64, 67, 78, 97, 45, 41, 53, 33, 101, 87
Tries to connect to .bazar domain (64 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
ioc: zirabuo.bazar (all 64 flows)
flow: 47, 76, 90, 101, 32, 39, 53, 81, 36, 60, 65, 88, 92, 55, 59, 67, 75, 87, 99, 50, 57, 74, 78, 96, 98, 37, 61, 66, 91, 29, 30, 46, 52, 69, 71, 72, 97, 43, 45, 51, 100, 102, 70, 77, 79, 82, 83, 31, 40, 63, 89, 93, 94, 33, 56, 58, 41, 68, 86, 95, 38, 62, 80, 64
Unexpected DNS network traffic destination (64 IoCs)
Traffic on the DNS port to servers other than the configured DNS servers was detected.
description: Destination IP
ioc (64 entries, in report order; several destinations repeat):
  45.32.160.206, 158.69.160.164, 163.172.185.51, 130.255.78.223, 51.255.48.78, 212.24.98.54, 45.32.160.206, 185.208.208.141,
  46.101.70.183, 46.28.207.199, 128.52.130.209, 172.98.193.42, 185.117.154.144, 51.254.25.115, 128.52.130.209, 163.53.248.170,
  51.255.48.78, 51.254.25.115, 176.126.70.119, 91.217.137.37, 87.98.175.85, 45.32.160.206, 192.52.166.110, 169.239.202.202,
  158.69.160.164, 193.183.98.66, 185.121.177.177, 35.196.105.24, 185.164.136.225, 89.18.27.167, 51.254.25.115, 158.69.160.164,
  172.104.136.243, 158.69.239.167, 185.117.154.144, 130.255.78.223, 167.99.153.82, 81.2.241.148, 87.98.175.85, 139.99.96.146,
  89.35.39.64, 185.121.177.177, 169.239.202.202, 142.4.205.47, 185.164.136.225, 185.117.154.144, 169.239.202.202, 138.197.25.214,
  185.117.154.144, 89.18.27.167, 45.63.124.65, 158.69.239.167, 45.71.112.70, 139.59.23.241, 130.255.78.223, 63.231.92.27,
  5.132.191.104, 89.35.39.64, 46.101.70.183, 96.47.228.108, 51.255.211.146, 87.98.175.85, 178.17.170.179, 162.248.241.94
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
4936  dl2.exe
1668  dl2.exe
Processes
C:\Users\Admin\AppData\Local\Temp\dl2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\dl2.exe"
  PID: 4936
  Signatures (1): Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Local\Temp\dl2.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\dl2.exe {1746A229-F7FA-41C8-A929-B77C18C44EF0}
  PID: 1668
  Signatures (1): Suspicious use of SetWindowsHookEx