Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
12-03-2024 23:11
General
-
Target
c457e8760ba768b3a9746831c366ac1a.dll
-
Size
1.2MB
-
MD5
c457e8760ba768b3a9746831c366ac1a
-
SHA1
94fec4b344f00e5f890c6c850743c80f98659a72
-
SHA256
85a19656e73c4a3343b476bc823437a58df84e25a631fb543eb7bf876a9aef31
-
SHA512
830bdd275b1d929e892ff4e474cde20550b88f82ac59354f40ecb007eebc04492a512044783559020016002bb81665d5162c638934af95d8ad9aa4566d885dbd
-
SSDEEP
24576:0Wpc+G43nwqthqmmldpXoQ5IyXdLrgvHmrM:8+n3Hthqm9qgkM
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 3 IoCs
-
Blocklisted process makes network request 18 IoCs
-
Tries to connect to .bazar domain 10 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Unexpected DNS network traffic destination 10 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c457e8760ba768b3a9746831c366ac1a.dll,#11⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1960-0-0x000001B120A40000-0x000001B120A7B000-memory.dmpFilesize
236KB
-
memory/1960-1-0x00007FF9E1D60000-0x00007FF9E1EE2000-memory.dmpFilesize
1.5MB
-
memory/1960-3-0x000001B120A40000-0x000001B120A7B000-memory.dmpFilesize
236KB