Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2024 12:19
Static task: static1
Behavioral task: behavioral1
  Sample: rt3ret3(3).exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: rt3ret3(3).exe
  Resource: win10v2004-20240226-en
General
Target: rt3ret3(3).exe
Size: 236KB
MD5: efa4b2e7d7016a1f80efff5840de3a18
SHA1: 04606786daa6313867c7ada1f0c9c925d9b602fb
SHA256: 291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b
SHA512: 11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced
SSDEEP: 6144:NgsO6Xkm0RsQNCR/JG+z5nLGcKYp05dMgSsXMH7/wrtKHRAwrcKxN:7GRsQ6RLhLGO05dMgrXwTKtKxA5w
Malware Config
Extracted: bazarloader
  vacationinsydney2021.bazar
  bestsightsofwildaustralia.bazar
  sydneynewtours.bazar
Signatures
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
- Bazar/Team9 Loader payload (1 IoCs)
  Processes:
  resource                                                                   yara_rule
  behavioral2/memory/2956-2-0x0000000180000000-0x0000000180032000-memory.dmp  BazarLoaderVar1
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  2956  rt3ret3(3).exe
  2956  rt3ret3(3).exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
  description                        pid   process         target process
  PID 2956 wrote to memory of 5112   2956  rt3ret3(3).exe  cmd.exe
  PID 2956 wrote to memory of 5112   2956  rt3ret3(3).exe  cmd.exe
  PID 5112 wrote to memory of 2736   5112  cmd.exe         PING.EXE
  PID 5112 wrote to memory of 2736   5112  cmd.exe         PING.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\rt3ret3(3).exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\rt3ret3(3).exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\rt3ret3(3).exe PYKVW
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\PING.EXE
         Command line: ping 8.8.8.8 -n 2
         - Runs ping.exe