Extracted

• • Target

    dl2.exe

  • Size

    849KB

  • MD5

    c2055b7fbaa041d9f68b9d5df9b45edd

  • SHA1

    e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06

  • SHA256

    342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3

  • SHA512

    18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc

  • SSDEEP

    12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

  Score

  10^/10

  bazarbackdoorxwormbackdoordiscoverymotwpersistencephishingrattrojan

  • BazarBackdoor

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    backdoorbazarbackdoor

  • Detect Xworm Payload

  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm

  • Contacts a large (534) amount of remote hosts

    This may indicate a network scan to discover remotely running services.

    discovery

  • Downloads MZ/PE file

  • Tries to connect to .bazar domain

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Unexpected DNS network traffic destination

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Adds Run key to start application

    persistence

  • Checks for any installed AV software in registry

  • Checks installed software on the system

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery

  • Creates a large amount of network flows

    This may indicate a network scan to discover remotely running services.

    discovery

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Mark of the Web detected: This indicates that the page was originally saved or cloned.

    phishingmotw

  • Checks system information in the registry

    System information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory

  behavioral1behavioral2