bazarbackdoor

Target

230823-139hyshd3w_pw_infected.zip
Size

472KB
Sample

240813-xtkxfs1drh
MD5

e3af7d1463d266e02cd03ea7a3add2e4
SHA1

6456c0de00c86db5e7d061fbf7e19792d3dbbc4a
SHA256

8ef176944e54df85db028979ceb66b2b6e807b1615f4254c273d4b433caec0dd
SHA512

855e4ba5316a800113f6f410d37ba7e981c0f72bb23664c26e464777f2a0a96d8f651e77189af89e70be9d032a3a1b7b40b005bd60b9f6dc792c7588b3a8d9bb
SSDEEP

12288:ABgmK1z0D2TuzS4cu2LH6WhBO8RiKrDmlPPoSdERZIhp4TWo3:2BKqSt4AH6Whc2fqPoSdEDRWo3

Score

10^/10

Malware Config

Extracted

Family

danabot

51.178.195.151

51.222.39.81

149.255.35.125

38.68.50.179

51.77.7.204

rsa_pubkey.plain

Targets

- Target
  
  dl2.exe
- Size
  
  849KB
- MD5
  
  c2055b7fbaa041d9f68b9d5df9b45edd
- SHA1
  
  e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
- SHA256
  
  342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
- SHA512
  
  18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
- SSDEEP
  
  12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2
Score

10^/10

bazarbackdoor danabot darkcomet agilenet backdoor banker botnet discovery evasion persistence rat trojan
- BazarBackdoor
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  backdoor bazarbackdoor
- Danabot
  Danabot is a modular banking Trojan that has been linked with other malware.
  trojan banker danabot
- Danabot x86 payload
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  botnet
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Blocklisted process makes network request
- Downloads MZ/PE file
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Tries to connect to .bazar domain
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
  agilenet
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
behavioral1 behavioral2