bazarbackdoor

Target

230823-139hyshd3w_pw_infected.zip
Size

472KB
Sample

240817-29be6ssfra
MD5

e3af7d1463d266e02cd03ea7a3add2e4
SHA1

6456c0de00c86db5e7d061fbf7e19792d3dbbc4a
SHA256

8ef176944e54df85db028979ceb66b2b6e807b1615f4254c273d4b433caec0dd
SHA512

855e4ba5316a800113f6f410d37ba7e981c0f72bb23664c26e464777f2a0a96d8f651e77189af89e70be9d032a3a1b7b40b005bd60b9f6dc792c7588b3a8d9bb
SSDEEP

12288:ABgmK1z0D2TuzS4cu2LH6WhBO8RiKrDmlPPoSdERZIhp4TWo3:2BKqSt4AH6Whc2fqPoSdEDRWo3

Score

10^/10

Malware Config

Targets

- Target
  
  dl2.exe
- Size
  
  849KB
- MD5
  
  c2055b7fbaa041d9f68b9d5df9b45edd
- SHA1
  
  e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
- SHA256
  
  342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
- SHA512
  
  18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
- SSDEEP
  
  12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2
Score

10^/10

bazarbackdoor backdoor bootkit defense_evasion discovery exploit motw persistence phishing privilege_escalation spyware stealer
- BazarBackdoor
  Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
  backdoor bazarbackdoor
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Possible privilege escalation attempt
  exploit
- Tries to connect to .bazar domain
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Modifies file permissions
  discovery
- Modifies system executable filetype association
  persistence
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- System Binary Proxy Execution: wuauclt
  Abuse Wuauclt to proxy execution of malicious code.
  defense_evasion
- Unexpected DNS network traffic destination
  Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Adds Run key to start application
  persistence
- Checks for any installed AV software in registry
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Creates a large amount of network flows
  This may indicate a network scan to discover remotely running services.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Mark of the Web detected: This indicates that the page was originally saved or cloned.
  phishing motw
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
behavioral1 behavioral2