bazarbackdoor | 8ef176944e54df85db028979ceb66b2b6e807b1615f4254c273d4b433caec0dd

max time kernel
1800s
max time network
1803s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2024 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dl2.exe
Size

849KB
MD5

c2055b7fbaa041d9f68b9d5df9b45edd
SHA1

e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256

342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512

18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP

12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

Score

10^/10

bazarbackdoor backdoor discovery

Malware Config

Signatures

BazarBackdoor 64 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

flow	ioc
199	zirabuo.bazar
123	zirabuo.bazar
133	zirabuo.bazar
170	zirabuo.bazar
174	zirabuo.bazar
200	zirabuo.bazar
99	zirabuo.bazar
105	zirabuo.bazar
118	zirabuo.bazar
180	zirabuo.bazar
197	zirabuo.bazar
126	zirabuo.bazar
147	zirabuo.bazar
169	zirabuo.bazar
146	zirabuo.bazar
152	zirabuo.bazar
187	zirabuo.bazar
206	zirabuo.bazar
218	zirabuo.bazar
95	zirabuo.bazar
110	zirabuo.bazar
124	zirabuo.bazar
94	zirabuo.bazar
117	zirabuo.bazar
210	zirabuo.bazar
193	zirabuo.bazar
112	zirabuo.bazar
127	zirabuo.bazar
156	zirabuo.bazar
163	zirabuo.bazar
179	zirabuo.bazar
205	zirabuo.bazar
136	zirabuo.bazar
151	zirabuo.bazar
157	zirabuo.bazar
134	zirabuo.bazar
164	zirabuo.bazar
191	zirabuo.bazar
213	zirabuo.bazar
221	zirabuo.bazar
100	zirabuo.bazar
106	zirabuo.bazar
119	zirabuo.bazar
177	zirabuo.bazar
192	zirabuo.bazar
102	zirabuo.bazar
128	zirabuo.bazar
161	zirabuo.bazar
155	zirabuo.bazar
162	zirabuo.bazar
188	zirabuo.bazar
225	zirabuo.bazar
92	zirabuo.bazar
132	zirabuo.bazar
143	zirabuo.bazar
222	zirabuo.bazar
103	zirabuo.bazar
135	zirabuo.bazar
175	zirabuo.bazar
209	zirabuo.bazar
217	zirabuo.bazar
148	zirabuo.bazar
168	zirabuo.bazar
198	zirabuo.bazar

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

flow	ioc
118	zirabuo.bazar
143	zirabuo.bazar
147	zirabuo.bazar
161	zirabuo.bazar
197	zirabuo.bazar
100	zirabuo.bazar
163	zirabuo.bazar
169	zirabuo.bazar
205	zirabuo.bazar
95	zirabuo.bazar
102	zirabuo.bazar
103	zirabuo.bazar
117	zirabuo.bazar
126	zirabuo.bazar
193	zirabuo.bazar
200	zirabuo.bazar
214	zirabuo.bazar
99	zirabuo.bazar
164	zirabuo.bazar
135	zirabuo.bazar
188	zirabuo.bazar
170	zirabuo.bazar
225	zirabuo.bazar
93	zirabuo.bazar
142	zirabuo.bazar
146	zirabuo.bazar
180	zirabuo.bazar
132	zirabuo.bazar
179	zirabuo.bazar
206	zirabuo.bazar
209	zirabuo.bazar
222	zirabuo.bazar
110	zirabuo.bazar
128	zirabuo.bazar
148	zirabuo.bazar
151	zirabuo.bazar
119	zirabuo.bazar
134	zirabuo.bazar
217	zirabuo.bazar
218	zirabuo.bazar
105	zirabuo.bazar
123	zirabuo.bazar
124	zirabuo.bazar
191	zirabuo.bazar
210	zirabuo.bazar
213	zirabuo.bazar
106	zirabuo.bazar
112	zirabuo.bazar
174	zirabuo.bazar
178	zirabuo.bazar
186	zirabuo.bazar
187	zirabuo.bazar
168	zirabuo.bazar
175	zirabuo.bazar
177	zirabuo.bazar
94	zirabuo.bazar
127	zirabuo.bazar
133	zirabuo.bazar
136	zirabuo.bazar
162	zirabuo.bazar
92	zirabuo.bazar
152	zirabuo.bazar
155	zirabuo.bazar
156	zirabuo.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	185.117.154.144
Destination IP	46.101.70.183
Destination IP	66.70.211.246
Destination IP	77.73.68.161
Destination IP	142.4.205.47
Destination IP	5.132.191.104
Destination IP	142.4.205.47
Destination IP	128.52.130.209
Destination IP	142.4.205.47
Destination IP	217.12.210.54
Destination IP	46.101.70.183
Destination IP	138.197.25.214
Destination IP	176.126.70.119
Destination IP	82.196.9.45
Destination IP	63.231.92.27
Destination IP	193.183.98.66
Destination IP	91.217.137.37
Destination IP	104.238.186.189
Destination IP	69.164.196.21
Destination IP	91.217.137.37
Destination IP	139.59.23.241
Destination IP	45.32.160.206
Destination IP	87.98.175.85
Destination IP	217.12.210.54
Destination IP	158.69.239.167
Destination IP	82.196.9.45
Destination IP	69.164.196.21
Destination IP	91.217.137.37
Destination IP	45.32.160.206
Destination IP	159.89.249.249
Destination IP	163.172.185.51
Destination IP	51.254.25.115
Destination IP	128.52.130.209
Destination IP	163.53.248.170
Destination IP	193.183.98.66
Destination IP	146.185.176.36
Destination IP	82.196.9.45
Destination IP	82.141.39.32
Destination IP	96.47.228.108
Destination IP	167.99.153.82
Destination IP	96.47.228.108
Destination IP	81.2.241.148
Destination IP	185.121.177.177
Destination IP	185.208.208.141
Destination IP	89.35.39.64
Destination IP	146.185.176.36
Destination IP	167.99.153.82
Destination IP	212.24.98.54
Destination IP	69.164.196.21
Destination IP	176.126.70.119
Destination IP	158.69.239.167
Destination IP	63.231.92.27
Destination IP	185.121.177.177
Destination IP	142.4.204.111
Destination IP	193.183.98.66
Destination IP	89.35.39.64
Destination IP	104.37.195.178
Destination IP	178.17.170.179
Destination IP	46.101.70.183
Destination IP	167.99.153.82
Destination IP	146.185.176.36
Destination IP	169.239.202.202
Destination IP	142.4.205.47
Destination IP	81.2.241.148

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1032	dl2.exe
2764	dl2.exe

C:\Users\Admin\AppData\Local\Temp\dl2.exe
"C:\Users\Admin\AppData\Local\Temp\dl2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Users\Admin\AppData\Local\Temp\dl2.exe
C:\Users\Admin\AppData\Local\Temp\dl2.exe {3CB42924-2E0C-4805-89F0-82B0DE217017}
1⤵
- Suspicious use of SetWindowsHookEx
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1032-1-0x0000000002100000-0x0000000002130000-memory.dmp

Filesize
192KB

Download
memory/1032-8-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/1032-18-0x0000000000590000-0x0000000000690000-memory.dmp

Filesize
1024KB

Download
memory/2764-17-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/2764-10-0x00000000020E0000-0x0000000002110000-memory.dmp

Filesize
192KB

Download

Resubmissions

Analysis