bazarbackdoor | 8ef176944e54df85db028979ceb66b2b6e807b1615f4254c273d4b433caec0dd

max time kernel
281s
max time network
284s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-11-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dl2.exe
Size

849KB
MD5

c2055b7fbaa041d9f68b9d5df9b45edd
SHA1

e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
SHA256

342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
SHA512

18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
SSDEEP

12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2

Score

10^/10

bazarbackdoor backdoor

Malware Config

Signatures

BazarBackdoor 22 IoCs

Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

backdoor bazarbackdoor

description	flow	ioc	Process
	84	zirabuo.bazar	Process not Found
	88	zirabuo.bazar	Process not Found
	89	zirabuo.bazar	Process not Found
	90	zirabuo.bazar	Process not Found
	95	zirabuo.bazar	Process not Found
	100	zirabuo.bazar	Process not Found
	69	zirabuo.bazar	Process not Found
	75	zirabuo.bazar	Process not Found
	103	zirabuo.bazar	Process not Found
	107	zirabuo.bazar	Process not Found
	79	zirabuo.bazar	Process not Found
	96	zirabuo.bazar	Process not Found
	99	zirabuo.bazar	Process not Found
Key value queried		\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation	taskmgr.exe
	74	zirabuo.bazar	Process not Found
	83	zirabuo.bazar	Process not Found
	85	zirabuo.bazar	Process not Found
	108	zirabuo.bazar	Process not Found
	71	zirabuo.bazar	Process not Found
	72	zirabuo.bazar	Process not Found
	80	zirabuo.bazar	Process not Found
	104	zirabuo.bazar	Process not Found

Bazarbackdoor family
bazarbackdoor

Tries to connect to .bazar domain 21 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

flow	ioc
80	zirabuo.bazar
84	zirabuo.bazar
90	zirabuo.bazar
95	zirabuo.bazar
103	zirabuo.bazar
74	zirabuo.bazar
75	zirabuo.bazar
79	zirabuo.bazar
89	zirabuo.bazar
83	zirabuo.bazar
85	zirabuo.bazar
88	zirabuo.bazar
99	zirabuo.bazar
104	zirabuo.bazar
108	zirabuo.bazar
69	zirabuo.bazar
72	zirabuo.bazar
96	zirabuo.bazar
71	zirabuo.bazar
100	zirabuo.bazar
107	zirabuo.bazar

Unexpected DNS network traffic destination 21 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	91.217.137.37
Destination IP	51.254.25.115
Destination IP	185.121.177.177
Destination IP	46.28.207.199
Destination IP	51.254.25.115
Destination IP	87.98.175.85
Destination IP	82.141.39.32
Destination IP	192.99.85.244
Destination IP	158.69.239.167
Destination IP	169.239.202.202
Destination IP	104.37.195.178
Destination IP	158.69.160.164
Destination IP	193.183.98.66
Destination IP	142.4.204.111
Destination IP	31.171.251.118
Destination IP	198.251.90.143
Destination IP	5.132.191.104
Destination IP	81.2.241.148
Destination IP	111.67.20.8
Destination IP	163.53.248.170
Destination IP	142.4.205.47

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5280	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	5280	taskmgr.exe
Token: SeSystemProfilePrivilege	5280	taskmgr.exe
Token: SeCreateGlobalPrivilege	5280	taskmgr.exe
Token: SeBackupPrivilege	1428	svchost.exe
Token: SeRestorePrivilege	1428	svchost.exe
Token: SeSecurityPrivilege	1428	svchost.exe
Token: SeTakeOwnershipPrivilege	1428	svchost.exe
Token: 35	1428	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe
5280	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1196	dl2.exe
1628	dl2.exe
4600	dl2.exe

C:\Users\Admin\AppData\Local\Temp\dl2.exe
"C:\Users\Admin\AppData\Local\Temp\dl2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Users\Admin\AppData\Local\Temp\dl2.exe
C:\Users\Admin\AppData\Local\Temp\dl2.exe {7A47848C-37B8-4D4E-8B80-565135B6F845}
1⤵
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- BazarBackdoor
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5280

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Users\Admin\AppData\Local\Temp\dl2.exe
"C:\Users\Admin\AppData\Local\Temp\dl2.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-8-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1196-1-0x0000000002150000-0x0000000002180000-memory.dmp

Filesize
192KB

Download
memory/1196-18-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1628-10-0x0000000000660000-0x0000000000690000-memory.dmp

Filesize
192KB

Download
memory/1628-17-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/4600-34-0x00000000005F0000-0x0000000000620000-memory.dmp

Filesize
192KB

Download
memory/5280-28-0x000001F270CF0000-0x000001F270CF1000-memory.dmp

Filesize
4KB

Download
memory/5280-29-0x000001F270CF0000-0x000001F270CF1000-memory.dmp

Filesize
4KB

Download
memory/5280-30-0x000001F270CF0000-0x000001F270CF1000-memory.dmp

Filesize
4KB

Download
memory/5280-27-0x000001F270CF0000-0x000001F270CF1000-memory.dmp

Filesize
4KB

Download
memory/5280-26-0x000001F270CF0000-0x000001F270CF1000-memory.dmp

Filesize
4KB

Download
memory/5280-25-0x000001F270CF0000-0x000001F270CF1000-memory.dmp

Filesize
4KB

Download
memory/5280-21-0x000001F270CF0000-0x000001F270CF1000-memory.dmp

Filesize
4KB

Download
memory/5280-20-0x000001F270CF0000-0x000001F270CF1000-memory.dmp

Filesize
4KB

Download
memory/5280-19-0x000001F270CF0000-0x000001F270CF1000-memory.dmp

Filesize
4KB

Download
memory/5280-31-0x000001F270CF0000-0x000001F270CF1000-memory.dmp

Filesize
4KB

Download