Analysis
-
max time kernel
141s -
max time network
134s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system -
submitted
20-03-2024 03:03
Static task
static1
Behavioral task
behavioral1
Sample
d7b8b4a606c8b2dfebfb882afa35bca7.dll
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
d7b8b4a606c8b2dfebfb882afa35bca7.dll
Resource
win10v2004-20231215-en
General
-
Target
d7b8b4a606c8b2dfebfb882afa35bca7.dll
-
Size
1.2MB
-
MD5
d7b8b4a606c8b2dfebfb882afa35bca7
-
SHA1
e276135a072675aa65b37a0cfd576e1f3637604e
-
SHA256
bd1182eb3595956ac524dc8d13e1df4bc1d9a0f8e7f2e14d2331bb26750d1df9
-
SHA512
d0f3b5e8a8ab94c808929cfefdf33e5ba5e39f587a96ed5222222b618e2a1ed2b52e20ad3b49d0dc845f24800815572ddbe4df7ba4172c962625835136ed6960
-
SSDEEP
24576:rHvFVj8+YADTpPIeVCMaKoUo5/IyXZHa/L:/Y+YuTpPVPBwW
Malware Config
Signatures
-
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
-
Bazar/Team9 Loader payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/2908-0-0x00000000276A0000-0x00000000276DE000-memory.dmp BazarLoaderVar5 behavioral2/memory/2908-1-0x00007FFEF6C00000-0x00007FFEF6D81000-memory.dmp BazarLoaderVar5 behavioral2/memory/2908-3-0x00000000276A0000-0x00000000276DE000-memory.dmp BazarLoaderVar5 -
Tries to connect to .bazar domain 4 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Processes:
flow ioc 57 greencloud46a.bazar 66 whitestorm9p.bazar 71 yellowdownpour81.bazar 72 yellowdownpour81.bazar -
Unexpected DNS network traffic destination 4 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
Processes:
description ioc Destination IP 194.36.144.87 Destination IP 195.10.195.195 Destination IP 195.10.195.195 Destination IP 195.10.195.195 -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
description flow ioc HTTP URL 50 https://api.opennicproject.org/geoip/?bare&ipv=4