We will analyze BazarLoader.
BazarLoader (BazaLoader) is a backdoor Trojan designed to collect sensitive information, control the infected machine, and deliver additional malware to it. The malware has been identified as part of the Team9 malware family, which was tied to the group responsible for developing Trickbot.
In the recent campaign, it uses a combination of phishing emails and a call center to pressure the victim into downloading a malicious document as the initial infection vector.
We will analyze the Vidar Infostealer, focusing on its infostealing capabilities.
Vidar is an infostealer that is distributed as an attachment to phishing emails, bundled with cracked versions of commercial software, or inside keygen programs.
Vidar is known to steal the following information from infected machines.
Our sample of this malware drops quite a few executables, not all of which we will cover in this analysis. We will go over b7j26HFyAZ.exe (the main executable), metina_3.exe, and metina_4.exe.
As always, we will conduct this analysis in our VMware Windows 10 guest box with the following tools.
In this analysis, we will go over the anti-analysis techniques used in this Dridex sample.
Dridex is a banking Trojan that was originally found around 2014. The malware is known to evolve constantly through the addition of new features and upgrades. Because of these constant updates, it is considered one of the most sophisticated malware families.
One of the infection chains Dridex is currently known for is shown below.
In this analysis, we will go over what I saw in my recent deep dive of njRAT.
njRAT, also known as Bladabindi, is a Remote Access Trojan (RAT) known for its infostealing capabilities. njRAT is an easily accessible malware that is widely used within the malware community.
njRAT's general infection flow is summarized below.
In this analysis, I will show what I saw in my hands-on analysis of the malware. I'm still a novice in malware analysis, but I'm hoping the things I see in this analysis can help fellow analysts who may be starting out just like me.
Qakbot first became known as a banking Trojan, mostly for credential stealing. However, in the recent campaign from 2020, the malware has been used more for post-exploitation deliveries such as Cobalt Strike. This usage is very similar to what we saw with Emotet and other modular malware.
Qakbot’s infection flow is summarized below.