{
	"id": "2eb68c98-a668-4616-9198-2d2fd77aa31a",
	"created_at": "2026-04-06T00:11:56.176937Z",
	"updated_at": "2026-04-10T03:20:00.513577Z",
	"deleted_at": null,
	"sha1_hash": "b20f982760d3f27a2f1d8dc6618c8ba6ee272391",
	"title": "In-depth analysis of the new Team9 malware family",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 181395,
	"plain_text": "In-depth analysis of the new Team9 malware family\r\nBy krijndemik\r\nPublished: 2020-06-02 · Archived: 2026-04-05 18:42:02 UTC\r\nAuthor: Nikolaos Pantazopoulos\r\nCo-author: Stefano Antenucci (@Antelox)\r\nAnd in close collaboration with NCC’s RIFT.\r\n1. Introduction\r\nPublicly discovered in late April 2020, the Team9 malware family (also known as ‘Bazar’ [1]) appears to be a new malware being developed by the group behind Trickbot. Even though the development of the malware appears to be recent, the developers have already built two components with rich functionality. The purpose of this blog post is to describe the functionality of these two components, the loader and the backdoor.\r\nAbout the Research and Intelligence Fusion Team (RIFT):\r\nRIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat intelligence, ranging from IOCs and detection rules to strategic reports on tomorrow’s threat landscape. Cyber security is an arms race where both attackers and defenders continually update and improve their tools and ways of working. To ensure that our managed services remain effective against the latest threats, NCC Group operates a Global Fusion Center with Fox-IT at its core. This multidisciplinary team converts our leading cyber threat intelligence into powerful detection strategies.\r\n2. Early variant of Team9 loader\r\nWe assess that this is an earlier variant of the Team9 loader (35B3FE2331A4A7D83D203E75ECE5189B7D6D06AF4ABAC8906348C0720B6278A4) because of its simplicity and its compilation timestamp. The other variant was compiled more recently and has additional functionality. It should be noted that in very early versions of the loader binaries (2342C736572AB7448EF8DA2540CDBF0BAE72625E41DAB8FFF58866413854CA5C), the developers were using the Windows BITS functionality in order to download the backdoor.
However, we believe that this functionality has been dropped.\r\nBefore proceeding to the technical analysis, it is worth mentioning that the strings are not encrypted. Similarly, the majority of the Windows API functions are not loaded dynamically.\r\nWhen the loader starts its execution, it checks if another instance of itself has already infected the host by attempting to read the value ‘BackUp Mgr’ in the ‘Run’ registry key ‘Software\\Microsoft\\Windows\\CurrentVersion\\Run’ (Figure 1). If it exists, it validates that the current loader’s file path is the same as the one that has already been set in the registry value’s data (BackUp Mgr). Assuming that all of the above checks were successful, the loader proceeds to its core functionality.\r\nhttps://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/\r\nPage 1 of 19\r\nFigure 1 – Loader verifies if it has already infected the host\r\nHowever, if any of the above checks fail, the loader does one of the following:\r\n1. Copies itself to the %APPDATA%\\Microsoft folder, adds this file path to the registry ‘Run’ key under the value ‘BackUp Mgr’ and then executes the loader from the copied location.\r\n2. If the loader cannot access the %APPDATA% location, or if it is already running from this location, it adds the current file path to the ‘Run’ registry key under the value ‘BackUp Mgr’ and executes the loader again from this location.\r\nWhen the persistence operation finishes, the loader deletes itself by writing a batch file to the Windows temporary folder with the file name prefix ‘tmp’ followed by random digits. The batch file content:\r\n@echo off\r\nset Module=%1\r\n:Repeat\r\ndel %Module%\r\nif exist %Module% goto Repeat\r\ndel %0\r\nThe loop keeps retrying the deletion until the original executable is no longer locked by the exiting process, and the batch file then deletes itself.\r\nNext, the loader fingerprints the Windows architecture. This is a crucial step because the loader needs to know which version of the backdoor to download (32-bit or 64-bit).
Once the Windows architecture has been identified, the loader carries out the download.\r\nThe core functionality of the loader is to download the Team9 backdoor component. The loader contains two domains under the ‘.bazar’ top-level domain which point to the Team9 backdoor. ‘.bazar’ is an Emercoin blockchain TLD that is not served by the public DNS root, which is why the loader resolves these names through a hardcoded list of DNS servers (see Table 11). Each domain hosts two versions of the Team9 backdoor on different URIs, one for each Windows architecture (32-bit and 64-bit); the second domain is most likely a fallback.\r\nAny files received from the command and control server are sent in an encrypted format. In order to decrypt a file, the loader applies a bitwise XOR with a key derived from the infected host’s system time (Year/Month/Day) (Figure 2).\r\nFigure 2 – Generate XOR key based on infected host’s time\r\nAs a last step, the loader verifies that the executable file was decrypted successfully by validating the PE headers.\r\nIf the Windows architecture is 32-bit, the loader injects the received executable file into ‘calc.exe’ (Windows Calculator) using the ‘Process Hollowing’ technique.
Otherwise, it writes the executable file to disk and executes it.\r\nThe following tables summarise the identified bazar domains and their URIs found in the early variants of the loader.\r\nURI Description\r\n/api/v108 Possibly downloads the 64-bit version of the Team9 backdoor\r\n/api/v107 Possibly downloads the 32-bit version of the Team9 backdoor\r\n/api/v5 Possibly downloads an updated 32-bit version of the Team9 loader\r\n/api/v6 Possibly downloads an updated 64-bit version of the Team9 loader\r\n/api/v7 Possibly downloads the 32-bit version of the Team9 backdoor\r\n/api/v8 Possibly downloads the 64-bit version of the Team9 backdoor\r\nTable 1 – Bazar URIs found in early variants of the loader\r\nThe table below (Table 2) summarises the identified domains found in the early variants of the loader.\r\nBazar domains\r\nbestgame[.]bazar\r\nforgame[.]bazar\r\nzirabuo[.]bazar\r\ntallcareful[.]bazar\r\ncoastdeny[.]bazar\r\nTable 2 – Bazar domains found in early variants of the loader\r\nLastly, another interesting observation is the logging functionality in the binary file, which reveals the following project file path:\r\nd:\\\\development\\\\team9\\\\team9_restart_loader\\\\team9_restart_loader\r\n3. Latest variant of Team9 loader\r\nIn this section, we describe the functionality of a second loader that we believe to be the latest variant of the aforementioned Team9 loader. This assessment is based on three factors:\r\n1. Similar URIs in the backdoor requests\r\n2. Similar payload decryption technique\r\n3. Similar code blocks\r\nUnlike its previous version, the strings are encrypted and the majority of Windows API functions are loaded dynamically by using the Windows API hashing technique.\r\nOnce executed, the loader uses a timer in order to delay the execution. This is likely used as an anti-sandbox method.
After the delay has elapsed, the loader starts executing its core functionality.\r\nBefore the malware starts interacting with the command and control server, it ensures that any other related files produced by a previous instance of the loader will not cause any issues. To this end the loader appends the string ‘_lyrt’ to its current file path and deletes any file with this name. Next, the loader searches for the parameter ‘-p’ in the command line and, if found, deletes the scheduled task ‘StartDT’. The loader creates this scheduled task later during execution for persistence. The loader also attempts to execute hijacked shortcut files, which will eventually execute an instance of the Team9 loader. This functionality is described later.\r\nThe loader performs a last check to ensure that the operating system’s keyboard and language settings are not set to Russian and creates a mutex with the hardcoded name ‘ld_201127’. The latter is to avoid double execution of its own instance.\r\nAs mentioned previously, the majority of Windows API functions are loaded dynamically. However, in an attempt to bypass any API hooks set by security products, the loader manually loads ‘ntdll’ from disk, reads the opcodes of each API function and compares them with the ones in memory (Figure 3). If the opcodes differ, the loader assumes a hook has been applied and removes it. This applies only to the 64-bit samples reviewed to date.\r\nFigure 3 – Scan for hooks in Windows API functions\r\nThe next stage downloads from the command and control server either the backdoor or an updated version of the loader.
It is interesting to note that there are minor differences in the loader’s execution based on the identified Windows architecture and on whether the ‘-p’ parameter has been passed on the command line.\r\nAssuming that the ‘-p’ parameter has not been passed on the command line, the loader has two loops, one for 32-bit and the other for 64-bit, which download an updated version of the loader. The main difference between the two loops is that in the case of a Windows x64 infection there is no check of the loader’s version.\r\nThe download process is the same as in the previous variant: the loader resolves the command and control server IP address using a hardcoded list of DNS servers and then downloads the corresponding file. An interesting addition in the latest samples is the use of an alternative command and control server IP address in case the primary one fails. The alternative IP address is generated by applying a bitwise XOR with the byte 0xFE to each byte of the resolved command and control IP address. In addition, as a possible anti-sandbox check (analysis environments that simulate DNS often resolve every name to the local host), the loader verifies that the command and control server IP address is not ‘127.0.0.1’. Both of these methods are also present in the latest Team9 backdoor variants.\r\nAs with the previous Team9 loader variant, the command and control server sends back the binary files in an encrypted format. The decryption process is similar to that of the previous variant but with a minor change in the XOR key generation: the character ‘3’ is inserted between the two hex digits of each ASCII-encoded date character (Figure 4). For example:\r\n332330332330330335331338 (ASCII format, host date: 2020-05-18)\r\nReading the example in groups of three characters (332 330 332 330 330 335 331 338) shows the construction: each digit of the date 20200518 is taken as its two-digit ASCII hex value (‘2’ is 32, ‘0’ is 30, ‘5’ is 35) and a ‘3’ is placed between those two hex digits.\r\nFigure 4 – Add the character ‘3’ in the generated XOR key\r\nIf the ‘-p’ parameter has been passed on the command line, the loader proceeds to download the Team9 backdoor directly from the command and control server.
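The loader’s payload decryption described above, together with the shortcut ‘.bin’ file described in Table 3 below (layout in Appendix 5.1), as an added Python example that is not code from the original post. It rebuilds both XOR key variants, applies them as a repeating key, validates the result the way the loader does (PE header check) and decodes a constructed ‘.bin’ file with the 0x61 key. Assumptions, none of them stated in the post: the early variant’s key layout is plain YYYYMMDD (Figure 2 is the only place it is shown), the key repeats over the whole file, and the ‘.bin’ string fields are NUL padded with an encoding guessed from their sizes.

```python
# Added example, not code from the Fox-IT post: rebuild the two Team9 loader
# XOR keys, decrypt a C2 payload and validate it the way the loader does (PE
# header check), and decode the '.bin' file the loader drops next to a
# hijacked shortcut (Table 3, layout from Appendix 5.1).
# ASSUMPTIONS the post does not state are marked where they are used.
from datetime import date

BACKSLASH = chr(92)  # spelled out so the sample Windows paths stay copy-paste safe

def early_variant_key(host_date):
    # ASSUMPTION: plain YYYYMMDD; Figure 2 is the only place the layout is shown.
    return host_date.strftime('%Y%m%d').encode('ascii')

def latest_variant_key(host_date):
    # Each date digit is written as its two-digit ASCII hex value and a '3' is
    # inserted between those two hex digits; for 2020-05-18 this yields the
    # post's example key 332330332330330335331338.
    parts = []
    for digit in host_date.strftime('%Y%m%d'):
        hi, lo = '%02x' % ord(digit)
        parts.append(hi + '3' + lo)
    return ''.join(parts).encode('ascii')

def xor_with_key(buf, key):
    # Repeating-key XOR (ASSUMPTION); symmetric, so one call encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))

def looks_like_pe(blob):
    # Minimal form of the loader's post-decryption check: MZ stub, e_lfanew
    # read from offset 0x3c, and the PE signature (50 45 00 00) at that offset.
    if len(blob) < 0x40 or blob[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(blob[0x3c:0x40], 'little')
    return blob[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)

def decrypt_payload(encrypted, host_date, latest_variant=True):
    # Returns the decrypted image, or None when the PE check fails, which is
    # what happens when a captured download is replayed with the wrong date.
    key = latest_variant_key(host_date) if latest_variant else early_variant_key(host_date)
    plain = xor_with_key(encrypted, key)
    return plain if looks_like_pe(plain) else None

# --- shortcut hijack '.bin' file (Table 3; struct shortcut_bin in 5.1) ------
SHORTCUT_BIN_LAYOUT = (
    ('junk_data', 434),
    ('file_path', 520),
    ('filepath_dir', 520),
    ('file_loader_parameters', 1024),
)
SHORTCUT_BIN_KEY = bytes([0x61])
SHORTCUT_BIN_SIZE = sum(size for _, size in SHORTCUT_BIN_LAYOUT)  # 2498 bytes

def _field_text(raw):
    # ASSUMPTION: the post gives field sizes, not encodings. 520 = 260 * 2
    # hints at MAX_PATH wide characters, so a field whose odd bytes are all
    # zero is decoded as UTF-16-LE and anything else as single-byte text.
    if raw[1::2] == bytes(len(raw) // 2):
        text = raw.decode('utf-16-le')
    else:
        text = raw.decode('latin-1')
    return text.rstrip(chr(0))

def decode_shortcut_bin(blob):
    if len(blob) != SHORTCUT_BIN_SIZE:
        raise ValueError('unexpected .bin size: %d' % len(blob))
    plain = xor_with_key(blob, SHORTCUT_BIN_KEY)
    fields, offset = {}, 0
    for name, size in SHORTCUT_BIN_LAYOUT:
        raw = plain[offset:offset + size]
        offset += size
        fields[name] = raw if name == 'junk_data' else _field_text(raw)
    return fields

def encode_shortcut_bin(file_path, filepath_dir, parameters, wide=True):
    # Constructed-sample generator (inverse of decode_shortcut_bin) so the
    # example runs offline; the loader itself exposes nothing like it.
    enc = 'utf-16-le' if wide else 'latin-1'
    values = (bytes(434), file_path.encode(enc), filepath_dir.encode(enc),
              parameters.encode(enc))
    plain = b''.join(v.ljust(size, bytes(1))
                     for v, (_, size) in zip(values, SHORTCUT_BIN_LAYOUT))
    return xor_with_key(plain, SHORTCUT_BIN_KEY)

# --- constructed samples ----------------------------------------------------
def fake_pe_image():
    # 256-byte stand-in for a downloaded backdoor: valid MZ/PE header, no code.
    img = bytearray(0x100)
    img[0:2] = b'MZ'
    img[0x3c:0x40] = (0x80).to_bytes(4, 'little')
    img[0x80:0x84] = b'PE' + bytes(2)
    return bytes(img)

CAPTURE_DATE = date(2020, 5, 18)  # the host date used in the post's key example
WRONG_DATE = date(2019, 5, 18)    # a year earlier: the key differs in the year digits
SAMPLE_REPLY = xor_with_key(fake_pe_image(), latest_variant_key(CAPTURE_DATE))
DESKTOP = 'C:' + BACKSLASH + 'Users' + BACKSLASH + 'victim' + BACKSLASH + 'Desktop'
SAMPLE_BIN = encode_shortcut_bin(DESKTOP + BACKSLASH + 'notes.exe', DESKTOP, '-p')

if __name__ == '__main__':
    print('latest-variant key:', latest_variant_key(CAPTURE_DATE).decode())
    print('decrypts with capture date:', decrypt_payload(SAMPLE_REPLY, CAPTURE_DATE) is not None)
    print('decrypts with wrong date:', decrypt_payload(SAMPLE_REPLY, WRONG_DATE) is not None)
    fields = decode_shortcut_bin(SAMPLE_BIN)
    print('shortcut .bin:', fields['file_path'], fields['filepath_dir'], fields['file_loader_parameters'])
```

Two things to keep in mind when replaying a captured download with this: the key is the victim’s date at the moment of the download, not the analyst’s date, and because the latest-variant key repeats every 24 bytes and two nearby dates share most of it, a header-only check like the loader’s can still pass with an almost-right date while the rest of the image stays corrupt. Confirm the full image (sections, imports) rather than only the MZ/PE signature before treating the output as the real backdoor.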
One notable addition is the process injection (process hollowing) performed once the backdoor has been successfully downloaded and decrypted. The loader injects the backdoor into one of the following processes:\r\n1. Svchost\r\n2. Explorer\r\n3. cmd\r\nWhenever a binary file is successfully downloaded and properly decrypted, the loader adds or updates its persistence on the infected host. The persistence methods are listed in Table 3.\r\nPersistence method | Persistence method description\r\nScheduled task | The loader creates two scheduled tasks, one for the updated loader (if any) and one for the downloaded backdoor. The scheduled task names (‘StartAT’ and ‘StartDT’, see the Host IOCs in the Appendix) and timers are different.\r\nWinlogon hijack | The loader adds the malware’s file path to the ‘Userinit’ registry value under the Winlogon key. As a result, whenever a user logs in the malware is also executed.\r\nShortcut in the Startup folder | The loader creates a shortcut, which points to the malware file, in the Startup folder. The name of the shortcut is ‘adobe’.\r\nHijack already existing shortcuts | The loader searches for shortcut files on the Desktop and in its subfolders. If it finds one, it copies the malware into the shortcut’s target location under the application’s file name and appends the string ‘__’ to the end of the original binary’s file name. Furthermore, the loader creates a ‘.bin’ file which stores the file path, file location and parameters. The ‘.bin’ file structure can be found in the Appendix section.
When this structure is filled in with all required information, it is encrypted with the single-byte XOR key 0x61.\r\nTable 3 – Persistence methods of the loader\r\nThe following tables summarise the identified bazar domains and their URIs for this Team9 loader variant.\r\nURI Description\r\n/api/v117 Possibly downloads the 32-bit version of the Team9 loader\r\n/api/v118 Possibly downloads the 64-bit version of the Team9 loader\r\n/api/v119 Possibly downloads the 32-bit version of the Team9 backdoor\r\n/api/v120 Possibly downloads the 64-bit version of the Team9 backdoor\r\n/api/v85 Possibly downloads the 32-bit version of the Team9 loader\r\n/api/v86 Possibly downloads the 64-bit version of the Team9 loader\r\n/api/v87 Possibly downloads the 32-bit version of the Team9 backdoor\r\n/api/v88 Possibly downloads the 64-bit version of the Team9 backdoor\r\nTable 4 – Identified URIs for Team9 loader variant\r\nBazar domain\r\nbestgame[.]bazar\r\nforgame[.]bazar\r\nTable 5 – Identified domains for Team9 loader variant\r\n4. Team9 backdoor\r\nWe are confident that this is the backdoor which the loader installs onto the compromised host. In addition, we believe that the first variants of the Team9 backdoor started appearing in the wild in late March 2020. The variants do not appear to differ substantially and the core of the backdoor remains the same.\r\nDuring analysis, we identified the following similarities between the backdoor and its loader:\r\n1. Creates a mutex with a hardcoded name in order to avoid multiple instances running at the same time (so far the mutex names which we have identified are ‘mn_185445’ and ‘{589b7a4a-3776-4e82-8e7d-435471a6c03c}’)\r\n2. Verifies that the keyboard and the operating system language are not Russian\r\n3. 
Use of Emercoin domains with a similarity in the domain name choice\r\nFurthermore, the backdoor generates a unique ID for the infected host. The process that it follows is:\r\n1. Find the creation date of ‘C:\\Windows’ (Windows FILETIME structure format). The result is then converted from its binary form to an ASCII representation: the high and low 32-bit words of the FILETIME are each written as eight hex digits, separated by a space, high word first. An example is shown in Figure 5 (before conversion) and Figure 6 (after conversion).\r\n2. Repeat the same process but for the folder ‘C:\\Windows\\System32’\r\n3. Append the second string to the first with a period (‘.’) as a delimiter. For example: 01d3d1d8 b10c2916.01d3d1d8 b5b1e079\r\n4. Get the NETBIOS name and append it to the string from step 3, again with a period as a delimiter. For example: 01d3d1d8 b10c2916.01d3d1d8 b5b1e079.DESKTOP-SKCF8VA\r\n5. Read the volume serial number of the C: drive and append it to the previous string in the same way. For example: 01d3d1d8 b10c2916.01d3d1d8 b5b1e079.DESKTOP-SKCF8VA.609fbbd5\r\n6. Hash the string from step 5 using the MD5 algorithm. The output hash is the bot ID.\r\nNote: In a few samples, the above algorithm is different. The developers use hard-coded dates, the Windows directory file paths in string format (‘C:\\Windows’ and ‘C:\\Windows\\system32’) and the NETBIOS name. Based on the samples’ functionality, there are many indications that these binary files were created for debugging purposes.\r\nFigure 5 – Before conversion\r\nFigure 6 – After conversion\r\n4.1 Network communication\r\nThe backdoor appears to support network communication over ports 80 (HTTP) and 443 (HTTPS). In recent samples, a certificate is generated on the infected host for the communication over HTTPS. Each request to the command and control server includes at least the following information:\r\n1. A URI path for requesting tasks (/2) or sending results (/3).\r\n2. Group ID. This is added in the ‘Cookie’ header.\r\nLastly, unlike the loader, which decrypts network replies received from the command and control server using the host’s date as the key, the Team9 backdoor uses the bot ID as the key.\r\n4.2 Bot commands\r\nThe backdoor supports a variety of commands. These are summarised in the table below.\r\nCommand ID | Description | Parameters\r\n0 | Set delay time for the command and control server requests | Time to delay the requests\r\n1 | Collect infected host information | Memory buffer to fill in the collected data\r\n10 | Download a file from an address and inject it into a process using either process hollowing or process Doppelgänging | Execution method (DWORD): process hollowing injection, process Doppelgänging injection, or write the file to disk and execute it; process mask (DWORD) that selects the process to inject the payload into, one of 1. Explorer, 2. Cmd, 3. Calc (not used in all variants), 4. Svchost, 5. notepad; address from which the file is downloaded; command line; timeout value\r\n11 | Download a DLL file and execute it | Address to download the DLL; command line; timeout value\r\n12 | Execute a batch file received from the command and control server | DWORD value that determines whether the batch script is stored in a Windows pipe (run from memory) or in a file on disk; timeout value; batch file content\r\n13 | Execute a PowerShell script received from the command and control server | DWORD value that determines whether the PowerShell script is stored in a Windows pipe (run from memory) or in a file on disk; timeout value; PowerShell script content\r\n14 | Report back to the command and control server and terminate any handled tasks | None\r\n15 | Terminate a process | PID of the process to terminate\r\n16 | Upload a file to the command and control server. Note: each variant of the backdoor has a set file size it can handle. | Path of the file to read and upload to the command and control server\r\n100 | Remove itself | None\r\nTable 6 – Supported backdoor commands\r\nTable 7 summarises the report structure of each command when it reports back (POST request) to the command and control server.
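The bot ID derivation of section 4, its use as the reply decryption key (section 4.1) and the fallback address computation that the latest loader and backdoor share (section 3), as an added Python example that is not code from the original post. The input values are the ones from the post’s own bot ID example; the hex-digest form of the MD5 and its use as a repeating XOR key are assumptions, and the decrypted task body is a constructed placeholder because the post does not describe the task format:

```python
# Added example, not code from the Fox-IT post: rebuild the Team9 backdoor's
# bot ID from the host attributes listed in section 4, use it as the XOR key
# for a C2 reply as section 4.1 describes, and derive the fallback C2 address
# that the latest loader and backdoor variants share (section 3).
# ASSUMPTIONS the post does not state are marked where they are used.
import hashlib
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    # FILETIME counts 100 ns intervals since 1601-01-01 UTC; handy for turning
    # the strings below back into the OS installation date they leak.
    return EPOCH_1601 + timedelta(microseconds=filetime // 10)

def filetime_to_team9_string(filetime):
    # Section 4 step 1: the high and low 32-bit words of the FILETIME, each as
    # eight lowercase hex digits, space separated ('01d3d1d8 b10c2916').
    high, low = divmod(filetime, 1 << 32)
    return '%08x %08x' % (high, low)

def bot_id_material(windows_ft, system32_ft, netbios_name, volume_serial):
    # Steps 1 to 5: creation FILETIMEs of the Windows directory and its System32
    # folder, the NETBIOS name and the C: volume serial, joined with '.'.
    return '.'.join([
        filetime_to_team9_string(windows_ft),
        filetime_to_team9_string(system32_ft),
        netbios_name,
        '%08x' % volume_serial,
    ])

def bot_id(windows_ft, system32_ft, netbios_name, volume_serial):
    # Step 6: MD5 of the joined string. ASSUMPTION: lowercase hex digest form;
    # the post only says 'the output hash is the bot ID'.
    material = bot_id_material(windows_ft, system32_ft, netbios_name, volume_serial)
    return hashlib.md5(material.encode('ascii')).hexdigest()

def xor_with_key(buf, key):
    # Repeating-key XOR; symmetric, so one call encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))

def decrypt_backdoor_reply(ciphertext, bot):
    # Section 4.1: the backdoor keys its XOR with the bot ID where the loader
    # used the host date. ASSUMPTION: the ASCII hex digest is the repeating key.
    return xor_with_key(ciphertext, bot.encode('ascii'))

def fallback_c2(ip):
    # Section 3: each byte of the resolved C2 address XORed with 0xFE gives the
    # alternative address tried when the primary fails. The operation is its
    # own inverse, so it also recovers the primary from a fallback seen in traffic.
    return '.'.join(str(int(octet) ^ 0xFE) for octet in ip.split('.'))

def c2_is_usable(ip):
    # Section 3: a C2 that resolved to the local host is rejected, a check
    # aimed at sandboxes that answer every DNS query with 127.0.0.1.
    return ip != '127.0.0.1'

# --- constructed sample, using the host values from the post's own example --
WINDOWS_FT = 0x01d3d1d8b10c2916    # creation time of the Windows directory (Figure 6)
SYSTEM32_FT = 0x01d3d1d8b5b1e079   # creation time of its System32 folder
SAMPLE_BOT_ID = bot_id(WINDOWS_FT, SYSTEM32_FT, 'DESKTOP-SKCF8VA', 0x609fbbd5)
SAMPLE_TASK = b'constructed task body (the post does not describe the task format)'
SAMPLE_REPLY = xor_with_key(SAMPLE_TASK, SAMPLE_BOT_ID.encode('ascii'))

if __name__ == '__main__':
    print('bot ID material:', bot_id_material(WINDOWS_FT, SYSTEM32_FT, 'DESKTOP-SKCF8VA', 0x609fbbd5))
    print('bot ID:', SAMPLE_BOT_ID)
    print('Windows installed:', filetime_to_datetime(WINDOWS_FT).date())
    print('reply decrypts:', decrypt_backdoor_reply(SAMPLE_REPLY, SAMPLE_BOT_ID) == SAMPLE_TASK)
    print('fallback for 34.222.222.126:', fallback_c2('34.222.222.126'))
```

Running the fallback computation over Table 10 in the Appendix shows that 220[.]32.32.128, 185[.]65.202.62 and 179[.]43.134.164 are exactly the 0xFE-XOR counterparts of 34[.]222.222.126, 71[.]191.52.192 and 77[.]213.120.90, so when only one address of such a pair shows up in telemetry the other one belongs on the watchlist too. The FILETIME strings in the bot ID material also decode to the operating system’s installation date (April 2018 for the post’s example), which is why the ID stays stable across reinfections of the same machine but changes after a Windows reinstall.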
Note: In a few samples, the backdoor reports the results to an additional IP address (185.64.106[.]73) if it cannot communicate with the Bazar domains.\r\nCommand ID/Description | Command execution results structure\r\n1/ Collect infected host information | The POST request includes the following information: operating system information; operating system architecture; NETBIOS name of the infected host; username of the infected user; backdoor’s file path; infected host time zone; process list; keyboard language; antivirus name and installed applications; infected host’s external IP; shared drives; shared drives in the domain; trusted domains; infected host administrators; domain admins\r\n11/ Download a DLL file and execute it | The POST request includes the following parameters: command execution errors (passed in the parameter ‘err’); process identifier (passed in the parameter ‘pid’); command execution output (passed in the parameter ‘stdout’, if any); additional information from the command execution (passed in the parameter ‘msg’, if any)\r\n12/ Execute a batch file received from the command and control server | Same as command 11 (Download a DLL file and execute it)\r\n13/ Execute a PowerShell script received from the command and control server | Same as command 11 (Download a DLL file and execute it)\r\n14/ Report back to the command and control server and terminate any handled tasks | POST request with the string ‘ok’\r\n15/ Terminate a process | Same as command 11 (Download a DLL file and execute it)\r\n16/ Upload a file to the command and control server | No parameters. The file’s content is sent in a POST request.\r\n100/ Remove itself | POST request with the string ‘ok’ or ‘process termination error’\r\nTable 7 – Report structure\r\n5. Appendix\r\n5.1 struct shortcut_bin\r\nstruct shortcut_bin\r\n{\r\nBYTE junk_data[434];\r\nBYTE file_path[520];\r\nBYTE filepath_dir[520];\r\nBYTE file_loader_parameters[1024];\r\n};\r\n5.2 IOCs\r\nFile hashes\r\nDescription | SHA-256 Hash\r\nTeam9 backdoor (x64) | 4F258184D5462F64C3A752EC25FB5C193352C34206022C0755E48774592B7707\r\nTeam9 backdoor (x64) | B10DCEC77E00B1F9B1F2E8E327A536987CA84BCB6B0C7327C292F87ED603837D\r\nTeam9 backdoor (x64) | 363B6E0BC8873A6A522FE9485C7D8B4CBCFFA1DA61787930341F94557487C5A8\r\nTeam9 backdoor (x64) | F4A5FE23E21B6B7D63FA2D2C96A4BC4A34B40FD40A921B237A50A5976FE16001\r\nTeam9 backdoor (x64) | A0D0CFA8BF0BC5B8F769D8B64EAB22D308B108DD8A4D59872946D69C3F8C58A5\r\nTeam9 backdoor (x64) | 059519E03772D6EEEA9498625AE8B8B7CF2F01FC8179CA5D33D6BCF29D07C9F4\r\nTeam9 backdoor (x64) | 0F94B77892F22D0A0E7095B985F30B5EDBE17AB5B8D41F798EF0C708709636F4\r\nTeam9 backdoor (x64) | 2F0F0956628D7787C62F892E1BD9EDDA8B4C478CF8F1E65851052C7AD493DC28\r\nTeam9 backdoor (x64) | 37D713860D529CBE4EAB958419FFD7EBB3DC53BB6909F8BD360ADAA84700FAF2\r\nTeam9 backdoor (x64) | 3400A7DF9EC3DC8283D5AC7ACCB6935691E93FEDA066CC46C6C04D67F7F87B2B\r\nTeam9 backdoor (x64) | 5974D938BC3BBFC69F68C979A6DC9C412970FC527500735385C33377AB30373A\r\nTeam9 backdoor (x64) | C55F8979995DF82555D66F6B197B0FBCB8FE30B431FF9760DEAE6927A584B9E3\r\nTeam9 backdoor (x86) | 94DCAA51E792D1FA266CAE508C2C62A2CA45B94E2FDFBCA7EA126B6CD7BC5B21\r\nTeam9 backdoor (x86) | 4EE0857D475E67945AF2C5E04BE4DEC3D6D3EB7C78700F007A7FF6F8C14D4CB3\r\nTeam9 backdoor (x86) | 8F552E9CA2BEDD90CE9935A665758D5DE2E86B6FDA32D98918534A8A5881F91A\r\nTeam9 backdoor (x86) | AE7DAA7CE3188CCFE4069BA14C486631EEA9505B7A107A17DDEE29061B0EDE99\r\nTeam9 backdoor (x86) | F3C6D7309F00CC7009BEA4BE6128F0AF2EA6B87AB7A687D14092F85CCD35C1F5\r\nTeam9 backdoor (x86) | 6CBF7795618FB5472C5277000D1C1DE92B77724D77873B88AF3819E431251F00\r\nTeam9 backdoor (x86) | B0B758E680E652144A78A7DDECC027D4868C1DC3D8D7D611EC4D3798358B0CE5\r\nTeam9 backdoor (x86) | 959BA7923992386ABF2E27357164672F29AAC17DDD4EE1A8AD4C691A1C566568\r\nTeam9 backdoor (x86) | 3FE61D87C9454554B0CE9101F95E18ABAD8AC6C62DCC88DC651DDFB20568E060\r\nTeam9 loader (x64) | B3764EF42D526A1AE1A4C3B0FE198F35C6BC5C07D5F155D15060B94F8F6DC695\r\nTeam9 loader (x64) | 210C51AAB6FC6C52326ECE9DBD3DDAB5F58E98432EF70C46936672C79542FBD0\r\nTeam9 loader (x64) | 11B5ADAEFD04FFDACEB9539F95647B1F51AEC2117D71ECE061F15A2621F1ECE9\r\nTeam9 loader (x64) | 534D60392E0202B24D3FDAF992F299EF1AF1FB5EFEF0096DD835FE5C4E30B0FA\r\nTeam9 loader (x64) | 9D3A265688C1A098DD37FE77C139442A8EB02011DA81972CEDDC0CF4730F67CF\r\nTeam9 loader (x64) | CE478FDBD03573076394AC0275F0F7027F44A62A306E378FE52BEB0658D0B273\r\nTeam9 loader (x64) | 5A888D05804D06190F7FC408BEDE9DA0423678C8F6ECA37ECCE83791DE4DF83D\r\nTeam9 loader (x64) | EB62AD35C613A73B0BD28C1779ACE80E2BA587A7F8DBFEC16CF5BF520CAA71EE\r\nTeam9 loader (x64) | A76426E269A2DEFABCF7AEF9486FF521C6110B64952267CFE3B77039D1414A41\r\nTeam9 loader (x64) | 65CDBDD03391744BE87AC8189E6CD105485AB754FED0B069A1378DCA3E819F28\r\nTeam9 loader (x64) | 38C9C3800DEA2761B7FAEC078E4BBD2794B93A251513B3F683AE166D7F186D19\r\nTeam9 loader (x64) | 8F8673E6C6353187DBB460088ADC3099C2F35AD868966B257AFA1DF782E48875\r\nTeam9 loader (x86) | 35B3FE2331A4A7D83D203E75ECE5189B7D6D06AF4ABAC8906348C0720B6278A4\r\nTeam9 loader (x86) | 65E44FC8527204E88E38AB320B3E82694D1548639565FDAEE53B7E0F963D3A92\r\nTeam9 loader (x86) | F53509AF91159C3432C6FAF4B4BE2AE741A20ADA05406F9D4E9DDBD48C91EBF9\r\nTeam9 loader (x86) | 73339C130BB0FAAD27C852F925AA1A487EADF45DF667DB543F913DB73080CD5D\r\nTeam9 loader (x86) | 2342C736572AB7448EF8DA2540CDBF0BAE72625E41DAB8FFF58866413854CA5C\r\nTeam9 loader (x86) | 079A99B696CC984375D7A3228232C44153A167C1936C604ED553AC7BE91DD982\r\nTeam9 loader (x86) | 0D8AEACF4EBF227BA7412F8F057A8CDDC54021846092B635C8D674B2E28052C6\r\nTeam9 loader (x86) | F83A815CE0457B50321706957C23CE8875318CFE5A6F983A0D0C580EBE359295\r\nTeam9 loader (x86) | 3FA209CD62BACC0C2737A832E5F0D5FD1D874BE94A206A29B3A10FA60CEB187D\r\nTeam9 loader (x86) | 05ABD7F33DE873E9630F9E4F02DBD0CBC16DD254F305FC8F636DAFBA02A549B3\r\nTable 8 – File hashes\r\nIdentified Emercoin domains\r\nDomains\r\nnewgame[.]bazar\r\nthegame[.]bazar\r\nportgame[.]bazar\r\nworkrepair[.]bazar\r\nrealfish[.]bazar\r\neventmoult[.]bazar\r\nbestgame[.]bazar\r\nforgame[.]bazar\r\nzirabuo[.]bazar\r\nTable 9 – Identified Emercoin domains\r\nCommand and Control IPs\r\nC\u0026C IPs\r\n34[.]222.222.126\r\n71[.]191.52.192\r\n77[.]213.120.90\r\n179[.]43.134.164\r\n185[.]65.202.62\r\n220[.]32.32.128\r\n51[.]81.113.26\r\n85[.]204.116.58\r\nTable 10 – Command and Control IPs\r\nNote that 220[.]32.32.128, 185[.]65.202.62 and 179[.]43.134.164 are the 0xFE-XOR fallback addresses (section 3) of 34[.]222.222.126, 71[.]191.52.192 and 77[.]213.120.90 respectively.\r\nIdentified DNS IPs\r\nDNS IPs\r\n51[.]254.25.115\r\n193[.]183.98.66\r\n91[.]217.137.37\r\n87[.]98.175.85\r\n185[.]121.177.177\r\n169[.]239.202.202\r\n198[.]251.90.143\r\n5[.]132.191.104\r\n111[.]67.20.8\r\n163[.]53.248.170\r\n142[.]4.204.111\r\n142[.]4.205.47\r\n158[.]69.239.167\r\n104[.]37.195.178\r\n192[.]99.85.244\r\n158[.]69.160.164\r\n46[.]28.207.199\r\n31[.]171.251.118\r\n81[.]2.241.148\r\n82[.]141.39.32\r\n50[.]3.82.215\r\n46[.]101.70.183\r\n5[.]45.97.127\r\n130[.]255.78.223\r\n144[.]76.133.38\r\n139[.]59.208.246\r\n172[.]104.136.243\r\n45[.]71.112.70\r\n163[.]172.185.51\r\n5[.]135.183.146\r\n51[.]255.48.78\r\n188[.]165.200.156\r\n147[.]135.185.78\r\n92[.]222.97.145\r\n51[.]255.211.146\r\n159[.]89.249.249\r\n104[.]238.186.189\r\n139[.]59.23.241\r\n94[.]177.171.127\r\n45[.]63.124.65\r\n212[.]24.98.54\r\n178[.]17.170.179\r\n185[.]208.208.141\r\n82[.]196.9.45\r\n146[.]185.176.36\r\n89[.]35.39.64\r\n89[.]18.27.167\r\n77[.]73.68.161\r\n185[.]117.154.144\r\n176[.]126.70.119\r\n139[.]99.96.146\r\n217[.]12.210.54\r\n185[.]164.136.225\r\n192[.]52.166.110\r\n63[.]231.92.27\r\n66[.]70.211.246\r\n96[.]47.228.108\r\n45[.]32.160.206\r\n128[.]52.130.209\r\n35[.]196.105.24\r\n172[.]98.193.42\r\n162[.]248.241.94\r\n107[.]172.42.186\r\n167[.]99.153.82\r\n138[.]197.25.214\r\n69[.]164.196.21\r\n94[.]247.43.254\r\n94[.]16.114.254\r\n151[.]80.222.79\r\n176[.]9.37.132\r\n192[.]71.245.208\r\n195[.]10.195.195\r\nTable 11 – Identified DNS IPs\r\nMutexes\r\nComponent | Mutex name\r\nTeam9 backdoor | mn_185445\r\nTeam9 backdoor | {589b7a4a-3776-4e82-8e7d-435471a6c03c}\r\nTeam9 loader | ld_201127\r\nTable 12 – Mutex names Team9 components\r\nHost IOCs\r\n1. Files ending with the string ‘_lyrt’\r\n2. Scheduled tasks with names ‘StartAT’ and ‘StartDT’\r\n3. Shortcut with file name ‘adobe’ in the Windows ‘StartUp’ folder\r\n4. Registry value name ‘BackUp Mgr’ in the ‘Run’ registry key\r\nNetwork detection\r\nalert dns $HOME_NET any -\u003e any 53 (msg:\"FOX-SRT – Suspicious – Team9 Emercoin DNS Query Observed\"; dns_query; content:\".bazar\"; nocase; dns_query; pcre:\"/(newgame|thegame|portgame|workrepair|realfish|eventmoult|bestgame|forgame|zirabuo)\\.bazar/i\"; threshold:type limit, track by_src, count 1, seconds 3600; classtype:trojan-activity; metadata:created_at 2020-05-28; metadata:ids suricata; sid:21003029; rev:3;)\r\nSource(s):\r\n[1] https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/\r\nSource: https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/"
	],
	"report_names": [
		"in-depth-analysis-of-the-new-team9-malware-family"
	],
	"threat_actors": [],
	"ts_created_at": 1775434316,
	"ts_updated_at": 1775791200,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b20f982760d3f27a2f1d8dc6618c8ba6ee272391.pdf",
		"text": "https://archive.orkl.eu/b20f982760d3f27a2f1d8dc6618c8ba6ee272391.txt",
		"img": "https://archive.orkl.eu/b20f982760d3f27a2f1d8dc6618c8ba6ee272391.jpg"
	}
}