bazarloader | a94591ab207cc7cfb86586e50fa23c74b660bbdeab183360671973f2c63c2fcd

General

Target

DocumentPreview.exe
Size

259KB
MD5

343a2579cafed501bcad9ad2ebd010e6
SHA1

2462cbff6243ba3eb179aa4f799d1a6fc41dac18
SHA256

a94591ab207cc7cfb86586e50fa23c74b660bbdeab183360671973f2c63c2fcd
SHA512

7adeb12f79dd63d91c5cc2864fa15ed48605e122a4a968993f95e986d84bf33baf4c02344ce957e25af2ff5270fab6af211b10947f47a6127b445ce8b5474e48

Score

10^/10

Bazar Loader 12 IoCs

Detected loader normally used to deploy BazarBackdoor malware.

Processes:

DocumentPreview.exe

description	flow	ioc
HTTP URL	17	https://66.70.218.37/api/v86
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\My	DocumentPreview.exe
HTTP URL	5	https://86.104.194.108/api/v86
HTTP URL	10	https://217.12.209.44/api/v86
HTTP URL	13	https://194.5.249.109/api/v86
HTTP URL	14	https://194.5.249.109/api/v86
HTTP URL	16	https://66.70.218.37/api/v86
HTTP URL	8	https://86.104.194.108/api/v86
HTTP URL	9	https://86.104.194.108/api/v86
HTTP URL	11	https://217.12.209.44/api/v86
HTTP URL	12	https://217.12.209.44/api/v86
HTTP URL	15	https://194.5.249.109/api/v86

Executes dropped EXE 1 IoCs

Processes:

byespqnb.exe

pid process

1572 byespqnb.exe

pid	process
1572	byespqnb.exe

Tries to connect to .bazar domain 11 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

pid	process
1588	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1588 wrote to memory of 1572	1588	cmd.exe	byespqnb.exe
PID 1588 wrote to memory of 1572	1588	cmd.exe	byespqnb.exe
PID 1588 wrote to memory of 1572	1588	cmd.exe	byespqnb.exe

C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe
"C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe"
1⤵
- Bazar Loader
PID:112

C:\Users\Admin\AppData\Local\Temp\byespqnb.exe
"C:\Users\Admin\AppData\Local\Temp\byespqnb.exe" -z {834E8EE4-0C09-469A-878E-97B1A09282E9}
2⤵
- Executes dropped EXE
PID:1572

C:\Users\Admin\AppData\Local\Temp\byespqnb.exe

MD5
343a2579cafed501bcad9ad2ebd010e6

SHA1
2462cbff6243ba3eb179aa4f799d1a6fc41dac18

SHA256
a94591ab207cc7cfb86586e50fa23c74b660bbdeab183360671973f2c63c2fcd

SHA512
7adeb12f79dd63d91c5cc2864fa15ed48605e122a4a968993f95e986d84bf33baf4c02344ce957e25af2ff5270fab6af211b10947f47a6127b445ce8b5474e48

Download Submit
\Users\Admin\AppData\Local\Temp\byespqnb.exe

MD5
343a2579cafed501bcad9ad2ebd010e6

SHA1
2462cbff6243ba3eb179aa4f799d1a6fc41dac18

SHA256
a94591ab207cc7cfb86586e50fa23c74b660bbdeab183360671973f2c63c2fcd

SHA512
7adeb12f79dd63d91c5cc2864fa15ed48605e122a4a968993f95e986d84bf33baf4c02344ce957e25af2ff5270fab6af211b10947f47a6127b445ce8b5474e48

Download Submit
memory/112-0-0x00000000006F0000-0x0000000000711000-memory.dmp

Filesize
132KB

Download
memory/1572-2-0x0000000000000000-mapping.dmp

Download
memory/1572-3-0x0000000000000000-mapping.dmp

Download
memory/1572-5-0x00000000000F0000-0x0000000000111000-memory.dmp

Filesize
132KB

Download