bazarloader | 030b3d2ebc2b5219e2f616396539999621381bcd7af0b5c3d94059c08b8d57b5

General

Target

DocumentPreview.exe
Size

302KB
MD5

7436b02a8347ca737c0dcefc3cb9eb39
SHA1

1633ce9565cb4a858a01a7ee2349a2ba9e62bee2
SHA256

030b3d2ebc2b5219e2f616396539999621381bcd7af0b5c3d94059c08b8d57b5
SHA512

ce01339bc698c8afc9c828d5f64365ef26b82b8aac9b538283d50e16ce7ae37e7457d3487b35c284b2c14c31a87fc86f3a5ad57eafcd474ddbbd45d4d4ed3244

Score

10^/10

Bazar Loader 13 IoCs

Detected loader normally used to deploy BazarBackdoor malware.

Processes:

DocumentPreview.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\My	DocumentPreview.exe
HTTP URL	11	https://78.108.216.13/api/v86
HTTP URL	15	https://217.12.209.44/api/v86
HTTP URL	16	https://217.12.209.44/api/v86
HTTP URL	17	https://185.99.2.191/api/v86
HTTP URL	14	https://217.12.209.44/api/v86
HTTP URL	18	https://185.99.2.191/api/v86
HTTP URL	19	https://185.99.2.191/api/v86
HTTP URL	6	https://51.77.112.254/api/v86
HTTP URL	9	https://51.77.112.254/api/v86
HTTP URL	10	https://51.77.112.254/api/v86
HTTP URL	12	https://78.108.216.13/api/v86
HTTP URL	13	https://78.108.216.13/api/v86

Executes dropped EXE 1 IoCs

Processes:

kfusadqe.exe

pid process

1544 kfusadqe.exe

pid	process
1544	kfusadqe.exe

Tries to connect to .bazar domain 12 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

pid	process
1584	cmd.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 1584 wrote to memory of 1544	1584	cmd.exe	kfusadqe.exe
PID 1584 wrote to memory of 1544	1584	cmd.exe	kfusadqe.exe
PID 1584 wrote to memory of 1544	1584	cmd.exe	kfusadqe.exe

C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe
"C:\Users\Admin\AppData\Local\Temp\DocumentPreview.exe"
1⤵
- Bazar Loader
PID:1508

C:\Users\Admin\AppData\Local\Temp\kfusadqe.exe
"C:\Users\Admin\AppData\Local\Temp\kfusadqe.exe" -z {3B0C56AA-928A-414D-B82D-5FB923B4D898}
2⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\AppData\Local\Temp\kfusadqe.exe

MD5
7436b02a8347ca737c0dcefc3cb9eb39

SHA1
1633ce9565cb4a858a01a7ee2349a2ba9e62bee2

SHA256
030b3d2ebc2b5219e2f616396539999621381bcd7af0b5c3d94059c08b8d57b5

SHA512
ce01339bc698c8afc9c828d5f64365ef26b82b8aac9b538283d50e16ce7ae37e7457d3487b35c284b2c14c31a87fc86f3a5ad57eafcd474ddbbd45d4d4ed3244

Download Submit
\Users\Admin\AppData\Local\Temp\kfusadqe.exe

MD5
7436b02a8347ca737c0dcefc3cb9eb39

SHA1
1633ce9565cb4a858a01a7ee2349a2ba9e62bee2

SHA256
030b3d2ebc2b5219e2f616396539999621381bcd7af0b5c3d94059c08b8d57b5

SHA512
ce01339bc698c8afc9c828d5f64365ef26b82b8aac9b538283d50e16ce7ae37e7457d3487b35c284b2c14c31a87fc86f3a5ad57eafcd474ddbbd45d4d4ed3244

Download Submit
memory/1508-0-0x0000000000120000-0x0000000000146000-memory.dmp

Filesize
152KB

Download
memory/1508-1-0x0000000180000000-0x000000018002A000-memory.dmp

Filesize
168KB

Download
memory/1544-3-0x0000000000000000-mapping.dmp

Download
memory/1544-4-0x0000000000000000-mapping.dmp

Download