bazarloader | e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e

General

Target

e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe
Size

379KB
MD5

9f00d78f2e8e4523773a264f85be1c02
SHA1

3c542144a7a03134060bd666206a106bcea95e5a
SHA256

e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e
SHA512

5760967703d0702d4c855b75c895a2432c809ca8f945f2a80914f21b3c8129c4bbf155bac4bb5fa6b03e868b3d33cfbe1b3321a7b438741cd62d1c3323d38928

Score

10^/10

persistence loader dropper bazarloader backdoor bazarbackdoor

Malware Config

Signatures

Bazar Loader 14 IoCs

Detected loader normally used to deploy BazarBackdoor malware.

loader dropper bazarloader

Processes:

svchost.exe

description	flow	ioc
HTTP User-Agent header	11	Win
HTTP User-Agent header	16	Win
HTTP URL	8	https://82.146.37.128/api/v153
HTTP User-Agent header	8	Win
HTTP URL	11	https://82.146.37.128/api/v154
HTTP User-Agent header	12	Win
HTTP URL	14	https://82.146.37.128/api/v156
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe
HTTP URL	13	https://82.146.37.128/api/v154
HTTP User-Agent header	13	Win
HTTP User-Agent header	15	Win
HTTP User-Agent header	17	Win
HTTP URL	12	https://82.146.37.128/api/v154
HTTP User-Agent header	14	Win

BazarBackdoor
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
backdoor bazarbackdoor
Executes dropped EXE 1 IoCs

Processes:

arfgdcubgo.exe

pid process

2716 arfgdcubgo.exe

pid	process
2716	arfgdcubgo.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Skype Remote Control = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe"	e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

arfgdcubgo.exe

description pid process target process

PID 2716 set thread context of 3364 2716 arfgdcubgo.exe explorer.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat svchost.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1904 timeout.exe

description	pid	process	target process
PID 2716 set thread context of 3364	2716	arfgdcubgo.exe	explorer.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat	svchost.exe

pid	process
1904	timeout.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 252c80be4f87d601	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeShutdownPrivilege 2992 svchost.exe
Token: SeCreatePagefilePrivilege 2992 svchost.exe

description	pid	process
Token: SeShutdownPrivilege	2992	svchost.exe
Token: SeCreatePagefilePrivilege	2992	svchost.exe

Suspicious use of WriteProcessMemory 827 IoCs

Processes:

e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.execmd.exearfgdcubgo.exe

description	pid	process	target process
PID 3024 wrote to memory of 1612	3024	e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe	cmd.exe
PID 3024 wrote to memory of 1612	3024	e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe	cmd.exe
PID 1612 wrote to memory of 1904	1612	cmd.exe	timeout.exe
PID 1612 wrote to memory of 1904	1612	cmd.exe	timeout.exe
PID 3024 wrote to memory of 2716	3024	e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe	arfgdcubgo.exe
PID 3024 wrote to memory of 2716	3024	e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe	arfgdcubgo.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe
PID 2716 wrote to memory of 3364	2716	arfgdcubgo.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe
"C:\Users\Admin\AppData\Local\Temp\e390ab08f852845fccc07d234a96f51fcb23a95a4fa872a22b48afa0cbb0941e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SYSTEM32\cmd.exe
cmd /c TIMEOUT /T 50 /NOBREAK && move "C:\Users\Admin\AppData\Local\Temp\dhcftxghsh" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Control Panel.lnk"
2⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\system32\timeout.exe
TIMEOUT /T 50 /NOBREAK
3⤵
- Delays execution with timeout.exe
PID:1904

C:\Users\Admin\AppData\Local\Temp\arfgdcubgo.exe
C:\Users\Admin\AppData\Local\Temp\arfgdcubgo.exe /NO_AUTOSTART 82.146.37.128
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:3364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
- Bazar Loader
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\arfgdcubgo.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\arfgdcubgo.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhcftxghsh

Download Submit
memory/1612-3-0x0000000000000000-mapping.dmp

Download
memory/1904-5-0x0000000000000000-mapping.dmp

Download
memory/2716-14-0x0000000000000000-mapping.dmp

Download
memory/3024-0-0x00000000022E0000-0x0000000002313000-memory.dmp

Filesize
204KB

Download
memory/3024-1-0x0000000002320000-0x0000000002352000-memory.dmp

Filesize
200KB

Download
memory/3364-17-0x00007FF659960000-0x00007FF659A1D000-memory.dmp

Filesize
756KB

Download
memory/3364-18-0x00007FF6599FB824-mapping.dmp

Download
memory/3364-19-0x00007FF659960000-0x00007FF659A1D000-memory.dmp

Filesize
756KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads