bazarloader | fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f

Analysis

Target

fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe
Size

365KB
MD5

157e256ee99b5ae2eb0b4663ea3bd3ca
SHA1

11b315dab07ab1398962596770d9d26e46770f6a
SHA256

fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f
SHA512

1bad7c718c09082853559cac0863a63ae6a8ffb37ae2a31435ed603487f2197384b8ab8c055208d7f58716c3f6cd4942d0d4c0bae1673023cbf18fd49cbe1708

Score

10^/10

Bazar Loader 12 IoCs

Detected loader normally used to deploy BazarBackdoor malware.

Processes:

fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe

description	flow	ioc
HTTP URL	16	https://37.220.6.126/api/v138
HTTP URL	4	https://82.146.37.128/api/v138
HTTP URL	9	https://85.143.221.85/api/v138
HTTP URL	11	https://85.143.221.85/api/v138
HTTP URL	13	https://195.123.241.194/api/v138
HTTP URL	14	https://195.123.241.194/api/v138
HTTP URL	15	https://37.220.6.126/api/v138
Key created	\REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\SystemCertificates\My	fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe
HTTP URL	7	https://82.146.37.128/api/v138
HTTP URL	8	https://82.146.37.128/api/v138
HTTP URL	10	https://85.143.221.85/api/v138
HTTP URL	12	https://195.123.241.194/api/v138

Tries to connect to .bazar domain 11 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

C:\Users\Admin\AppData\Local\Temp\fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe
"C:\Users\Admin\AppData\Local\Temp\fabbde554c34e111a975534b714cec911f558ca30f9a4057ebdc25314b3a270f.exe"
1⤵
- Bazar Loader
PID:1452

memory/1452-0-0x00000000005A0000-0x00000000005BF000-memory.dmp

Filesize
124KB

Download
memory/1452-1-0x0000000140000000-0x0000000140021000-memory.dmp

Filesize
132KB

Download