bazarloader | 1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2 | Triage

Analysis

max time kernel
150s
max time network
157s
platform
windows7_x64
resource
win7
submitted
10-09-2020 08:49

Sharing

Report Analysis Logs

General

Target

1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe
Size

332KB
MD5

a41429f7dbecfb76e6b7534afbeb4f74
SHA1

68f48d169b4f62189b3e43c3615aa7e4314e9459
SHA256

1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2
SHA512

6957ba5090a5e36feec28fb5d4abeab7ec068ceb212bc7b3f2a10ac568f80b4a925e5d9b0815fc9e936897924c51d9c51fa1af35da508b2d6e0a179c26797bf6

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader 4 IoCs

Detected loader normally used to deploy BazarBackdoor malware.

loader dropper bazarloader

Processes:

1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe

description	flow	ioc
HTTP URL	4	https://164.132.76.76/api/v138
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\SystemCertificates\My	1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe
HTTP URL	7	https://164.132.76.76/api/v138
HTTP URL	8	https://164.132.76.76/api/v138

Tries to connect to .bazar domain 3 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

description flow ioc

HTTP URL 4 https://164.132.76.76/api/v138
HTTP URL 7 https://164.132.76.76/api/v138
HTTP URL 8 https://164.132.76.76/api/v138

C:\Users\Admin\AppData\Local\Temp\1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe
"C:\Users\Admin\AppData\Local\Temp\1ae793fb1d53cf5b1b393c348592220eec76d6def504dcb09f4686920d2e28d2.exe"
1⤵
- Bazar Loader
PID:1088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-0-0x0000000000460000-0x0000000000487000-memory.dmp

Filesize
156KB

Download
memory/1088-1-0x0000000180000000-0x000000018002A000-memory.dmp

Filesize
168KB

Download