bazarloader | 93db19c454405ef70de2ead0a3b2158e0d8cc8c3bb663c3af15a0df1b008fc53

General

Target

12.0.dll
Size

37KB
MD5

af18cd9e59906e5c56bd5a07502b1f0b
SHA1

3bc5960b69cbd0266e66dfea9e6d9eb6365ae78a
SHA256

93db19c454405ef70de2ead0a3b2158e0d8cc8c3bb663c3af15a0df1b008fc53
SHA512

35e56125884be604b45d11fc318d022bbd021ff83f8cc41fe606d91eb8f6a4770e319ff92fc9ff0119c3bbc34557be0ac41f64d90538186852269efd54144281

Score

10^/10

bazarloader nloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3316-8-0x0000000180000000-0x0000000180024000-memory.dmp	BazarLoaderVar1

Nloader Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/652-4-0x0000000010000000-0x000000001000C000-memory.dmp	nloader

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

8 652 rundll32.exe
13 652 rundll32.exe
Executes dropped EXE 4 IoCs

Processes:

lkag.exelkag.exeHZTCFA5.exeHZTCFA5.exe

pid process

3316 lkag.exe
1584 lkag.exe
3612 HZTCFA5.exe
3276 HZTCFA5.exe

flow	pid	process
8	652	rundll32.exe
13	652	rundll32.exe

pid	process
3316	lkag.exe
1584	lkag.exe
3612	HZTCFA5.exe
3276	HZTCFA5.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HZTCFA5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	HZTCFA5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\DJ1Z41273 = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v XXGBWZFSP7 /t REG_SZ /d \"C:\\Users\\Admin\\AppData\\Local\\Temp\\HZTCFA5.exe PKFXLK\" & start \"H\" C:\\Users\\Admin\\AppData\\Local\\Temp\\HZTCFA5.exe PKFXLK"	HZTCFA5.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2324 PING.EXE
3392 PING.EXE
2332 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

lkag.exe

pid process

3316 lkag.exe
3316 lkag.exe

pid	process
2324	PING.EXE
3392	PING.EXE
2332	PING.EXE

pid	process
3316	lkag.exe
3316	lkag.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

rundll32.exerundll32.exelkag.execmd.exelkag.execmd.exeHZTCFA5.execmd.exe

description	pid	process	target process
PID 3636 wrote to memory of 652	3636	rundll32.exe	rundll32.exe
PID 3636 wrote to memory of 652	3636	rundll32.exe	rundll32.exe
PID 3636 wrote to memory of 652	3636	rundll32.exe	rundll32.exe
PID 652 wrote to memory of 3316	652	rundll32.exe	lkag.exe
PID 652 wrote to memory of 3316	652	rundll32.exe	lkag.exe
PID 3316 wrote to memory of 3012	3316	lkag.exe	cmd.exe
PID 3316 wrote to memory of 3012	3316	lkag.exe	cmd.exe
PID 3012 wrote to memory of 2324	3012	cmd.exe	PING.EXE
PID 3012 wrote to memory of 2324	3012	cmd.exe	PING.EXE
PID 3012 wrote to memory of 1584	3012	cmd.exe	lkag.exe
PID 3012 wrote to memory of 1584	3012	cmd.exe	lkag.exe
PID 1584 wrote to memory of 1924	1584	lkag.exe	cmd.exe
PID 1584 wrote to memory of 1924	1584	lkag.exe	cmd.exe
PID 1924 wrote to memory of 3392	1924	cmd.exe	PING.EXE
PID 1924 wrote to memory of 3392	1924	cmd.exe	PING.EXE
PID 1924 wrote to memory of 3612	1924	cmd.exe	HZTCFA5.exe
PID 1924 wrote to memory of 3612	1924	cmd.exe	HZTCFA5.exe
PID 3612 wrote to memory of 908	3612	HZTCFA5.exe	cmd.exe
PID 3612 wrote to memory of 908	3612	HZTCFA5.exe	cmd.exe
PID 908 wrote to memory of 2332	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 2332	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 3276	908	cmd.exe	HZTCFA5.exe
PID 908 wrote to memory of 3276	908	cmd.exe	HZTCFA5.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12.0.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\12.0.dll,#1
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:652

C:\ProgramData\lkag\lkag.exe
"C:\ProgramData\lkag\lkag.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\ProgramData\lkag\lkag.exe FJFTZ
4⤵
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
5⤵
- Runs ping.exe
PID:2324

C:\ProgramData\lkag\lkag.exe
C:\ProgramData\lkag\lkag.exe FJFTZ
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\HZTCFA5.exe ROU5
6⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
7⤵
- Runs ping.exe
PID:3392

C:\Users\Admin\AppData\Local\Temp\HZTCFA5.exe
C:\Users\Admin\AppData\Local\Temp\HZTCFA5.exe ROU5
7⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3612

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\HZTCFA5.exe PKFXLK
8⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\system32\PING.EXE
ping 8.8.7.7 -n 2
9⤵
- Runs ping.exe
PID:2332

C:\Users\Admin\AppData\Local\Temp\HZTCFA5.exe
C:\Users\Admin\AppData\Local\Temp\HZTCFA5.exe PKFXLK
9⤵
- Executes dropped EXE
PID:3276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lkag\lkag.exe

MD5
5ab10b180aca215ff3af5ec0e0e00b87

SHA1
932b0935d0b03dba5d12ddc85aef878e20986f47

SHA256
abe0c08037af3a6f1ee5f815c0c58d3c61aa8c4270ed432839872d0ea758b1bc

SHA512
5cebd2e450f010816f1d6b009e3a3426692fd164cd80f4cd636e983df1e8f9f14eb1dd19c1e9905b9689fd4e3878fac3213dd873c28d906bae5241734f50f58e

Download Submit
C:\ProgramData\lkag\lkag.exe

MD5
5ab10b180aca215ff3af5ec0e0e00b87

SHA1
932b0935d0b03dba5d12ddc85aef878e20986f47

SHA256
abe0c08037af3a6f1ee5f815c0c58d3c61aa8c4270ed432839872d0ea758b1bc

SHA512
5cebd2e450f010816f1d6b009e3a3426692fd164cd80f4cd636e983df1e8f9f14eb1dd19c1e9905b9689fd4e3878fac3213dd873c28d906bae5241734f50f58e

Download Submit
C:\ProgramData\lkag\lkag.exe

MD5
5ab10b180aca215ff3af5ec0e0e00b87

SHA1
932b0935d0b03dba5d12ddc85aef878e20986f47

SHA256
abe0c08037af3a6f1ee5f815c0c58d3c61aa8c4270ed432839872d0ea758b1bc

SHA512
5cebd2e450f010816f1d6b009e3a3426692fd164cd80f4cd636e983df1e8f9f14eb1dd19c1e9905b9689fd4e3878fac3213dd873c28d906bae5241734f50f58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZTCFA5.exe

MD5
5ab10b180aca215ff3af5ec0e0e00b87

SHA1
932b0935d0b03dba5d12ddc85aef878e20986f47

SHA256
abe0c08037af3a6f1ee5f815c0c58d3c61aa8c4270ed432839872d0ea758b1bc

SHA512
5cebd2e450f010816f1d6b009e3a3426692fd164cd80f4cd636e983df1e8f9f14eb1dd19c1e9905b9689fd4e3878fac3213dd873c28d906bae5241734f50f58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZTCFA5.exe

MD5
5ab10b180aca215ff3af5ec0e0e00b87

SHA1
932b0935d0b03dba5d12ddc85aef878e20986f47

SHA256
abe0c08037af3a6f1ee5f815c0c58d3c61aa8c4270ed432839872d0ea758b1bc

SHA512
5cebd2e450f010816f1d6b009e3a3426692fd164cd80f4cd636e983df1e8f9f14eb1dd19c1e9905b9689fd4e3878fac3213dd873c28d906bae5241734f50f58e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZTCFA5.exe

MD5
5ab10b180aca215ff3af5ec0e0e00b87

SHA1
932b0935d0b03dba5d12ddc85aef878e20986f47

SHA256
abe0c08037af3a6f1ee5f815c0c58d3c61aa8c4270ed432839872d0ea758b1bc

SHA512
5cebd2e450f010816f1d6b009e3a3426692fd164cd80f4cd636e983df1e8f9f14eb1dd19c1e9905b9689fd4e3878fac3213dd873c28d906bae5241734f50f58e

Download Submit
memory/652-4-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/652-2-0x0000000000000000-mapping.dmp

Download
memory/652-3-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/908-20-0x0000000000000000-mapping.dmp

Download
memory/1584-11-0x0000000000000000-mapping.dmp

Download
memory/1924-14-0x0000000000000000-mapping.dmp

Download
memory/2324-10-0x0000000000000000-mapping.dmp

Download
memory/2332-21-0x0000000000000000-mapping.dmp

Download
memory/3012-9-0x0000000000000000-mapping.dmp

Download
memory/3276-22-0x0000000000000000-mapping.dmp

Download
memory/3316-5-0x0000000000000000-mapping.dmp

Download
memory/3316-8-0x0000000180000000-0x0000000180024000-memory.dmp

Filesize
144KB

Download
memory/3392-15-0x0000000000000000-mapping.dmp

Download
memory/3612-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads