bazarloader | 8c39b5dd896e4b7163f0c9f27b3ecde4435fa98666cd6e8e1f0a7df73ed757f7

General

Target

subscription_1617218228.xlsb
Size

240KB
MD5

cc029b8675d3b262564d4d81c6008d5b
SHA1

8ff96b31ed0dc8689d868dcabc610aa3efbbe13c
SHA256

8c39b5dd896e4b7163f0c9f27b3ecde4435fa98666cd6e8e1f0a7df73ed757f7
SHA512

ab67497eb40b043ad18e6346eedbb906ce9411b660ae4ccb0b7939b891625fa324a0f505737251748ccc0874b85e0a6f453920d01d890e2e48f617821432ae61

Score

10^/10

bazarloader nloader dropper loader

Malware Config

Extracted

Language

xlm4.0

Source

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	864	1832	cmd.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1260	1832	rundll32.exe	EXCEL.EXE

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1920-19-0x0000000000230000-0x0000000000264000-memory.dmp	BazarLoaderVar6
behavioral1/memory/292-23-0x0000000000240000-0x0000000000274000-memory.dmp	BazarLoaderVar6

Nloader Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1260-14-0x00000000001A0000-0x00000000001A5000-memory.dmp	nloader

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

5 1260 rundll32.exe
6 1260 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

fjlq.exefjlq.exe

pid process

1920 fjlq.exe
292 fjlq.exe

flow	pid	process
5	1260	rundll32.exe
6	1260	rundll32.exe

pid	process
1920	fjlq.exe
292	fjlq.exe

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
103	omaswyom.bazar
109	meoxwyyw.bazar
110	reuxwyre.bazar
116	mekyygom.bazar
86	vidiekre.bazar
34	evoxygom.bazar
63	meezwyom.bazar
91	ywkyavre.bazar
117	ewezygom.bazar
25	bestsightsofwildaustralia.bazar
96	meqaekre.bazar
100	mequygom.bazar
68	ygixwyom.bazar
101	sosiygvi.bazar
123	tosiwyyw.bazar
133	waanygyw.bazar
53	toxiwyom.bazar
41	udxoekvi.bazar
44	avxowyre.bazar
47	avqaekvi.bazar
65	onasekvi.bazar
87	avixavvi.bazar
24	vacationinsydney2021.bazar
46	reqaavyw.bazar
83	udaswyom.bazar
89	onqaekom.bazar
112	onasavyw.bazar
36	udsiavyw.bazar
81	toasavyw.bazar
105	reohavvi.bazar
125	wawoygyw.bazar
72	yzdiygvi.bazar
104	ywxiavyw.bazar
79	ywqaekyw.bazar
90	viasavom.bazar
126	ywqaavvi.bazar
128	evasekre.bazar
137	ekraavre.bazar
38	yrquavom.bazar
49	reoxwyre.bazar
51	udraekom.bazar
74	onrawyvi.bazar
94	measygom.bazar
30	eksiekom.bazar
48	reoxwyre.bazar
58	ewxiygom.bazar
32	ekquwyyw.bazar
52	ewuxekom.bazar
59	vixiavyw.bazar
84	udgywyre.bazar
136	omxoygvi.bazar
42	ewwoekyw.bazar
29	udohygyw.bazar
106	eksiwyyw.bazar
113	sowoekyw.bazar
114	avgywyvi.bazar
27	avgyygre.bazar
66	avgywyom.bazar
118	toohavyw.bazar
60	ekixekre.bazar
62	yzxoekyw.bazar
92	evquekyw.bazar
121	ywixekyw.bazar
135	soraavvi.bazar

Loads dropped DLL 4 IoCs

Processes:

rundll32.exe

pid process

1260 rundll32.exe
1260 rundll32.exe
1260 rundll32.exe
876
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 19 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1260	rundll32.exe
1260	rundll32.exe
1260	rundll32.exe
876

description	flow	ioc
HTTP URL	19	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

fjlq.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	fjlq.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	fjlq.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1832 EXCEL.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

EXCEL.EXE

pid process

1832 EXCEL.EXE
1832 EXCEL.EXE
1832 EXCEL.EXE
1832 EXCEL.EXE
1832 EXCEL.EXE

pid	process
1832	EXCEL.EXE

pid	process
1832	EXCEL.EXE
1832	EXCEL.EXE
1832	EXCEL.EXE
1832	EXCEL.EXE
1832	EXCEL.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exe

description	pid	process	target process
PID 1832 wrote to memory of 864	1832	EXCEL.EXE	cmd.exe
PID 1832 wrote to memory of 864	1832	EXCEL.EXE	cmd.exe
PID 1832 wrote to memory of 864	1832	EXCEL.EXE	cmd.exe
PID 1832 wrote to memory of 864	1832	EXCEL.EXE	cmd.exe
PID 864 wrote to memory of 1092	864	cmd.exe	certutil.exe
PID 864 wrote to memory of 1092	864	cmd.exe	certutil.exe
PID 864 wrote to memory of 1092	864	cmd.exe	certutil.exe
PID 864 wrote to memory of 1092	864	cmd.exe	certutil.exe
PID 1832 wrote to memory of 1260	1832	EXCEL.EXE	rundll32.exe
PID 1832 wrote to memory of 1260	1832	EXCEL.EXE	rundll32.exe
PID 1832 wrote to memory of 1260	1832	EXCEL.EXE	rundll32.exe
PID 1832 wrote to memory of 1260	1832	EXCEL.EXE	rundll32.exe
PID 1832 wrote to memory of 1260	1832	EXCEL.EXE	rundll32.exe
PID 1832 wrote to memory of 1260	1832	EXCEL.EXE	rundll32.exe
PID 1832 wrote to memory of 1260	1832	EXCEL.EXE	rundll32.exe
PID 1260 wrote to memory of 1920	1260	rundll32.exe	fjlq.exe
PID 1260 wrote to memory of 1920	1260	rundll32.exe	fjlq.exe
PID 1260 wrote to memory of 1920	1260	rundll32.exe	fjlq.exe
PID 1260 wrote to memory of 1920	1260	rundll32.exe	fjlq.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\subscription_1617218228.xlsb
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\18482.bki %PUBLIC%\18482.xoq
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\certutil.exe
certutil -decode C:\Users\Public\18482.bki C:\Users\Public\18482.xoq
3⤵
PID:1092

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\18482.xoq,DF1
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260

C:\ProgramData\fjlq\fjlq.exe
"C:\ProgramData\fjlq\fjlq.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
PID:1920

C:\ProgramData\fjlq\fjlq.exe
C:\ProgramData\fjlq\fjlq.exe 948774654
1⤵
- Executes dropped EXE
PID:292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Install Root Certificate

1

T1130

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fjlq\fjlq.exe
MD5
68defeb5cbf90fac11e4db64d2e39ab5

SHA1
cd440bd01a0448ebc123bdc5fefbfb77ddc0a095

SHA256
fb94f0c62b1eb990c2c39413cda78b45690e275aceb85af58bb84c887fc4bb67

SHA512
897d0291d2a632a02898be1ab74110d6e7973220f7668c64f5fd62b258a1c831df0be8d72efb647d2fd0c945c596d7e1dd6d89b0e0289ffdd38d101e4144d6af

Download Submit
C:\ProgramData\fjlq\fjlq.exe
MD5
68defeb5cbf90fac11e4db64d2e39ab5

SHA1
cd440bd01a0448ebc123bdc5fefbfb77ddc0a095

SHA256
fb94f0c62b1eb990c2c39413cda78b45690e275aceb85af58bb84c887fc4bb67

SHA512
897d0291d2a632a02898be1ab74110d6e7973220f7668c64f5fd62b258a1c831df0be8d72efb647d2fd0c945c596d7e1dd6d89b0e0289ffdd38d101e4144d6af

Download Submit
C:\Users\Public\18482.bki
MD5
28d777c925eecd3dd03b7d342161e57b

SHA1
5530e73a70e4a6684f3dc726daf6b33b6809429d

SHA256
7b4bdba416484dd49f169cb8de35fbe94ec6924c298a333bf9297182d1a1bfc5

SHA512
d66fece28c293adcbef49d7043297480d21fe6fd607ca4d406da701a23b2c79047cbe58bf7daff293c000c9c04b777de1252637573ca74bef73934df82070f3c

Download Submit
C:\Users\Public\18482.xoq
MD5
21068adcd7b6662375e49d5892724292

SHA1
db01d964626ed80eab51e3705ca4cdf501a061ca

SHA256
00d71bcfe0af23d653b79a363683e918cdc6bbc297c7b5e16890d4d4bc7a249d

SHA512
46b4bc1ffcff98ed602b6c4badb9d2b594361020051691f74a449943f7ddece419afd55e6a7626e5169d42a1f6ab5b73fd9ea6c11af4c086e9c1fbbd6b1b75a9

Download Submit
\ProgramData\fjlq\fjlq.exe
MD5
68defeb5cbf90fac11e4db64d2e39ab5

SHA1
cd440bd01a0448ebc123bdc5fefbfb77ddc0a095

SHA256
fb94f0c62b1eb990c2c39413cda78b45690e275aceb85af58bb84c887fc4bb67

SHA512
897d0291d2a632a02898be1ab74110d6e7973220f7668c64f5fd62b258a1c831df0be8d72efb647d2fd0c945c596d7e1dd6d89b0e0289ffdd38d101e4144d6af

Download Submit
\ProgramData\fjlq\fjlq.exe
MD5
68defeb5cbf90fac11e4db64d2e39ab5

SHA1
cd440bd01a0448ebc123bdc5fefbfb77ddc0a095

SHA256
fb94f0c62b1eb990c2c39413cda78b45690e275aceb85af58bb84c887fc4bb67

SHA512
897d0291d2a632a02898be1ab74110d6e7973220f7668c64f5fd62b258a1c831df0be8d72efb647d2fd0c945c596d7e1dd6d89b0e0289ffdd38d101e4144d6af

Download Submit
\ProgramData\fjlq\fjlq.exe
MD5
68defeb5cbf90fac11e4db64d2e39ab5

SHA1
cd440bd01a0448ebc123bdc5fefbfb77ddc0a095

SHA256
fb94f0c62b1eb990c2c39413cda78b45690e275aceb85af58bb84c887fc4bb67

SHA512
897d0291d2a632a02898be1ab74110d6e7973220f7668c64f5fd62b258a1c831df0be8d72efb647d2fd0c945c596d7e1dd6d89b0e0289ffdd38d101e4144d6af

Download Submit
\Users\Public\18482.xoq
MD5
21068adcd7b6662375e49d5892724292

SHA1
db01d964626ed80eab51e3705ca4cdf501a061ca

SHA256
00d71bcfe0af23d653b79a363683e918cdc6bbc297c7b5e16890d4d4bc7a249d

SHA512
46b4bc1ffcff98ed602b6c4badb9d2b594361020051691f74a449943f7ddece419afd55e6a7626e5169d42a1f6ab5b73fd9ea6c11af4c086e9c1fbbd6b1b75a9

Download Submit
memory/292-23-0x0000000000240000-0x0000000000274000-memory.dmp

Filesize
208KB

Download
memory/524-5-0x000007FEF7880000-0x000007FEF7AFA000-memory.dmp

Filesize
2.5MB

Download
memory/864-6-0x0000000000000000-mapping.dmp

Download
memory/1092-8-0x0000000076371000-0x0000000076373000-memory.dmp

Filesize
8KB

Download
memory/1092-7-0x0000000000000000-mapping.dmp

Download
memory/1260-14-0x00000000001A0000-0x00000000001A5000-memory.dmp

Filesize
20KB

Download
memory/1260-10-0x0000000000000000-mapping.dmp

Download
memory/1832-4-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1832-2-0x000000002FCA1000-0x000000002FCA4000-memory.dmp

Filesize
12KB

Download
memory/1832-3-0x00000000717F1000-0x00000000717F3000-memory.dmp

Filesize
8KB

Download
memory/1920-17-0x0000000000000000-mapping.dmp

Download
memory/1920-20-0x000007FEFBF41000-0x000007FEFBF43000-memory.dmp

Filesize
8KB

Download
memory/1920-19-0x0000000000230000-0x0000000000264000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads