bazarloader | 8c39b5dd896e4b7163f0c9f27b3ecde4435fa98666cd6e8e1f0a7df73ed757f7

General

Target

subscription_1617218228.xlsb
Size

240KB
MD5

cc029b8675d3b262564d4d81c6008d5b
SHA1

8ff96b31ed0dc8689d868dcabc610aa3efbbe13c
SHA256

8c39b5dd896e4b7163f0c9f27b3ecde4435fa98666cd6e8e1f0a7df73ed757f7
SHA512

ab67497eb40b043ad18e6346eedbb906ce9411b660ae4ccb0b7939b891625fa324a0f505737251748ccc0874b85e0a6f453920d01d890e2e48f617821432ae61

Score

10^/10

bazarloader nloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Nloader
Simple loader that includes the keyword 'cambo' in the URL used to download other families.
loader nloader

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exerundll32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	3776	3116	cmd.exe	EXCEL.EXE
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2784	3116	rundll32.exe	EXCEL.EXE

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1792-19-0x00000268FAAE0000-0x00000268FAB14000-memory.dmp	BazarLoaderVar6
behavioral2/memory/2888-29-0x0000029255AD0000-0x0000029255B04000-memory.dmp	BazarLoaderVar6

Nloader Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3712-14-0x00000000004E0000-0x00000000004E5000-memory.dmp	nloader

Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

32 3712 rundll32.exe
33 3712 rundll32.exe
Executes dropped EXE 2 IoCs

Processes:

fjlq.exefjlq.exe

pid process

1792 fjlq.exe
2888 fjlq.exe

flow	pid	process
32	3712	rundll32.exe
33	3712	rundll32.exe

pid	process
1792	fjlq.exe
2888	fjlq.exe

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
129	ekasekyw.bazar
204	yggyavre.bazar
348	ygxiekom.bazar
288	ersiekyw.bazar
258	ywkyekvi.bazar
260	meixygvi.bazar
289	omsiekvi.bazar
290	omoxekre.bazar
309	requekvi.bazar
57	mexoekvi.bazar
132	soohygom.bazar
188	yzdiavom.bazar
212	ywanwyvi.bazar
277	ywxiavom.bazar
305	reanavyw.bazar
316	yzdiwyyw.bazar
338	onwoygyw.bazar
64	ekdiwyom.bazar
97	meoxavre.bazar
179	evsiekre.bazar
98	meleavre.bazar
232	regywyyw.bazar
306	udapwyyw.bazar
103	ekixavvi.bazar
164	omapwyre.bazar
333	vikyavre.bazar
238	soohygvi.bazar
244	ewquwyre.bazar
249	vixoygyw.bazar
144	evleekom.bazar
186	vikyekyw.bazar
213	yrgyygom.bazar
272	reezavre.bazar
121	wauxwyre.bazar
137	soraygyw.bazar
184	ywoxekre.bazar
203	eranekom.bazar
257	evwoygyw.bazar
293	waanavom.bazar
301	yrgyekre.bazar
324	ygezekom.bazar
118	ewqaekre.bazar
195	ygdiekom.bazar
200	wyxowyre.bazar
156	avwoygre.bazar
209	ygixygom.bazar
250	yroxygvi.bazar
274	viaswyvi.bazar
337	waoxygyw.bazar
345	wykyavom.bazar
125	yrapygvi.bazar
176	omxoekom.bazar
211	avquavom.bazar
357	ekraavvi.bazar
113	wywoekvi.bazar
120	avoxwyyw.bazar
167	udxiwyom.bazar
145	udezekvi.bazar
251	yrxowyyw.bazar
256	yrquekre.bazar
63	avrawyom.bazar
91	udixygom.bazar
92	ekapwyyw.bazar
190	ewdiekvi.bazar

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3712 rundll32.exe

pid	process
3712	rundll32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

3116 EXCEL.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE
3116	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

EXCEL.EXEcmd.exerundll32.exerundll32.exe

description	pid	process	target process
PID 3116 wrote to memory of 3776	3116	EXCEL.EXE	cmd.exe
PID 3116 wrote to memory of 3776	3116	EXCEL.EXE	cmd.exe
PID 3776 wrote to memory of 3952	3776	cmd.exe	certutil.exe
PID 3776 wrote to memory of 3952	3776	cmd.exe	certutil.exe
PID 3116 wrote to memory of 2784	3116	EXCEL.EXE	rundll32.exe
PID 3116 wrote to memory of 2784	3116	EXCEL.EXE	rundll32.exe
PID 2784 wrote to memory of 3712	2784	rundll32.exe	rundll32.exe
PID 2784 wrote to memory of 3712	2784	rundll32.exe	rundll32.exe
PID 2784 wrote to memory of 3712	2784	rundll32.exe	rundll32.exe
PID 3712 wrote to memory of 1792	3712	rundll32.exe	fjlq.exe
PID 3712 wrote to memory of 1792	3712	rundll32.exe	fjlq.exe

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\subscription_1617218228.xlsb"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\18482.bki %PUBLIC%\18482.xoq
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3776

C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Public\18482.bki C:\Users\Public\18482.xoq
3⤵
PID:3952

C:\Windows\SYSTEM32\rundll32.exe
rundll32 C:\Users\Public\18482.xoq,DF1
2⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\18482.xoq,DF1
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3712

C:\ProgramData\fjlq\fjlq.exe
"C:\ProgramData\fjlq\fjlq.exe"
4⤵
- Executes dropped EXE
PID:1792

C:\ProgramData\fjlq\fjlq.exe
C:\ProgramData\fjlq\fjlq.exe 1374627430
1⤵
- Executes dropped EXE
PID:2888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fjlq\fjlq.exe
MD5
68defeb5cbf90fac11e4db64d2e39ab5

SHA1
cd440bd01a0448ebc123bdc5fefbfb77ddc0a095

SHA256
fb94f0c62b1eb990c2c39413cda78b45690e275aceb85af58bb84c887fc4bb67

SHA512
897d0291d2a632a02898be1ab74110d6e7973220f7668c64f5fd62b258a1c831df0be8d72efb647d2fd0c945c596d7e1dd6d89b0e0289ffdd38d101e4144d6af

Download Submit
C:\ProgramData\fjlq\fjlq.exe
MD5
68defeb5cbf90fac11e4db64d2e39ab5

SHA1
cd440bd01a0448ebc123bdc5fefbfb77ddc0a095

SHA256
fb94f0c62b1eb990c2c39413cda78b45690e275aceb85af58bb84c887fc4bb67

SHA512
897d0291d2a632a02898be1ab74110d6e7973220f7668c64f5fd62b258a1c831df0be8d72efb647d2fd0c945c596d7e1dd6d89b0e0289ffdd38d101e4144d6af

Download Submit
C:\ProgramData\fjlq\fjlq.exe
MD5
68defeb5cbf90fac11e4db64d2e39ab5

SHA1
cd440bd01a0448ebc123bdc5fefbfb77ddc0a095

SHA256
fb94f0c62b1eb990c2c39413cda78b45690e275aceb85af58bb84c887fc4bb67

SHA512
897d0291d2a632a02898be1ab74110d6e7973220f7668c64f5fd62b258a1c831df0be8d72efb647d2fd0c945c596d7e1dd6d89b0e0289ffdd38d101e4144d6af

Download Submit
C:\Users\Public\18482.bki
MD5
28d777c925eecd3dd03b7d342161e57b

SHA1
5530e73a70e4a6684f3dc726daf6b33b6809429d

SHA256
7b4bdba416484dd49f169cb8de35fbe94ec6924c298a333bf9297182d1a1bfc5

SHA512
d66fece28c293adcbef49d7043297480d21fe6fd607ca4d406da701a23b2c79047cbe58bf7daff293c000c9c04b777de1252637573ca74bef73934df82070f3c

Download Submit
C:\Users\Public\18482.xoq
MD5
21068adcd7b6662375e49d5892724292

SHA1
db01d964626ed80eab51e3705ca4cdf501a061ca

SHA256
00d71bcfe0af23d653b79a363683e918cdc6bbc297c7b5e16890d4d4bc7a249d

SHA512
46b4bc1ffcff98ed602b6c4badb9d2b594361020051691f74a449943f7ddece419afd55e6a7626e5169d42a1f6ab5b73fd9ea6c11af4c086e9c1fbbd6b1b75a9

Download Submit
\Users\Public\18482.xoq
MD5
21068adcd7b6662375e49d5892724292

SHA1
db01d964626ed80eab51e3705ca4cdf501a061ca

SHA256
00d71bcfe0af23d653b79a363683e918cdc6bbc297c7b5e16890d4d4bc7a249d

SHA512
46b4bc1ffcff98ed602b6c4badb9d2b594361020051691f74a449943f7ddece419afd55e6a7626e5169d42a1f6ab5b73fd9ea6c11af4c086e9c1fbbd6b1b75a9

Download Submit
memory/1792-19-0x00000268FAAE0000-0x00000268FAB14000-memory.dmp

Filesize
208KB

Download
memory/1792-15-0x0000000000000000-mapping.dmp

Download
memory/2784-10-0x0000000000000000-mapping.dmp

Download
memory/2888-29-0x0000029255AD0000-0x0000029255B04000-memory.dmp

Filesize
208KB

Download
memory/3116-6-0x00007FF81FB20000-0x00007FF820157000-memory.dmp

Filesize
6.2MB

Download
memory/3116-2-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

Filesize
64KB

Download
memory/3116-5-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

Filesize
64KB

Download
memory/3116-4-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

Filesize
64KB

Download
memory/3116-3-0x00007FF7FC7D0000-0x00007FF7FC7E0000-memory.dmp

Filesize
64KB

Download
memory/3712-12-0x0000000000000000-mapping.dmp

Download
memory/3712-14-0x00000000004E0000-0x00000000004E5000-memory.dmp

Filesize
20KB

Download
memory/3776-7-0x0000000000000000-mapping.dmp

Download
memory/3952-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads