Analysis
max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10v20201028
submitted: 01-04-2021 03:26
Static task: static1
Behavioral task: behavioral1
  Sample: 61968c8debeae1e415a485c0b4d79b46.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 61968c8debeae1e415a485c0b4d79b46.exe
  Resource: win10v20201028
General
Target: 61968c8debeae1e415a485c0b4d79b46.exe
Size: 285KB
MD5: 61968c8debeae1e415a485c0b4d79b46
SHA1: 59dd3058a18f6fe59a3951c6f119aaf89d52e30f
SHA256: 65b652b99cd7ed6bd82bd0f258b03a483e0da9f3314b67fe9728eca76c3d59a2
SHA512: 15ceac84b2a148eab343f2b7efdee863cf1d97c623592e52c02772d3e498e4c3fae4d8432c21a86dfa66c122e783d71e833218483e05e06016da56432434863e
Malware Config
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
Bazar/Team9 Loader payload (1 IoC)
Processes:
resource: behavioral2/memory/496-3-0x0000000180000000-0x0000000180035000-memory.dmp; yara_rule: BazarLoaderVar6
Tries to connect to .bazar domain (64 IoCs)
Attempts to look up or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
description: HTTP URL; flow: 20; ioc: https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8