bazarloader | 258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

General

Target

81e6dcf2510ffc2400743e912448013f.exe
Size

316KB
MD5

81e6dcf2510ffc2400743e912448013f
SHA1

b1b29fff6348b805851513ce8812990a2f5a4e39
SHA256

258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4
SHA512

f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/776-2-0x0000000001C70000-0x0000000001C95000-memory.dmp	BazarLoaderVar1
behavioral1/memory/776-3-0x0000000001CA0000-0x0000000001CC3000-memory.dmp	BazarLoaderVar1
behavioral1/memory/776-4-0x0000000000300000-0x0000000000322000-memory.dmp	BazarLoaderVar1
behavioral1/memory/428-10-0x0000000000470000-0x0000000000493000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1676-19-0x0000000000450000-0x0000000000473000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1064-28-0x00000000004E0000-0x0000000000503000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

CPP16EA.exeCPP16EA.exe

pid process

1676 CPP16EA.exe
1064 CPP16EA.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.execmd.exe

pid process

668 cmd.exe
720 cmd.exe

pid	process
1676	CPP16EA.exe
1064	CPP16EA.exe

pid	process
668	cmd.exe
720	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CPP16EA.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MK90GJVY4Y = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v WYILGH4LL /t REG_SZ /d \"C:\\Users\\Admin\\AppData\\Local\\Temp\\CPP16EA.exe O3PAB\" & start \"H\" C:\\Users\\Admin\\AppData\\Local\\Temp\\CPP16EA.exe O3PAB"	CPP16EA.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1348 PING.EXE
1512 PING.EXE
672 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

81e6dcf2510ffc2400743e912448013f.exe

pid process

776 81e6dcf2510ffc2400743e912448013f.exe

pid	process
1348	PING.EXE
1512	PING.EXE
672	PING.EXE

pid	process
776	81e6dcf2510ffc2400743e912448013f.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

81e6dcf2510ffc2400743e912448013f.execmd.exe81e6dcf2510ffc2400743e912448013f.execmd.exeCPP16EA.execmd.exe

description	pid	process	target process
PID 776 wrote to memory of 896	776	81e6dcf2510ffc2400743e912448013f.exe	cmd.exe
PID 776 wrote to memory of 896	776	81e6dcf2510ffc2400743e912448013f.exe	cmd.exe
PID 776 wrote to memory of 896	776	81e6dcf2510ffc2400743e912448013f.exe	cmd.exe
PID 896 wrote to memory of 1348	896	cmd.exe	PING.EXE
PID 896 wrote to memory of 1348	896	cmd.exe	PING.EXE
PID 896 wrote to memory of 1348	896	cmd.exe	PING.EXE
PID 896 wrote to memory of 428	896	cmd.exe	81e6dcf2510ffc2400743e912448013f.exe
PID 896 wrote to memory of 428	896	cmd.exe	81e6dcf2510ffc2400743e912448013f.exe
PID 896 wrote to memory of 428	896	cmd.exe	81e6dcf2510ffc2400743e912448013f.exe
PID 428 wrote to memory of 668	428	81e6dcf2510ffc2400743e912448013f.exe	cmd.exe
PID 428 wrote to memory of 668	428	81e6dcf2510ffc2400743e912448013f.exe	cmd.exe
PID 428 wrote to memory of 668	428	81e6dcf2510ffc2400743e912448013f.exe	cmd.exe
PID 668 wrote to memory of 1512	668	cmd.exe	PING.EXE
PID 668 wrote to memory of 1512	668	cmd.exe	PING.EXE
PID 668 wrote to memory of 1512	668	cmd.exe	PING.EXE
PID 668 wrote to memory of 1676	668	cmd.exe	CPP16EA.exe
PID 668 wrote to memory of 1676	668	cmd.exe	CPP16EA.exe
PID 668 wrote to memory of 1676	668	cmd.exe	CPP16EA.exe
PID 1676 wrote to memory of 720	1676	CPP16EA.exe	cmd.exe
PID 1676 wrote to memory of 720	1676	CPP16EA.exe	cmd.exe
PID 1676 wrote to memory of 720	1676	CPP16EA.exe	cmd.exe
PID 720 wrote to memory of 672	720	cmd.exe	PING.EXE
PID 720 wrote to memory of 672	720	cmd.exe	PING.EXE
PID 720 wrote to memory of 672	720	cmd.exe	PING.EXE
PID 720 wrote to memory of 1064	720	cmd.exe	CPP16EA.exe
PID 720 wrote to memory of 1064	720	cmd.exe	CPP16EA.exe
PID 720 wrote to memory of 1064	720	cmd.exe	CPP16EA.exe

C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe
"C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\system32\cmd.exe
  cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe QB2KET
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\system32\PING.EXE
    ping 8.8.7.7 -n 2
    3⤵
    - Runs ping.exe
    PID:1348
- - C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe
    C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe QB2KET
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\system32\cmd.exe
      cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\CPP16EA.exe MEW1DLD
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Windows\system32\PING.EXE
        
        ping 8.8.7.7 -n 2
        5⤵
        Runs ping.exe
        
        PID:1512
    - - C:\Users\Admin\AppData\Local\Temp\CPP16EA.exe
        
        C:\Users\Admin\AppData\Local\Temp\CPP16EA.exe MEW1DLD
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\system32\cmd.exe
        
        cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\cPP16EA.exe O3PAB
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\system32\PING.EXE
        
        ping 8.8.7.7 -n 2
        7⤵
        Runs ping.exe
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\CPP16EA.exe
        
        C:\Users\Admin\AppData\Local\Temp\cPP16EA.exe O3PAB
        7⤵
        Executes dropped EXE
        
        PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CPP16EA.exe

MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPP16EA.exe

MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
accc49f7099fd361a77fd25f831c08ae

SHA1
e3e96a8a565d1ea8292572847f35337afabd120f

SHA256
9c149639a734c90a23abfada4ab7ca3341344771614e5f235d3ed6b42b4066b7

SHA512
caef30d885d80a2baf48db2a78f88d27557f1e24033cd5bd9e83bb12bfcd11d0b08ad0c03f6fd682868d3d6a58d751dc2a8d538bee0cdca613ce309242d3a976

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
df9ec0051364274c6dca48f69763a91e

SHA1
2f42017aa94a88551973cac5060f5fb7f8b35ae1

SHA256
38a3a1b127e58543629dfec638f02e120efd629bde14392795fa542cf2e945a9

SHA512
6641a7db43f159a0e7a5a34e0ed83b0f2ead4c5be7f8f3c17d252cd39b005a62ecfe9115b272c1e70cf52cb03b848edd987483eb4ee80b4a1670a5658a81e0d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
9b06f0f2d50a89364919cd8b0ea6a0d4

SHA1
70af8fd71b33a8c87e89b9de16dcf955099debd3

SHA256
0c5f5569de1d3420e35dbe629ee55081ad7e2db5455906f49563c1ef5c74559e

SHA512
3679db0fbeb701c6b3ab04aa9910d09c2d9bb8410b08870f71e1e873c08b69c4846e041b9ac80ea84f4dbc0f5155f671a8efec39b3224c1e702d8d4e10ad8166

Download Submit
\Users\Admin\AppData\Local\Temp\CPP16EA.exe

MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
\Users\Admin\AppData\Local\Temp\CPP16EA.exe

MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
memory/428-7-0x0000000000000000-mapping.dmp

Download
memory/428-10-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/668-12-0x0000000000000000-mapping.dmp

Download
memory/672-22-0x0000000000000000-mapping.dmp

Download
memory/720-21-0x0000000000000000-mapping.dmp

Download
memory/776-3-0x0000000001CA0000-0x0000000001CC3000-memory.dmp

Filesize
140KB

Download
memory/776-2-0x0000000001C70000-0x0000000001C95000-memory.dmp

Filesize
148KB

Download
memory/776-4-0x0000000000300000-0x0000000000322000-memory.dmp

Filesize
136KB

Download
memory/896-5-0x0000000000000000-mapping.dmp

Download
memory/1064-24-0x0000000000000000-mapping.dmp

Download
memory/1064-28-0x00000000004E0000-0x0000000000503000-memory.dmp

Filesize
140KB

Download
memory/1348-6-0x0000000000000000-mapping.dmp

Download
memory/1512-13-0x0000000000000000-mapping.dmp

Download
memory/1676-19-0x0000000000450000-0x0000000000473000-memory.dmp

Filesize
140KB

Download
memory/1676-15-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads