bazarloader | 258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

General

Target

81e6dcf2510ffc2400743e912448013f.exe
Size

316KB
MD5

81e6dcf2510ffc2400743e912448013f
SHA1

b1b29fff6348b805851513ce8812990a2f5a4e39
SHA256

258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4
SHA512

f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 6 IoCs

resource	yara_rule
behavioral1/memory/776-2-0x0000000001C70000-0x0000000001C95000-memory.dmp	BazarLoaderVar1
behavioral1/memory/776-3-0x0000000001CA0000-0x0000000001CC3000-memory.dmp	BazarLoaderVar1
behavioral1/memory/776-4-0x0000000000300000-0x0000000000322000-memory.dmp	BazarLoaderVar1
behavioral1/memory/428-10-0x0000000000470000-0x0000000000493000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1676-19-0x0000000000450000-0x0000000000473000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1064-28-0x00000000004E0000-0x0000000000503000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

pid	Process
1676	CPP16EA.exe
1064	CPP16EA.exe

Loads dropped DLL 2 IoCs

pid	Process
668	cmd.exe
720	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\MK90GJVY4Y = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v WYILGH4LL /t REG_SZ /d \"C:\\Users\\Admin\\AppData\\Local\\Temp\\CPP16EA.exe O3PAB\" & start \"H\" C:\\Users\\Admin\\AppData\\Local\\Temp\\CPP16EA.exe O3PAB"	CPP16EA.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1348	PING.EXE
1512	PING.EXE
672	PING.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
776	81e6dcf2510ffc2400743e912448013f.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 776 wrote to memory of 896	776	81e6dcf2510ffc2400743e912448013f.exe	29
PID 776 wrote to memory of 896	776	81e6dcf2510ffc2400743e912448013f.exe	29
PID 776 wrote to memory of 896	776	81e6dcf2510ffc2400743e912448013f.exe	29
PID 896 wrote to memory of 1348	896	cmd.exe	31
PID 896 wrote to memory of 1348	896	cmd.exe	31
PID 896 wrote to memory of 1348	896	cmd.exe	31
PID 896 wrote to memory of 428	896	cmd.exe	32
PID 896 wrote to memory of 428	896	cmd.exe	32
PID 896 wrote to memory of 428	896	cmd.exe	32
PID 428 wrote to memory of 668	428	81e6dcf2510ffc2400743e912448013f.exe	33
PID 428 wrote to memory of 668	428	81e6dcf2510ffc2400743e912448013f.exe	33
PID 428 wrote to memory of 668	428	81e6dcf2510ffc2400743e912448013f.exe	33
PID 668 wrote to memory of 1512	668	cmd.exe	35
PID 668 wrote to memory of 1512	668	cmd.exe	35
PID 668 wrote to memory of 1512	668	cmd.exe	35
PID 668 wrote to memory of 1676	668	cmd.exe	36
PID 668 wrote to memory of 1676	668	cmd.exe	36
PID 668 wrote to memory of 1676	668	cmd.exe	36
PID 1676 wrote to memory of 720	1676	CPP16EA.exe	37
PID 1676 wrote to memory of 720	1676	CPP16EA.exe	37
PID 1676 wrote to memory of 720	1676	CPP16EA.exe	37
PID 720 wrote to memory of 672	720	cmd.exe	39
PID 720 wrote to memory of 672	720	cmd.exe	39
PID 720 wrote to memory of 672	720	cmd.exe	39
PID 720 wrote to memory of 1064	720	cmd.exe	40
PID 720 wrote to memory of 1064	720	cmd.exe	40
PID 720 wrote to memory of 1064	720	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe
"C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:776
- C:\Windows\system32\cmd.exe
  cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe QB2KET
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\system32\PING.EXE
    ping 8.8.7.7 -n 2
    3⤵
    - Runs ping.exe
    PID:1348
- - C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe
    C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe QB2KET
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\system32\cmd.exe
      cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\CPP16EA.exe MEW1DLD
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Windows\system32\PING.EXE
        
        ping 8.8.7.7 -n 2
        5⤵
        Runs ping.exe
        
        PID:1512
    - - C:\Users\Admin\AppData\Local\Temp\CPP16EA.exe
        
        C:\Users\Admin\AppData\Local\Temp\CPP16EA.exe MEW1DLD
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Windows\system32\cmd.exe
        
        cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\cPP16EA.exe O3PAB
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\system32\PING.EXE
        
        ping 8.8.7.7 -n 2
        7⤵
        Runs ping.exe
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\CPP16EA.exe
        
        C:\Users\Admin\AppData\Local\Temp\cPP16EA.exe O3PAB
        7⤵
        Executes dropped EXE
        
        PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-10-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/776-3-0x0000000001CA0000-0x0000000001CC3000-memory.dmp

Filesize
140KB

Download
memory/776-2-0x0000000001C70000-0x0000000001C95000-memory.dmp

Filesize
148KB

Download
memory/776-4-0x0000000000300000-0x0000000000322000-memory.dmp

Filesize
136KB

Download
memory/1064-28-0x00000000004E0000-0x0000000000503000-memory.dmp

Filesize
140KB

Download
memory/1676-19-0x0000000000450000-0x0000000000473000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing