bazarloader | 258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

General

Target

81e6dcf2510ffc2400743e912448013f.exe
Size

316KB
MD5

81e6dcf2510ffc2400743e912448013f
SHA1

b1b29fff6348b805851513ce8812990a2f5a4e39
SHA256

258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4
SHA512

f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 4 IoCs

resource	yara_rule
behavioral2/memory/4768-2-0x0000000000400000-0x0000000000425000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4768-3-0x0000000000430000-0x0000000000453000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4768-4-0x00000000001B0000-0x00000000001D2000-memory.dmp	BazarLoaderVar1
behavioral2/memory/1608-27-0x0000000001FF0000-0x0000000002013000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

pid	Process
1128	RKC7204.exe
1608	RKC7204.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\D51AM76CR = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v B5CUQFXB6P /t REG_SZ /d \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RKC7204.exe JU0NGE\" & start \"H\" C:\\Users\\Admin\\AppData\\Local\\Temp\\RKC7204.exe JU0NGE"	RKC7204.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	RKC7204.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1544	PING.EXE
4320	PING.EXE
840	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4768	81e6dcf2510ffc2400743e912448013f.exe
4768	81e6dcf2510ffc2400743e912448013f.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 4200	4768	81e6dcf2510ffc2400743e912448013f.exe	78
PID 4768 wrote to memory of 4200	4768	81e6dcf2510ffc2400743e912448013f.exe	78
PID 4200 wrote to memory of 4320	4200	cmd.exe	80
PID 4200 wrote to memory of 4320	4200	cmd.exe	80
PID 4200 wrote to memory of 528	4200	cmd.exe	81
PID 4200 wrote to memory of 528	4200	cmd.exe	81
PID 528 wrote to memory of 880	528	81e6dcf2510ffc2400743e912448013f.exe	82
PID 528 wrote to memory of 880	528	81e6dcf2510ffc2400743e912448013f.exe	82
PID 880 wrote to memory of 840	880	cmd.exe	84
PID 880 wrote to memory of 840	880	cmd.exe	84
PID 880 wrote to memory of 1128	880	cmd.exe	85
PID 880 wrote to memory of 1128	880	cmd.exe	85
PID 1128 wrote to memory of 1316	1128	RKC7204.exe	86
PID 1128 wrote to memory of 1316	1128	RKC7204.exe	86
PID 1316 wrote to memory of 1544	1316	cmd.exe	88
PID 1316 wrote to memory of 1544	1316	cmd.exe	88
PID 1316 wrote to memory of 1608	1316	cmd.exe	89
PID 1316 wrote to memory of 1608	1316	cmd.exe	89

C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe
"C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe DZOF6
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\system32\PING.EXE
    ping 8.8.7.7 -n 2
    3⤵
    - Runs ping.exe
    PID:4320
- - C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe
    C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe DZOF6
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\RKC7204.exe DO32
      4⤵
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Windows\system32\PING.EXE
        
        ping 8.8.7.7 -n 2
        5⤵
        Runs ping.exe
        
        PID:840
    - - C:\Users\Admin\AppData\Local\Temp\RKC7204.exe
        
        C:\Users\Admin\AppData\Local\Temp\RKC7204.exe DO32
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\rKC7204.exe JU0NGE
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\system32\PING.EXE
        
        ping 8.8.7.7 -n 2
        7⤵
        Runs ping.exe
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\RKC7204.exe
        
        C:\Users\Admin\AppData\Local\Temp\rKC7204.exe JU0NGE
        7⤵
        Executes dropped EXE
        
        PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1608-27-0x0000000001FF0000-0x0000000002013000-memory.dmp

Filesize
140KB

Download
memory/4768-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4768-4-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download
memory/4768-3-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing