bazarloader | 258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

General

Target

81e6dcf2510ffc2400743e912448013f.exe
Size

316KB
MD5

81e6dcf2510ffc2400743e912448013f
SHA1

b1b29fff6348b805851513ce8812990a2f5a4e39
SHA256

258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4
SHA512

f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4768-2-0x0000000000400000-0x0000000000425000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4768-3-0x0000000000430000-0x0000000000453000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4768-4-0x00000000001B0000-0x00000000001D2000-memory.dmp	BazarLoaderVar1
behavioral2/memory/1608-27-0x0000000001FF0000-0x0000000002013000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

RKC7204.exeRKC7204.exe

pid process

1128 RKC7204.exe
1608 RKC7204.exe

pid	process
1128	RKC7204.exe
1608	RKC7204.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RKC7204.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\D51AM76CR = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v B5CUQFXB6P /t REG_SZ /d \"C:\\Users\\Admin\\AppData\\Local\\Temp\\RKC7204.exe JU0NGE\" & start \"H\" C:\\Users\\Admin\\AppData\\Local\\Temp\\RKC7204.exe JU0NGE"	RKC7204.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	RKC7204.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1544 PING.EXE
4320 PING.EXE
840 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

81e6dcf2510ffc2400743e912448013f.exe

pid process

4768 81e6dcf2510ffc2400743e912448013f.exe
4768 81e6dcf2510ffc2400743e912448013f.exe

pid	process
1544	PING.EXE
4320	PING.EXE
840	PING.EXE

pid	process
4768	81e6dcf2510ffc2400743e912448013f.exe
4768	81e6dcf2510ffc2400743e912448013f.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

81e6dcf2510ffc2400743e912448013f.execmd.exe81e6dcf2510ffc2400743e912448013f.execmd.exeRKC7204.execmd.exe

description	pid	process	target process
PID 4768 wrote to memory of 4200	4768	81e6dcf2510ffc2400743e912448013f.exe	cmd.exe
PID 4768 wrote to memory of 4200	4768	81e6dcf2510ffc2400743e912448013f.exe	cmd.exe
PID 4200 wrote to memory of 4320	4200	cmd.exe	PING.EXE
PID 4200 wrote to memory of 4320	4200	cmd.exe	PING.EXE
PID 4200 wrote to memory of 528	4200	cmd.exe	81e6dcf2510ffc2400743e912448013f.exe
PID 4200 wrote to memory of 528	4200	cmd.exe	81e6dcf2510ffc2400743e912448013f.exe
PID 528 wrote to memory of 880	528	81e6dcf2510ffc2400743e912448013f.exe	cmd.exe
PID 528 wrote to memory of 880	528	81e6dcf2510ffc2400743e912448013f.exe	cmd.exe
PID 880 wrote to memory of 840	880	cmd.exe	PING.EXE
PID 880 wrote to memory of 840	880	cmd.exe	PING.EXE
PID 880 wrote to memory of 1128	880	cmd.exe	RKC7204.exe
PID 880 wrote to memory of 1128	880	cmd.exe	RKC7204.exe
PID 1128 wrote to memory of 1316	1128	RKC7204.exe	cmd.exe
PID 1128 wrote to memory of 1316	1128	RKC7204.exe	cmd.exe
PID 1316 wrote to memory of 1544	1316	cmd.exe	PING.EXE
PID 1316 wrote to memory of 1544	1316	cmd.exe	PING.EXE
PID 1316 wrote to memory of 1608	1316	cmd.exe	RKC7204.exe
PID 1316 wrote to memory of 1608	1316	cmd.exe	RKC7204.exe

C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe
"C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe DZOF6
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4200
- - C:\Windows\system32\PING.EXE
    ping 8.8.7.7 -n 2
    3⤵
    - Runs ping.exe
    PID:4320
- - C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe
    C:\Users\Admin\AppData\Local\Temp\81e6dcf2510ffc2400743e912448013f.exe DZOF6
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:528
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\RKC7204.exe DO32
      4⤵
      Suspicious use of WriteProcessMemory
      PID:880
    - - C:\Windows\system32\PING.EXE
        
        ping 8.8.7.7 -n 2
        5⤵
        Runs ping.exe
        
        PID:840
    - - C:\Users\Admin\AppData\Local\Temp\RKC7204.exe
        
        C:\Users\Admin\AppData\Local\Temp\RKC7204.exe DO32
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1128
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c ping 8.8.7.7 -n 2 & start C:\Users\Admin\AppData\Local\Temp\rKC7204.exe JU0NGE
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\system32\PING.EXE
        
        ping 8.8.7.7 -n 2
        7⤵
        Runs ping.exe
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\RKC7204.exe
        
        C:\Users\Admin\AppData\Local\Temp\rKC7204.exe JU0NGE
        7⤵
        Executes dropped EXE
        
        PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RKC7204.exe

MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKC7204.exe

MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RKC7204.exe

MD5
81e6dcf2510ffc2400743e912448013f

SHA1
b1b29fff6348b805851513ce8812990a2f5a4e39

SHA256
258ad65c676c26e608f331bc538a985fd4ac019c6ca4229e4e197acaa93d82c4

SHA512
f1e8cc52664acb684ab9f06227d28de19629de888fdb73ad42f325199e587388301751cdd8c10680127b5d6a439c98da9a25252951ba6bb26648880714a596bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff

MD5
cf55af6d1c670fd63c2fbea5c4782d27

SHA1
276a47f3b2927c8eb380e570ddb7fb369f00c133

SHA256
e7a41647b7c434676352697a2b792c6ac658e441d061815aec650568280613e6

SHA512
551cb94fec22f654a12ab570ae31a5689f08fc5fd32abc414b8cfb68370d47e8676e868135d97106092345ac4a201030aa25f71f78e5c57b42f61529c1cdce14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff

MD5
3b0b20483c0df75bf8ad4ba09ab653ed

SHA1
765837e61d7feaa747277add82929957a7d2b41e

SHA256
829b4de61cc0c02fecdeb39153e24ee994aa3d8135edbe6b4889a9b7b6ad3fb6

SHA512
c0c997e676e5defad841c87e8685cfdc252749c35d3ec9f4006f298c57d5a400c51a1af10a116d941510e4b6f990c61be1af83431feb9f8602a04a7df2be43c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3341490333-719741536-2920803124-1000\0f5007522459c86e95ffcc62f32308f1_4a1d5b5d-6336-41a4-a4da-b4af65e6deff

MD5
42c24aa8e94d0bc2831e79ab03a411d7

SHA1
4c9082533b68b00ce8cf4d9019fd57ca10757589

SHA256
e63a59f9dccc0217171879c04993ab821ab6bee54b2a2ef0362cd78e05eea8b4

SHA512
ec97d172d91a314040d2beba1c83338a42900c5f2497b01422a1e8454f8776f8b4ca92db7c9a7c238dcaa730c98d2e50ea4d2e7bab040e9745c9835d1c151e3f

Download Submit
memory/528-7-0x0000000000000000-mapping.dmp

Download
memory/840-13-0x0000000000000000-mapping.dmp

Download
memory/880-12-0x0000000000000000-mapping.dmp

Download
memory/1128-14-0x0000000000000000-mapping.dmp

Download
memory/1316-21-0x0000000000000000-mapping.dmp

Download
memory/1544-22-0x0000000000000000-mapping.dmp

Download
memory/1608-23-0x0000000000000000-mapping.dmp

Download
memory/1608-27-0x0000000001FF0000-0x0000000002013000-memory.dmp

Filesize
140KB

Download
memory/4200-5-0x0000000000000000-mapping.dmp

Download
memory/4320-6-0x0000000000000000-mapping.dmp

Download
memory/4768-2-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/4768-4-0x00000000001B0000-0x00000000001D2000-memory.dmp

Filesize
136KB

Download
memory/4768-3-0x0000000000430000-0x0000000000453000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads