bazarloader | 8287e916655be8dabc37550610daa219f5d5351eb8521da64ee9a22f9af7b5e4

Sharing

Copy URL

Twitter E-mail

General

Target

2021-04-07-BazaLoader-malware-and-artifacts.zip
Size

558KB
Sample

210408-5wn1eg76y6
MD5

79504ee399da4dcd08e91404878c13ec
SHA1

4b3bf6815944f74a82a183c4ce21eebac1a250da
SHA256

8287e916655be8dabc37550610daa219f5d5351eb8521da64ee9a22f9af7b5e4
SHA512

c88b0b7ca1bfe2a9cbb107dfced15e1ddf78d40c24408010fb8b91991ed15df6a6e7d750fe1ed2460eaaaa21f796dd5cc3123e7252eaedffeb4afdf776439068

Score

10^/10

Malware Config

Extracted

Family

cobaltstrike

Version

windows/download_exec

http://smollpush.com:443/jquery-3.3.2.slim.min.js

Extracted

Family

cobaltstrike

http://smollpush.com:443/jquery-3.3.1.min.js

Attributes

access_type
512
beacon_type
2048
host
smollpush.com,/jquery-3.3.1.min.js
http_header1
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADQAAAAIAAAAJX19jZmR1aWQ9AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_header2
AAAACgAAAEdBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LCovKjtxPTAuOAAAAAoAAAAgUmVmZXJlcjogaHR0cDovL2NvZGUuanF1ZXJ5LmNvbS8AAAAKAAAAHkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQAAAAcAAAAAAAAADwAAAA0AAAAFAAAACF9fY2ZkdWlkAAAABwAAAAEAAAAPAAAADQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
http_method1
GET
http_method2
POST
jitter
9472
polling_time
45000
port_number
443
sc_process32
%windir%\syswow64\dllhost.exe
sc_process64
%windir%\sysnative\dllhost.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbe+02Ud/juhqbqhjsncHYLOR6MZNiBCycXGj2BZDxOc26CglUSVgOZlGLzO43QJBZyUCnY7D4XuJuFBb9k4dg9DuyZNrY8AigHPYgEZ8KtbPzEryuZbk+BuYpbR/YYjhKW+929s2L6YWk3jppq4/7G3lBvnfZlYXUEKZQQk8SWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4.234810624e+09
unknown2
AAAABAAAAAEAAAXyAAAAAgAAAFQAAAACAAAPWwAAAA0AAAAPAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/jquery-3.3.2.min.js
user_agent
Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko

Extracted

Language

xlm4.0

Source

Targets

- Target
  
  14118.biy
- Size
  
  42KB
- MD5
  
  64ee7574265691eb7636af9de468ce11
- SHA1
  
  66486c4d36d82d0c2eaefe4d6cf170224b1fb1af
- SHA256
  
  df16b3c76350f340988759cc21a78a7cf16831f08e95eb7592b86942859f863a
- SHA512
  
  6a2d2b1c19bfe05af7457d5faf61f1bcaebed1955f3210b62c187a51242f4fd565b479be38e36facbda9ef45d3f80d41e491e550bef027ad33d33e851970de70
Score

8^/10
- Blocklisted process makes network request
behavioral1 behavioral2
- Target
  
  14118.xlsb
- Size
  
  56KB
- MD5
  
  317dfc2b5b8ced1ca8f228b251081eaf
- SHA1
  
  0d0c90c11e9413e38d1b7af7632022ca32af58dd
- SHA256
  
  5d75b97d969ff3eb4459e9bf5d21d650667e9094f527744c7384241d77a0281e
- SHA512
  
  be7a6bc219a6523c70b7701f269e933720f3cc7fef8a277cc03d781d56f660a97c950f1fbcc3f26270fae597128b3847233d8608964ba4789e3be8163401883b
Score

1^/10
behavioral3 behavioral4
- Target
  
  B24C.tmp.dll
- Size
  
  258KB
- MD5
  
  6f1ba217f598f69832d4bc961f9d10f9
- SHA1
  
  488ca142f1bbe9fdaed78af7632ee8a299dcb3ff
- SHA256
  
  7a020c1642d0e16a664bbab7234d0398616f4e90188cc2fba6e040b52b4e299b
- SHA512
  
  d918188bd48b30935de8aa1f2b1a0325bf514602e0a03a0193332eb8a2a3426b0f93183d861e1f6b8c02e98cf4f28ef741de51e7c722adcd654c8af8b3e2d7af
Score

10^/10

cobaltstrike backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
behavioral5 behavioral6
- Target
  
  NZM32A4.exe
- Size
  
  98KB
- MD5
  
  c41188e4415567a1465712a6c85331a6
- SHA1
  
  2cbf699017e281693a517ff3c9e78f34e4126d6c
- SHA256
  
  efb6ef1dffa3bc6f3b7796be4f5681b9da6a243b09029c2381b4009bf6b6eb3d
- SHA512
  
  f46005717396e13624ca420fe7e8c0d4b132e47485b3684a74ce3c83e253387ce3fd8b234d4e1a592540dd342f3af8046a89d41ecc21dbe83051594b378c218f
Score

10^/10

bazarloader dropper loader
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
  loader dropper bazarloader
- Bazar/Team9 Loader payload
behavioral7 behavioral8
- Target
  
  subscription_1617817060.xlsb
- Size
  
  249KB
- MD5
  
  e1edead6d69e4c33cf44904ef2bd0b0f
- SHA1
  
  e357ddf5ece78bac5666462c264a736230ef239f
- SHA256
  
  c76bb9443baff9e799b3b1cd7c4bd18759ff17acf50f2c3e6f9970caf3015a8f
- SHA512
  
  806d031cb21545d39cf32818467c924471d6f37328eff8ecd990253ea7bef2659bd723098ef918af77c5f91715ca5240398f6f09f25e8d57ed093bfb7d06529f
Score

10^/10
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Loads dropped DLL
behavioral9 behavioral10
- Target
  
  thqsg.exe
- Size
  
  98KB
- MD5
  
  c41188e4415567a1465712a6c85331a6
- SHA1
  
  2cbf699017e281693a517ff3c9e78f34e4126d6c
- SHA256
  
  efb6ef1dffa3bc6f3b7796be4f5681b9da6a243b09029c2381b4009bf6b6eb3d
- SHA512
  
  f46005717396e13624ca420fe7e8c0d4b132e47485b3684a74ce3c83e253387ce3fd8b234d4e1a592540dd342f3af8046a89d41ecc21dbe83051594b378c218f
Score

10^/10

bazarloader dropper loader
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
  loader dropper bazarloader
- Bazar/Team9 Loader payload
behavioral11 behavioral12

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Blocklisted process makes network request

Cobaltstrike

Blocklisted process makes network request

Bazar Loader

Bazar/Team9 Loader payload

Process spawned unexpected child process

Blocklisted process makes network request

Loads dropped DLL

Bazar Loader

Bazar/Team9 Loader payload

MITRE ATT&CK Matrix ATT&CK v6

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12