bazarloader | 210c46aae3d71ecbac79447d124d895dded804c08342b17258cd4b400b0bebe0

Resubmissions

08-04-2021 06:31

210408-rf4c3mtwdx 10

07-04-2021 04:47

210407-l95ennpj9x 8

Analysis

max time kernel
150s
max time network
150s
platform
windows10_x64
resource
win10v20201028
submitted
08-04-2021 06:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dl8.exe
Size

271KB
MD5

0a6e27aa3415f502af6585bddf7e0d3e
SHA1

a8bdb01ef8a6e75ec200c5d4f6d9f32539dca9f2
SHA256

210c46aae3d71ecbac79447d124d895dded804c08342b17258cd4b400b0bebe0
SHA512

abd3b3d4e6251fe5231bf45186b43cb1d4aa5dc36fd79e71e4bf010d9adfbf2c6837d4606795be97a00911cd5d06326d7ed38656dbe7827ed33a59b0f140d479

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1400-2-0x00000147BEBE0000-0x00000147BEC10000-memory.dmp	BazarLoaderVar5
behavioral2/memory/3272-4-0x000001D641A40000-0x000001D641A70000-memory.dmp	BazarLoaderVar5

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
106	rareanimalsofcanada18.bazar
48	coldmountainsanimals.bazar
81	rareanimalsofcanada18.bazar
122	wildwinternature.bazar
142	wildwinternature.bazar
146	wildwinternature.bazar
164	wildwinternature.bazar
170	wildwinternature.bazar
93	rareanimalsofcanada18.bazar
114	rareanimalsofcanada18.bazar
118	rareanimalsofcanada18.bazar
151	wildwinternature.bazar
29	rareanimalsofcanada18.bazar
47	coldmountainsanimals.bazar
176	wildwinternature.bazar
71	rareanimalsofcanada18.bazar
111	rareanimalsofcanada18.bazar
119	rareanimalsofcanada18.bazar
148	wildwinternature.bazar
94	rareanimalsofcanada18.bazar
109	rareanimalsofcanada18.bazar
74	rareanimalsofcanada18.bazar
127	wildwinternature.bazar
155	wildwinternature.bazar
168	wildwinternature.bazar
169	wildwinternature.bazar
58	rareanimalsofcanada18.bazar
62	rareanimalsofcanada18.bazar
139	wildwinternature.bazar
172	wildwinternature.bazar
97	rareanimalsofcanada18.bazar
130	wildwinternature.bazar
57	rareanimalsofcanada18.bazar
79	rareanimalsofcanada18.bazar
85	rareanimalsofcanada18.bazar
28	rareanimalsofcanada18.bazar
45	coldmountainsanimals.bazar
100	rareanimalsofcanada18.bazar
105	rareanimalsofcanada18.bazar
131	wildwinternature.bazar
156	wildwinternature.bazar
165	wildwinternature.bazar
68	rareanimalsofcanada18.bazar
83	rareanimalsofcanada18.bazar
101	rareanimalsofcanada18.bazar
102	rareanimalsofcanada18.bazar
123	wildwinternature.bazar
124	wildwinternature.bazar
143	wildwinternature.bazar
144	wildwinternature.bazar
59	rareanimalsofcanada18.bazar
96	rareanimalsofcanada18.bazar
175	wildwinternature.bazar
82	rareanimalsofcanada18.bazar
147	wildwinternature.bazar
92	rareanimalsofcanada18.bazar
134	wildwinternature.bazar
152	wildwinternature.bazar
159	wildwinternature.bazar
34	rareanimalsofcanada18.bazar
46	coldmountainsanimals.bazar
53	rareanimalsofcanada18.bazar
54	rareanimalsofcanada18.bazar
89	rareanimalsofcanada18.bazar

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

dl8.exe

description	pid	process	target process
PID 1400 wrote to memory of 3272	1400	dl8.exe	dl8.exe
PID 1400 wrote to memory of 3272	1400	dl8.exe	dl8.exe
PID 1400 wrote to memory of 3272	1400	dl8.exe	dl8.exe

C:\Users\Admin\AppData\Local\Temp\dl8.exe
"C:\Users\Admin\AppData\Local\Temp\dl8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\dl8.exe
"C:\Users\Admin\AppData\Local\Temp\dl8.exe"
2⤵
PID:3272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1400-2-0x00000147BEBE0000-0x00000147BEC10000-memory.dmp

Filesize
192KB

Download
memory/3272-3-0x0000000000000000-mapping.dmp

Download
memory/3272-4-0x000001D641A40000-0x000001D641A70000-memory.dmp

Filesize
192KB

Download