bazarloader | 0fb0c5adab8984099449d207c2513cdd18d62d795e761cf4d3a70df6b2a0973b

General

Target

57e8ac3aec87c298a240dc0853747dd5.exe
Size

274KB
MD5

57e8ac3aec87c298a240dc0853747dd5
SHA1

02477a72571cdc7f83fa10d78873aebf7377df43
SHA256

0fb0c5adab8984099449d207c2513cdd18d62d795e761cf4d3a70df6b2a0973b
SHA512

778a284e0cfc62bbe954e5c635cc04766948dedd87d7ea14b8755bc0d43caf14fdbaed3148e17e09b7549dc31ee09768dac71db2bf8132e95ffc1e203bdbedf1

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1964-59-0x0000000180000000-0x0000000180028000-memory.dmp	BazarLoaderVar5

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
41	coldmountainsanimals.bazar
44	rareanimalsofcanada18.bazar
76	rareanimalsofcanada18.bazar
83	rareanimalsofcanada18.bazar
23	rareanimalsofcanada18.bazar
50	rareanimalsofcanada18.bazar
75	rareanimalsofcanada18.bazar
67	rareanimalsofcanada18.bazar
68	rareanimalsofcanada18.bazar
84	rareanimalsofcanada18.bazar
25	rareanimalsofcanada18.bazar
55	rareanimalsofcanada18.bazar
79	rareanimalsofcanada18.bazar
81	rareanimalsofcanada18.bazar
21	rareanimalsofcanada18.bazar
33	wildwinternature.bazar
39	coldmountainsanimals.bazar
49	rareanimalsofcanada18.bazar
40	coldmountainsanimals.bazar
73	rareanimalsofcanada18.bazar
37	coldmountainsanimals.bazar
43	coldmountainsanimals.bazar
47	rareanimalsofcanada18.bazar
53	rareanimalsofcanada18.bazar
69	rareanimalsofcanada18.bazar
86	rareanimalsofcanada18.bazar
22	rareanimalsofcanada18.bazar
29	wildwinternature.bazar
48	rareanimalsofcanada18.bazar
61	rareanimalsofcanada18.bazar
64	rareanimalsofcanada18.bazar
46	rareanimalsofcanada18.bazar
30	wildwinternature.bazar
45	rareanimalsofcanada18.bazar
72	rareanimalsofcanada18.bazar
42	coldmountainsanimals.bazar
54	rareanimalsofcanada18.bazar
59	rareanimalsofcanada18.bazar
62	rareanimalsofcanada18.bazar
63	rareanimalsofcanada18.bazar
77	rareanimalsofcanada18.bazar
87	rareanimalsofcanada18.bazar
88	rareanimalsofcanada18.bazar
24	rareanimalsofcanada18.bazar
34	wildwinternature.bazar
35	wildwinternature.bazar
38	coldmountainsanimals.bazar
58	rareanimalsofcanada18.bazar
52	rareanimalsofcanada18.bazar
56	rareanimalsofcanada18.bazar
65	rareanimalsofcanada18.bazar
85	rareanimalsofcanada18.bazar
70	rareanimalsofcanada18.bazar
26	rareanimalsofcanada18.bazar
27	rareanimalsofcanada18.bazar
31	wildwinternature.bazar
57	rareanimalsofcanada18.bazar
60	rareanimalsofcanada18.bazar
82	rareanimalsofcanada18.bazar
28	wildwinternature.bazar
32	wildwinternature.bazar
51	rareanimalsofcanada18.bazar
71	rareanimalsofcanada18.bazar
74	rareanimalsofcanada18.bazar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 15 https://api.opennicproject.org/geoip/?bare&ipv=4

description	flow	ioc
HTTP URL	15	https://api.opennicproject.org/geoip/?bare&ipv=4

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

57e8ac3aec87c298a240dc0853747dd5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	57e8ac3aec87c298a240dc0853747dd5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	57e8ac3aec87c298a240dc0853747dd5.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

57e8ac3aec87c298a240dc0853747dd5.exe

description	pid	process	target process
PID 1964 wrote to memory of 1708	1964	57e8ac3aec87c298a240dc0853747dd5.exe	57e8ac3aec87c298a240dc0853747dd5.exe
PID 1964 wrote to memory of 1708	1964	57e8ac3aec87c298a240dc0853747dd5.exe	57e8ac3aec87c298a240dc0853747dd5.exe
PID 1964 wrote to memory of 1708	1964	57e8ac3aec87c298a240dc0853747dd5.exe	57e8ac3aec87c298a240dc0853747dd5.exe
PID 1964 wrote to memory of 1708	1964	57e8ac3aec87c298a240dc0853747dd5.exe	57e8ac3aec87c298a240dc0853747dd5.exe

C:\Users\Admin\AppData\Local\Temp\57e8ac3aec87c298a240dc0853747dd5.exe
"C:\Users\Admin\AppData\Local\Temp\57e8ac3aec87c298a240dc0853747dd5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\57e8ac3aec87c298a240dc0853747dd5.exe
  "C:\Users\Admin\AppData\Local\Temp\57e8ac3aec87c298a240dc0853747dd5.exe"
  2⤵
  - Modifies system certificate store
  PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1708-65-0x0000000000000000-mapping.dmp

Download
memory/1708-72-0x000007FEFB541000-0x000007FEFB543000-memory.dmp

Filesize
8KB

Download
memory/1964-59-0x0000000180000000-0x0000000180028000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads