bazarloader | 0fb0c5adab8984099449d207c2513cdd18d62d795e761cf4d3a70df6b2a0973b

General

Target

57e8ac3aec87c298a240dc0853747dd5.exe
Size

274KB
MD5

57e8ac3aec87c298a240dc0853747dd5
SHA1

02477a72571cdc7f83fa10d78873aebf7377df43
SHA256

0fb0c5adab8984099449d207c2513cdd18d62d795e761cf4d3a70df6b2a0973b
SHA512

778a284e0cfc62bbe954e5c635cc04766948dedd87d7ea14b8755bc0d43caf14fdbaed3148e17e09b7549dc31ee09768dac71db2bf8132e95ffc1e203bdbedf1

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4004-114-0x0000000180000000-0x0000000180028000-memory.dmp	BazarLoaderVar5

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
50	rareanimalsofcanada18.bazar
63	rareanimalsofcanada18.bazar
201	coldmountainsanimals.bazar
186	wildwinternature.bazar
37	wildwinternature.bazar
111	rareanimalsofcanada18.bazar
121	wildwinternature.bazar
172	wildwinternature.bazar
25	rareanimalsofcanada18.bazar
124	wildwinternature.bazar
189	coldmountainsanimals.bazar
123	wildwinternature.bazar
150	wildwinternature.bazar
221	coldmountainsanimals.bazar
38	wildwinternature.bazar
39	wildwinternature.bazar
73	rareanimalsofcanada18.bazar
117	rareanimalsofcanada18.bazar
238	coldmountainsanimals.bazar
28	rareanimalsofcanada18.bazar
85	rareanimalsofcanada18.bazar
96	rareanimalsofcanada18.bazar
160	wildwinternature.bazar
222	coldmountainsanimals.bazar
242	coldmountainsanimals.bazar
141	wildwinternature.bazar
122	wildwinternature.bazar
173	wildwinternature.bazar
54	rareanimalsofcanada18.bazar
97	rareanimalsofcanada18.bazar
105	rareanimalsofcanada18.bazar
120	wildwinternature.bazar
51	rareanimalsofcanada18.bazar
181	wildwinternature.bazar
128	wildwinternature.bazar
131	wildwinternature.bazar
169	wildwinternature.bazar
244	coldmountainsanimals.bazar
31	rareanimalsofcanada18.bazar
64	rareanimalsofcanada18.bazar
89	rareanimalsofcanada18.bazar
101	rareanimalsofcanada18.bazar
102	rareanimalsofcanada18.bazar
48	coldmountainsanimals.bazar
53	rareanimalsofcanada18.bazar
59	rareanimalsofcanada18.bazar
217	coldmountainsanimals.bazar
239	coldmountainsanimals.bazar
80	rareanimalsofcanada18.bazar
83	rareanimalsofcanada18.bazar
171	wildwinternature.bazar
182	wildwinternature.bazar
200	coldmountainsanimals.bazar
206	coldmountainsanimals.bazar
237	coldmountainsanimals.bazar
142	wildwinternature.bazar
164	wildwinternature.bazar
187	wildwinternature.bazar
205	coldmountainsanimals.bazar
90	rareanimalsofcanada18.bazar
115	rareanimalsofcanada18.bazar
47	coldmountainsanimals.bazar
174	wildwinternature.bazar
219	coldmountainsanimals.bazar

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

57e8ac3aec87c298a240dc0853747dd5.exe

description	pid	process	target process
PID 4004 wrote to memory of 3612	4004	57e8ac3aec87c298a240dc0853747dd5.exe	57e8ac3aec87c298a240dc0853747dd5.exe
PID 4004 wrote to memory of 3612	4004	57e8ac3aec87c298a240dc0853747dd5.exe	57e8ac3aec87c298a240dc0853747dd5.exe
PID 4004 wrote to memory of 3612	4004	57e8ac3aec87c298a240dc0853747dd5.exe	57e8ac3aec87c298a240dc0853747dd5.exe

C:\Users\Admin\AppData\Local\Temp\57e8ac3aec87c298a240dc0853747dd5.exe
"C:\Users\Admin\AppData\Local\Temp\57e8ac3aec87c298a240dc0853747dd5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Users\Admin\AppData\Local\Temp\57e8ac3aec87c298a240dc0853747dd5.exe
"C:\Users\Admin\AppData\Local\Temp\57e8ac3aec87c298a240dc0853747dd5.exe"
2⤵
PID:3612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3612-120-0x0000000000000000-mapping.dmp

Download
memory/4004-114-0x0000000180000000-0x0000000180028000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads