bazarloader | 93d3f7173b0983274a93717c4c605ff9e85d6cce59a17bd965ca881e436c1954

Target

SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
Size

564KB
MD5

43de3367faeffa04f28ad1e3e1f154eb
SHA1

f75d1719bb9a2f6a628a521a827bfbf26e44b9a2
SHA256

93d3f7173b0983274a93717c4c605ff9e85d6cce59a17bd965ca881e436c1954
SHA512

53825602540b72bf294ee47f06a682b809140fd982f6ab99a02e5dc0251774c5eb7243ab2117218f54512e2ee59e100d3644bbc509d40db7da9f52dd72b67069

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2004-59-0x0000000000350000-0x000000000038E000-memory.dmp	BazarLoaderVar6
behavioral1/memory/1088-61-0x0000000000360000-0x000000000039E000-memory.dmp	BazarLoaderVar6

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
41	wyofygre.bazar
51	wyfyekom.bazar
57	viegwyvi.bazar
99	evusygre.bazar
101	ewsawyyw.bazar
103	viivygyw.bazar
113	meteavom.bazar
115	eregwyom.bazar
24	ekifwyvi.bazar
32	reyswyyw.bazar
96	erivekvi.bazar
116	wausekyw.bazar
80	evteekom.bazar
81	udurekre.bazar
87	yzivavvi.bazar
90	toinygom.bazar
91	toinygom.bazar
31	vixaekvi.bazar
60	avinwyyw.bazar
63	viarekvi.bazar
111	onipygom.bazar
55	evtewyom.bazar
56	evofekom.bazar
64	waifwyyw.bazar
72	erivekom.bazar
106	ewarwyre.bazar
26	yzxawyom.bazar
36	ewofygvi.bazar
49	ersawyvi.bazar
38	ywsawyom.bazar
44	onipekre.bazar
43	ygipygyw.bazar
66	ygsaavre.bazar
82	toipygyw.bazar
70	evyvavvi.bazar
92	toinekvi.bazar
94	meenwyyw.bazar
95	evifavvi.bazar
21	vacationinsydney2021.bazar
25	soegygom.bazar
28	viarygyw.bazar
71	vialekre.bazar
74	wyinekvi.bazar
48	omatygre.bazar
59	yginygvi.bazar
62	ygozygvi.bazar
86	ewofygom.bazar
88	reipygvi.bazar
37	onenwyre.bazar
58	yrtewyvi.bazar
77	soyvwyyw.bazar
89	wyatavom.bazar
98	evusygre.bazar
102	viivygyw.bazar
114	evfyygre.bazar
52	omivekom.bazar
53	ekuswyvi.bazar
84	toenekvi.bazar
112	meteavom.bazar
42	ywsawyre.bazar
76	ewatekom.bazar
85	toenekvi.bazar
45	reatygyw.bazar
47	ygifavom.bazar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 16 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

description	flow	ioc
HTTP URL	16	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SecuriteInfo.com.ArtemisTrojan.25081.13158.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	SecuriteInfo.com.ArtemisTrojan.25081.13158.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe"
1⤵
- Modifies system certificate store
PID:2004

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.ArtemisTrojan.25081.13158.exe 1983936737
1⤵
PID:1088

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1088-61-0x0000000000360000-0x000000000039E000-memory.dmp

Filesize
248KB

Download
memory/2004-59-0x0000000000350000-0x000000000038E000-memory.dmp

Filesize
248KB

Download
memory/2004-60-0x000007FEFC411000-0x000007FEFC413000-memory.dmp

Filesize
8KB

Download