bazarloader | d384dfdd90da4645a8d74956534cfcef7fcbbf4ed654e61b3d27384616b4bc4a | Triage

Analysis

max time kernel
145s
max time network
194s
platform
windows7_x64
resource
win7v20210410
submitted
04-08-2021 16:07

Sharing

Report Analysis Logs

General

Target

htmlDefineFunc.jpg.dll
Size

254KB
MD5

94b1dd32c7b1f7a4d9d0dd7e4c301dd6
SHA1

17ec04d523899e9c63645aed68058404dbeeb557
SHA256

d384dfdd90da4645a8d74956534cfcef7fcbbf4ed654e61b3d27384616b4bc4a
SHA512

4873dfc934f5f58d2ac187af1233ca34f0b04737e0cb9aea8a5639fc1fb413bab1d232d6e56e7b9df6260b07eb87de1a0bd3b7499566220d432ebd4879697a58

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1644-60-0x0000000001D30000-0x0000000001EBC000-memory.dmp	BazarLoaderVar6
behavioral1/memory/536-61-0x0000000001D10000-0x0000000001E9C000-memory.dmp	BazarLoaderVar6

Tries to connect to .bazar domain 45 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
46	keGVmyir.bazar
50	loðáavyw.bazar
20	whitestorm9p.bazar
30	yzlkeir.bazar
32	ew8œwyir.bazar
35	do’¾kevi.bazar
43	ir’¾keir.bazar
56	yrg‡avir.bazar
61	wa’¾myom.bazar
31	toðámyvi.bazar
49	vilmyom.bazar
52	yz’¾myvi.bazar
53	omîçwyom.bazar
54	doáðkeir.bazar
44	toîçwyyw.bazar
48	so¥ˆwyyw.bazar
51	om8œkeom.bazar
25	bluecloud21c.bazar
29	soGVmyvi.bazar
38	myg‡avyw.bazar
41	omðámyir.bazar
42	to8œkeyw.bazar
59	myðáavom.bazar
66	re¥ˆkeyw.bazar
68	ywðáwyyw.bazar
28	yellowdownpour81.bazar
36	ewîçavir.bazar
55	reGVavvi.bazar
63	iráðmyvi.bazar
65	wyg‡wyvi.bazar
24	whitestorm9p.bazar
45	caáðkeom.bazar
58	solmyir.bazar
67	kelavvi.bazar
70	vi’¾avyw.bazar
39	vi¥ˆavir.bazar
47	ywg‡avom.bazar
57	ke¥ˆwyom.bazar
64	noGVavom.bazar
69	my8œmyvi.bazar
29	wa¥ˆavvi.bazar
37	wyáðkeyw.bazar
40	walmyyw.bazar
60	lo8œkeir.bazar
62	loîçwyir.bazar

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 13 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\htmlDefineFunc.jpg.dll
1⤵
PID:1644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\htmlDefineFunc.jpg.dll,StartW 1861193117
1⤵
PID:536

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-61-0x0000000001D10000-0x0000000001E9C000-memory.dmp

Filesize
1.5MB

Download
memory/1644-59-0x000007FEFBFF1000-0x000007FEFBFF3000-memory.dmp

Filesize
8KB

Download
memory/1644-60-0x0000000001D30000-0x0000000001EBC000-memory.dmp

Filesize
1.5MB

Download