Analysis
max time kernel: 150s
max time network: 157s
platform: windows10_x64
resource: win10v20210408
submitted: 04-08-2021 16:07
Static task: static1
Behavioral task: behavioral1
Sample: htmlDefineFunc.jpg.dll
Resource: win7v20210410
Behavioral task: behavioral2
Sample: htmlDefineFunc.jpg.dll
Resource: win10v20210408
General
Target: htmlDefineFunc.jpg.dll
Size: 254KB
MD5: 94b1dd32c7b1f7a4d9d0dd7e4c301dd6
SHA1: 17ec04d523899e9c63645aed68058404dbeeb557
SHA256: d384dfdd90da4645a8d74956534cfcef7fcbbf4ed654e61b3d27384616b4bc4a
SHA512: 4873dfc934f5f58d2ac187af1233ca34f0b04737e0cb9aea8a5639fc1fb413bab1d232d6e56e7b9df6260b07eb87de1a0bd3b7499566220d432ebd4879697a58
Malware Config
Signatures
Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
Bazar/Team9 Loader payload (2 IoCs)
Processes:
resource / yara_rule:
behavioral2/memory/636-114-0x00000000027D0000-0x000000000295C000-memory.dmp  BazarLoaderVar6
behavioral2/memory/3156-115-0x0000020A45860000-0x0000020A459EC000-memory.dmp  BazarLoaderVar6
Tries to connect to .bazar domain (64 IoCs)
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
description / flow / ioc:
HTTP URL  flow 25  https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8