bazarloader | 1625a3baefca74d244796f8ba85972350fda0994cf6752ac4d8ea8ff93052f42

General

Target

DialogGL.EXE
Size

224KB
MD5

3e494cf9a64f6836638f8f99d4015d5b
SHA1

de1d042453c77ba66bb9993c40245fd493fcb679
SHA256

1625a3baefca74d244796f8ba85972350fda0994cf6752ac4d8ea8ff93052f42
SHA512

e2db480175db189de53d35fe6a2318f9ccafec0ca709efa35d38444f52ab1a4db60a7ce9f4414131ee478dd262c50d904eec5eaf6fbd98b2ca2e95c590c89dee

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2028-61-0x00000000003D0000-0x00000000003E4000-memory.dmp	BazarLoaderVar1
behavioral1/memory/2028-64-0x0000000000440000-0x0000000000456000-memory.dmp	BazarLoaderVar1
behavioral1/memory/2028-67-0x00000000003B0000-0x00000000003C1000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1808-72-0x0000000001D80000-0x0000000001D96000-memory.dmp	BazarLoaderVar1

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 17 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

description	flow	ioc
HTTP URL	17	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

DialogGL.EXE

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA432E342D22E6C0593C523A85685C5C02C4B804\Blob = 0f0000000100000020000000fb0572570a9a42e1c7d0937283f0cf7957a8e2d8ca1b43e995d0602d8493656e030000000100000014000000aa432e342d22e6c0593c523a85685c5c02c4b8042000000001000000f9020000308202f5308201dda00302010202104bca4bd8ddc18988aa683b112706b736300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231303930323133303030305a170d3236303930313133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b612d5fed17f69196f1c36c8a7157b44bb5789c4ee593e22fdd0fed9682912a6a831652ffbf5c36354a8c3338641fee7a365564803a3dc8eb5e0d0562e2ca32083268c1122695803f17f578c46c9b82d5973da6e608dd78a9d526d8ccdd85e5595bb0cfeaa2bb09127bc5511882c745d12553ff484b6e4d4e21b0c02a6042649404de6323ffb172ac8a2559d8ce24956e1584987d4256f6cd5aa29942af99758a4690df4eea3820226fb1b84975059d81d7e9e53b96bc5019a211e6b7053e56c56f2ded89f35c3538d2b0fce54214693adaf319df401756543b1e0b9016a2db8e5fb6ed998fb8bcb5c437a6ef88337622f13df73c128127484ab2af5501912a90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604149653bfe809ca0570416fa79bf3ed6c164bfd0f8b300d06092a864886f70d01010b05000382010100b49e2617f0e65a68dcfc648ec2b2cede651dba7309a2f637448f0ea66af2ac3719989d1b15d1e06f14be325b114c53e5f57011f609fb20b8c385c8278196a5bff2b0fcc3b1a647111c6fe7b983cd6397ffcc78d5765e5fc888808e1dbcd4df875b4b32f5be6d92b8d5c67dbb9fdc9fb1d5bdf3d0225119ba992165112f9d1d7eef45ba277b506f44d9ceeb9634096dbc6b4a6b9a53e10b2f0497f2247163609d39bd45d91b08aedae6939967869b682bbd6534140bb677c577e31308a3a519277cbd76a99825e651944bb8fef0f1057fce35c198e24ed6e0a14d7bc30447f5de7cb3841a28c62cc40eec83cb4c2ff11d2a23f39c1e7c48026e00b7adeb517e38	DialogGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA432E342D22E6C0593C523A85685C5C02C4B804\Blob = 1400000001000000140000009653bfe809ca0570416fa79bf3ed6c164bfd0f8b030000000100000014000000aa432e342d22e6c0593c523a85685c5c02c4b8040f0000000100000020000000fb0572570a9a42e1c7d0937283f0cf7957a8e2d8ca1b43e995d0602d8493656e2000000001000000f9020000308202f5308201dda00302010202104bca4bd8ddc18988aa683b112706b736300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231303930323133303030305a170d3236303930313133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b612d5fed17f69196f1c36c8a7157b44bb5789c4ee593e22fdd0fed9682912a6a831652ffbf5c36354a8c3338641fee7a365564803a3dc8eb5e0d0562e2ca32083268c1122695803f17f578c46c9b82d5973da6e608dd78a9d526d8ccdd85e5595bb0cfeaa2bb09127bc5511882c745d12553ff484b6e4d4e21b0c02a6042649404de6323ffb172ac8a2559d8ce24956e1584987d4256f6cd5aa29942af99758a4690df4eea3820226fb1b84975059d81d7e9e53b96bc5019a211e6b7053e56c56f2ded89f35c3538d2b0fce54214693adaf319df401756543b1e0b9016a2db8e5fb6ed998fb8bcb5c437a6ef88337622f13df73c128127484ab2af5501912a90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604149653bfe809ca0570416fa79bf3ed6c164bfd0f8b300d06092a864886f70d01010b05000382010100b49e2617f0e65a68dcfc648ec2b2cede651dba7309a2f637448f0ea66af2ac3719989d1b15d1e06f14be325b114c53e5f57011f609fb20b8c385c8278196a5bff2b0fcc3b1a647111c6fe7b983cd6397ffcc78d5765e5fc888808e1dbcd4df875b4b32f5be6d92b8d5c67dbb9fdc9fb1d5bdf3d0225119ba992165112f9d1d7eef45ba277b506f44d9ceeb9634096dbc6b4a6b9a53e10b2f0497f2247163609d39bd45d91b08aedae6939967869b682bbd6534140bb677c577e31308a3a519277cbd76a99825e651944bb8fef0f1057fce35c198e24ed6e0a14d7bc30447f5de7cb3841a28c62cc40eec83cb4c2ff11d2a23f39c1e7c48026e00b7adeb517e38	DialogGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA432E342D22E6C0593C523A85685C5C02C4B804\Blob = 190000000100000010000000dd6103ff7ad901c6e5dc245d0e95442f0f0000000100000020000000fb0572570a9a42e1c7d0937283f0cf7957a8e2d8ca1b43e995d0602d8493656e030000000100000014000000aa432e342d22e6c0593c523a85685c5c02c4b8041400000001000000140000009653bfe809ca0570416fa79bf3ed6c164bfd0f8b2000000001000000f9020000308202f5308201dda00302010202104bca4bd8ddc18988aa683b112706b736300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231303930323133303030305a170d3236303930313133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b612d5fed17f69196f1c36c8a7157b44bb5789c4ee593e22fdd0fed9682912a6a831652ffbf5c36354a8c3338641fee7a365564803a3dc8eb5e0d0562e2ca32083268c1122695803f17f578c46c9b82d5973da6e608dd78a9d526d8ccdd85e5595bb0cfeaa2bb09127bc5511882c745d12553ff484b6e4d4e21b0c02a6042649404de6323ffb172ac8a2559d8ce24956e1584987d4256f6cd5aa29942af99758a4690df4eea3820226fb1b84975059d81d7e9e53b96bc5019a211e6b7053e56c56f2ded89f35c3538d2b0fce54214693adaf319df401756543b1e0b9016a2db8e5fb6ed998fb8bcb5c437a6ef88337622f13df73c128127484ab2af5501912a90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604149653bfe809ca0570416fa79bf3ed6c164bfd0f8b300d06092a864886f70d01010b05000382010100b49e2617f0e65a68dcfc648ec2b2cede651dba7309a2f637448f0ea66af2ac3719989d1b15d1e06f14be325b114c53e5f57011f609fb20b8c385c8278196a5bff2b0fcc3b1a647111c6fe7b983cd6397ffcc78d5765e5fc888808e1dbcd4df875b4b32f5be6d92b8d5c67dbb9fdc9fb1d5bdf3d0225119ba992165112f9d1d7eef45ba277b506f44d9ceeb9634096dbc6b4a6b9a53e10b2f0497f2247163609d39bd45d91b08aedae6939967869b682bbd6534140bb677c577e31308a3a519277cbd76a99825e651944bb8fef0f1057fce35c198e24ed6e0a14d7bc30447f5de7cb3841a28c62cc40eec83cb4c2ff11d2a23f39c1e7c48026e00b7adeb517e38	DialogGL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	DialogGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	DialogGL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA432E342D22E6C0593C523A85685C5C02C4B804	DialogGL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

DialogGL.EXEDialogGL.EXE

pid process

2028 DialogGL.EXE
2028 DialogGL.EXE
1808 DialogGL.EXE
1808 DialogGL.EXE

pid	process
2028	DialogGL.EXE
2028	DialogGL.EXE
1808	DialogGL.EXE
1808	DialogGL.EXE

C:\Users\Admin\AppData\Local\Temp\DialogGL.EXE
"C:\Users\Admin\AppData\Local\Temp\DialogGL.EXE"
1⤵
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Users\Admin\AppData\Local\Temp\DialogGL.EXE
C:\Users\Admin\AppData\Local\Temp\DialogGL.EXE {BD100145-C8FC-4B71-A3C6-375065B332A4}
1⤵
- Suspicious use of SetWindowsHookEx
PID:1808

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

1

T1130

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1808-72-0x0000000001D80000-0x0000000001D96000-memory.dmp

Filesize
88KB

Download
memory/2028-60-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/2028-61-0x00000000003D0000-0x00000000003E4000-memory.dmp

Filesize
80KB

Download
memory/2028-64-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2028-67-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download

Resubmissions

Analysis

Sharing