bazarloader | 1625a3baefca74d244796f8ba85972350fda0994cf6752ac4d8ea8ff93052f42

General

Target

DialogGL.EXE
Size

224KB
MD5

3e494cf9a64f6836638f8f99d4015d5b
SHA1

de1d042453c77ba66bb9993c40245fd493fcb679
SHA256

1625a3baefca74d244796f8ba85972350fda0994cf6752ac4d8ea8ff93052f42
SHA512

e2db480175db189de53d35fe6a2318f9ccafec0ca709efa35d38444f52ab1a4db60a7ce9f4414131ee478dd262c50d904eec5eaf6fbd98b2ca2e95c590c89dee

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 4 IoCs

resource	yara_rule
behavioral1/memory/2028-61-0x00000000003D0000-0x00000000003E4000-memory.dmp	BazarLoaderVar1
behavioral1/memory/2028-64-0x0000000000440000-0x0000000000456000-memory.dmp	BazarLoaderVar1
behavioral1/memory/2028-67-0x00000000003B0000-0x00000000003C1000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1808-72-0x0000000001D80000-0x0000000001D96000-memory.dmp	BazarLoaderVar1

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

description	flow	ioc
HTTP URL	17	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA432E342D22E6C0593C523A85685C5C02C4B804\Blob = 0f0000000100000020000000fb0572570a9a42e1c7d0937283f0cf7957a8e2d8ca1b43e995d0602d8493656e030000000100000014000000aa432e342d22e6c0593c523a85685c5c02c4b8042000000001000000f9020000308202f5308201dda00302010202104bca4bd8ddc18988aa683b112706b736300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231303930323133303030305a170d3236303930313133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b612d5fed17f69196f1c36c8a7157b44bb5789c4ee593e22fdd0fed9682912a6a831652ffbf5c36354a8c3338641fee7a365564803a3dc8eb5e0d0562e2ca32083268c1122695803f17f578c46c9b82d5973da6e608dd78a9d526d8ccdd85e5595bb0cfeaa2bb09127bc5511882c745d12553ff484b6e4d4e21b0c02a6042649404de6323ffb172ac8a2559d8ce24956e1584987d4256f6cd5aa29942af99758a4690df4eea3820226fb1b84975059d81d7e9e53b96bc5019a211e6b7053e56c56f2ded89f35c3538d2b0fce54214693adaf319df401756543b1e0b9016a2db8e5fb6ed998fb8bcb5c437a6ef88337622f13df73c128127484ab2af5501912a90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604149653bfe809ca0570416fa79bf3ed6c164bfd0f8b300d06092a864886f70d01010b05000382010100b49e2617f0e65a68dcfc648ec2b2cede651dba7309a2f637448f0ea66af2ac3719989d1b15d1e06f14be325b114c53e5f57011f609fb20b8c385c8278196a5bff2b0fcc3b1a647111c6fe7b983cd6397ffcc78d5765e5fc888808e1dbcd4df875b4b32f5be6d92b8d5c67dbb9fdc9fb1d5bdf3d0225119ba992165112f9d1d7eef45ba277b506f44d9ceeb9634096dbc6b4a6b9a53e10b2f0497f2247163609d39bd45d91b08aedae6939967869b682bbd6534140bb677c577e31308a3a519277cbd76a99825e651944bb8fef0f1057fce35c198e24ed6e0a14d7bc30447f5de7cb3841a28c62cc40eec83cb4c2ff11d2a23f39c1e7c48026e00b7adeb517e38	DialogGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA432E342D22E6C0593C523A85685C5C02C4B804\Blob = 1400000001000000140000009653bfe809ca0570416fa79bf3ed6c164bfd0f8b030000000100000014000000aa432e342d22e6c0593c523a85685c5c02c4b8040f0000000100000020000000fb0572570a9a42e1c7d0937283f0cf7957a8e2d8ca1b43e995d0602d8493656e2000000001000000f9020000308202f5308201dda00302010202104bca4bd8ddc18988aa683b112706b736300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231303930323133303030305a170d3236303930313133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b612d5fed17f69196f1c36c8a7157b44bb5789c4ee593e22fdd0fed9682912a6a831652ffbf5c36354a8c3338641fee7a365564803a3dc8eb5e0d0562e2ca32083268c1122695803f17f578c46c9b82d5973da6e608dd78a9d526d8ccdd85e5595bb0cfeaa2bb09127bc5511882c745d12553ff484b6e4d4e21b0c02a6042649404de6323ffb172ac8a2559d8ce24956e1584987d4256f6cd5aa29942af99758a4690df4eea3820226fb1b84975059d81d7e9e53b96bc5019a211e6b7053e56c56f2ded89f35c3538d2b0fce54214693adaf319df401756543b1e0b9016a2db8e5fb6ed998fb8bcb5c437a6ef88337622f13df73c128127484ab2af5501912a90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604149653bfe809ca0570416fa79bf3ed6c164bfd0f8b300d06092a864886f70d01010b05000382010100b49e2617f0e65a68dcfc648ec2b2cede651dba7309a2f637448f0ea66af2ac3719989d1b15d1e06f14be325b114c53e5f57011f609fb20b8c385c8278196a5bff2b0fcc3b1a647111c6fe7b983cd6397ffcc78d5765e5fc888808e1dbcd4df875b4b32f5be6d92b8d5c67dbb9fdc9fb1d5bdf3d0225119ba992165112f9d1d7eef45ba277b506f44d9ceeb9634096dbc6b4a6b9a53e10b2f0497f2247163609d39bd45d91b08aedae6939967869b682bbd6534140bb677c577e31308a3a519277cbd76a99825e651944bb8fef0f1057fce35c198e24ed6e0a14d7bc30447f5de7cb3841a28c62cc40eec83cb4c2ff11d2a23f39c1e7c48026e00b7adeb517e38	DialogGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA432E342D22E6C0593C523A85685C5C02C4B804\Blob = 190000000100000010000000dd6103ff7ad901c6e5dc245d0e95442f0f0000000100000020000000fb0572570a9a42e1c7d0937283f0cf7957a8e2d8ca1b43e995d0602d8493656e030000000100000014000000aa432e342d22e6c0593c523a85685c5c02c4b8041400000001000000140000009653bfe809ca0570416fa79bf3ed6c164bfd0f8b2000000001000000f9020000308202f5308201dda00302010202104bca4bd8ddc18988aa683b112706b736300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3231303930323133303030305a170d3236303930313133303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100b612d5fed17f69196f1c36c8a7157b44bb5789c4ee593e22fdd0fed9682912a6a831652ffbf5c36354a8c3338641fee7a365564803a3dc8eb5e0d0562e2ca32083268c1122695803f17f578c46c9b82d5973da6e608dd78a9d526d8ccdd85e5595bb0cfeaa2bb09127bc5511882c745d12553ff484b6e4d4e21b0c02a6042649404de6323ffb172ac8a2559d8ce24956e1584987d4256f6cd5aa29942af99758a4690df4eea3820226fb1b84975059d81d7e9e53b96bc5019a211e6b7053e56c56f2ded89f35c3538d2b0fce54214693adaf319df401756543b1e0b9016a2db8e5fb6ed998fb8bcb5c437a6ef88337622f13df73c128127484ab2af5501912a90203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e041604149653bfe809ca0570416fa79bf3ed6c164bfd0f8b300d06092a864886f70d01010b05000382010100b49e2617f0e65a68dcfc648ec2b2cede651dba7309a2f637448f0ea66af2ac3719989d1b15d1e06f14be325b114c53e5f57011f609fb20b8c385c8278196a5bff2b0fcc3b1a647111c6fe7b983cd6397ffcc78d5765e5fc888808e1dbcd4df875b4b32f5be6d92b8d5c67dbb9fdc9fb1d5bdf3d0225119ba992165112f9d1d7eef45ba277b506f44d9ceeb9634096dbc6b4a6b9a53e10b2f0497f2247163609d39bd45d91b08aedae6939967869b682bbd6534140bb677c577e31308a3a519277cbd76a99825e651944bb8fef0f1057fce35c198e24ed6e0a14d7bc30447f5de7cb3841a28c62cc40eec83cb4c2ff11d2a23f39c1e7c48026e00b7adeb517e38	DialogGL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	DialogGL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	DialogGL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\AA432E342D22E6C0593C523A85685C5C02C4B804	DialogGL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2028	DialogGL.EXE
2028	DialogGL.EXE
1808	DialogGL.EXE
1808	DialogGL.EXE

C:\Users\Admin\AppData\Local\Temp\DialogGL.EXE
"C:\Users\Admin\AppData\Local\Temp\DialogGL.EXE"
1⤵
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Users\Admin\AppData\Local\Temp\DialogGL.EXE
C:\Users\Admin\AppData\Local\Temp\DialogGL.EXE {BD100145-C8FC-4B71-A3C6-375065B332A4}
1⤵
- Suspicious use of SetWindowsHookEx
PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1808-72-0x0000000001D80000-0x0000000001D96000-memory.dmp

Filesize
88KB

Download
memory/2028-60-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/2028-61-0x00000000003D0000-0x00000000003E4000-memory.dmp

Filesize
80KB

Download
memory/2028-64-0x0000000000440000-0x0000000000456000-memory.dmp

Filesize
88KB

Download
memory/2028-67-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download

Resubmissions

Analysis

Sharing