bazarloader | 291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b

General

Target

malware-bahaya-rt3ret3.exe
Size

236KB
MD5

efa4b2e7d7016a1f80efff5840de3a18
SHA1

04606786daa6313867c7ada1f0c9c925d9b602fb
SHA256

291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b
SHA512

11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/664-114-0x0000000180000000-0x0000000180032000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

PLC7B21.exePLC7B21.exe

pid process

3864 PLC7B21.exe
2164 PLC7B21.exe

pid	process
3864	PLC7B21.exe
2164	PLC7B21.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

PLC7B21.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	PLC7B21.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ZUGLAD6YA = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v J9QIBEZUVZ /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\PLC7B21.exe\\\" FLOZK4E\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\PLC7B21.exe\" FLOZK4E"	PLC7B21.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2088 PING.EXE
3844 PING.EXE
2640 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

malware-bahaya-rt3ret3.exe

pid process

664 malware-bahaya-rt3ret3.exe
664 malware-bahaya-rt3ret3.exe

pid	process
2088	PING.EXE
3844	PING.EXE
2640	PING.EXE

pid	process
664	malware-bahaya-rt3ret3.exe
664	malware-bahaya-rt3ret3.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

malware-bahaya-rt3ret3.execmd.exemalware-bahaya-rt3ret3.execmd.exePLC7B21.execmd.exe

description	pid	process	target process
PID 664 wrote to memory of 2368	664	malware-bahaya-rt3ret3.exe	cmd.exe
PID 664 wrote to memory of 2368	664	malware-bahaya-rt3ret3.exe	cmd.exe
PID 2368 wrote to memory of 2640	2368	cmd.exe	PING.EXE
PID 2368 wrote to memory of 2640	2368	cmd.exe	PING.EXE
PID 2368 wrote to memory of 2724	2368	cmd.exe	malware-bahaya-rt3ret3.exe
PID 2368 wrote to memory of 2724	2368	cmd.exe	malware-bahaya-rt3ret3.exe
PID 2724 wrote to memory of 2728	2724	malware-bahaya-rt3ret3.exe	cmd.exe
PID 2724 wrote to memory of 2728	2724	malware-bahaya-rt3ret3.exe	cmd.exe
PID 2728 wrote to memory of 2088	2728	cmd.exe	PING.EXE
PID 2728 wrote to memory of 2088	2728	cmd.exe	PING.EXE
PID 2728 wrote to memory of 3864	2728	cmd.exe	PLC7B21.exe
PID 2728 wrote to memory of 3864	2728	cmd.exe	PLC7B21.exe
PID 3864 wrote to memory of 3036	3864	PLC7B21.exe	cmd.exe
PID 3864 wrote to memory of 3036	3864	PLC7B21.exe	cmd.exe
PID 3036 wrote to memory of 3844	3036	cmd.exe	PING.EXE
PID 3036 wrote to memory of 3844	3036	cmd.exe	PING.EXE
PID 3036 wrote to memory of 2164	3036	cmd.exe	PLC7B21.exe
PID 3036 wrote to memory of 2164	3036	cmd.exe	PLC7B21.exe

C:\Users\Admin\AppData\Local\Temp\malware-bahaya-rt3ret3.exe
"C:\Users\Admin\AppData\Local\Temp\malware-bahaya-rt3ret3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\malware-bahaya-rt3ret3.exe BKCJC
2⤵
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:2640

C:\Users\Admin\AppData\Local\Temp\malware-bahaya-rt3ret3.exe
C:\Users\Admin\AppData\Local\Temp\malware-bahaya-rt3ret3.exe BKCJC
3⤵
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe XGAA
4⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:2088

C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe
C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe XGAA
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3864

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe FLOZK4E
6⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:3844

C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe
C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe FLOZK4E
7⤵
- Executes dropped EXE
PID:2164

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe
MD5
efa4b2e7d7016a1f80efff5840de3a18

SHA1
04606786daa6313867c7ada1f0c9c925d9b602fb

SHA256
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b

SHA512
11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe
MD5
efa4b2e7d7016a1f80efff5840de3a18

SHA1
04606786daa6313867c7ada1f0c9c925d9b602fb

SHA256
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b

SHA512
11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\PLC7B21.exe
MD5
efa4b2e7d7016a1f80efff5840de3a18

SHA1
04606786daa6313867c7ada1f0c9c925d9b602fb

SHA256
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b

SHA512
11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced

Download Submit
memory/664-114-0x0000000180000000-0x0000000180032000-memory.dmp

Filesize
200KB

Download
memory/2088-124-0x0000000000000000-mapping.dmp

Download
memory/2164-133-0x0000000000000000-mapping.dmp

Download
memory/2368-117-0x0000000000000000-mapping.dmp

Download
memory/2640-118-0x0000000000000000-mapping.dmp

Download
memory/2724-119-0x0000000000000000-mapping.dmp

Download
memory/2728-123-0x0000000000000000-mapping.dmp

Download
memory/3036-131-0x0000000000000000-mapping.dmp

Download
memory/3844-132-0x0000000000000000-mapping.dmp

Download
memory/3864-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads