bazarloader | c6c49487b97174cf00ebc3a28b15e27f9c8cfbb57294cb588e67603322581ea8 | Triage

Sharing

General

Target

new-documents-2030.zip.zip
Size

355KB
Sample

211025-v8m91sgdh3
MD5

7bcb72e0ea43d8c34e9604238cbfb4eb
SHA1

58982fcd989573c75be3181b39eaaff0e80d31a0
SHA256

c6c49487b97174cf00ebc3a28b15e27f9c8cfbb57294cb588e67603322581ea8
SHA512

f8cdc08354e63a75ae2f6d3052bc588646617cb8bb99eebd59330eeb5569aad024821a110f614fcb23c875eeb76227b88d89f6d4c59bd1170486df7a8bd8278c

Score

10^/10

bazarloader dropper loader

Malware Config

Targets

- Target
  
  Documents.lnk
- Size
  
  1KB
- MD5
  
  4d8af5ba95aa23f7162b7bbf8622d801
- SHA1
  
  d5b8c1a219686be5b75e58c560609023b491d9aa
- SHA256
  
  e87f9f378590b95de1b1ef2aaab84e1d00f210fd6aaf5025d815f33096c9d162
- SHA512
  
  f64416dbce111afe375efe031b05ed5b5b5c00c956d3c419d733147e4f0e751a60f3a22c72c36d45841abf85013c9647c6dc040cdd3d56c9b8cc35bccfd60d2c
Score

10^/10

bazarloader dropper loader
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
  loader dropper bazarloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Bazar/Team9 Loader payload
- Blocklisted process makes network request
- Tries to connect to .bazar domain
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  SharedFiles.dll
- Size
  
  601KB
- MD5
  
  adf5dc4ac48443f7042237921620a740
- SHA1
  
  492528054a7de48cfab7ca982bfd7a5459b3e062
- SHA256
  
  b60a22be0a21e0a4c52a0fe0fecc2b55205297e1ddafd2364f75b46b8deedb74
- SHA512
  
  ae629b9181b773a00d6ac74dc2b262fe87995c8f5ae58ae3c3a7b2d7784b99dc382ef41fa02ff35bbdfea76aac638fa7a43b6fc00ea6fdc5b66a1bcca60568ba
Score

10^/10

bazarloader dropper loader
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
  loader dropper bazarloader
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Bazar/Team9 Loader payload
- Blocklisted process makes network request
- Tries to connect to .bazar domain
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Suspicious use of SetThreadContext
behavioral3 behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bazarloaderdropperloader

behavioral2

bazarloaderdropperloader

behavioral3

bazarloaderdropperloader

behavioral4

bazarloaderdropperloader