bazarloader | 11f3d84aad7131fe124155c9edfceb594649e87de1ee03383f470442d6ed69a1

Resubmissions

31-10-2021 06:34

211031-hbtpbaffb7 10

29-10-2021 13:36

211029-qwckjaabcq 10

Analysis

max time kernel
3589s
max time network
4515s
platform
windows10_x64
resource
win10-en-20211014
submitted
31-10-2021 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.php.dll
Size

329KB
MD5

9c9b58c38841af6f89ff90a746d63cec
SHA1

95481d6dfa4660bd24ac519561269b6fbd4571c1
SHA256

11f3d84aad7131fe124155c9edfceb594649e87de1ee03383f470442d6ed69a1
SHA512

7b32798e4652f05861cdb5e03abb1eeebe4183c4f5411cc73166fc1e31dab37c00104e3cc035b2fc9c8c3300b561c17b9cffccc8af79fbc78ea2b1b1e721b518

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3924 created 3032	3924	regsvr32.exe	22

Bazar/Team9 Loader payload 2 IoCs

resource	yara_rule
behavioral2/memory/3924-115-0x0000000002590000-0x00000000027A0000-memory.dmp	BazarLoaderVar5
behavioral2/memory/1108-116-0x00000000020D0000-0x00000000022E0000-memory.dmp	BazarLoaderVar5

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

flow	ioc
1320	aqomekyw.bazar
307	aquheked.bazar
673	ydewuhom.bazar
674	ydewuhom.bazar
692	owtoeked.bazar
787	ypwyuhed.bazar
1150	etqeekom.bazar
1279	iqewidem.bazar
1415	hucauhyw.bazar
1496	ufemwyed.bazar
401	huomuhed.bazar
891	ehemeked.bazar
145	ehcaekem.bazar
308	aquheked.bazar
541	tuqeided.bazar
870	uconuhom.bazar
979	biewuhed.bazar
128	ucwyuhyw.bazar
283	fusouhem.bazar
769	huudekom.bazar
1154	etqeekom.bazar
1323	aqomekyw.bazar
1483	yponidem.bazar
384	extoekom.bazar
455	izywwyed.bazar
466	ypudekyw.bazar
990	aqtowyem.bazar
1177	ufonidyw.bazar
1349	biidekom.bazar
1420	agibekem.bazar
505	uccaeked.bazar
569	ehonuhyw.bazar
797	ufcawyem.bazar
1201	etsoidom.bazar
290	aquheked.bazar
383	extoekom.bazar
757	vuywuhem.bazar
1002	aqtowyem.bazar
1211	etsoidom.bazar
1178	ufonidyw.bazar
233	lionwyed.bazar
330	owacidyw.bazar
369	agewuhyw.bazar
487	ufwyuhom.bazar
496	uccaeked.bazar
578	liemekom.bazar
746	agidided.bazar
1338	iqcuuhem.bazar
1430	agibekem.bazar
617	fuuhwyyw.bazar
684	owtoeked.bazar
748	vuywuhem.bazar
1106	ypcawyom.bazar
1368	ydywidyw.bazar
516	etibidyw.bazar
734	agidided.bazar
1112	ypcawyom.bazar
1477	yponidem.bazar
1314	aqomekyw.bazar
265	iqemekyw.bazar
403	huomuhed.bazar
468	ypudekyw.bazar
596	tusouhed.bazar
846	tyqeekem.bazar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3924 set thread context of 1872	3924	regsvr32.exe	71

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3924	regsvr32.exe
3924	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71
PID 3924 wrote to memory of 1872	3924	regsvr32.exe	71

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3032
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\main.php.dll
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  PID:1872

C:\Windows\system32\regsvr32.exe
regsvr32 /s "C:\Users\Admin\AppData\Local\Temp\main.php.dll"
1⤵
PID:1108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-116-0x00000000020D0000-0x00000000022E0000-memory.dmp

Filesize
2.1MB

Download
memory/3924-115-0x0000000002590000-0x00000000027A0000-memory.dmp

Filesize
2.1MB

Download