bazarloader | f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

General

Target

f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
Size

1.0MB
MD5

4f0ff6002a6883636aace79606463b35
SHA1

54b8a004d96418010e2721fbe8bb156464b7da0f
SHA256

f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb
SHA512

5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Extracted

Family

bazarloader

C2

18.188.232.155

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\SMWBD08.exe	BazarLoaderVar1
C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe	BazarLoaderVar1
\Users\Admin\AppData\Local\Temp\SMWBD08.exe	BazarLoaderVar1
C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe	BazarLoaderVar1
\Users\Admin\AppData\Local\Temp\SMWBD08.exe	BazarLoaderVar1
C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe	BazarLoaderVar1
\Users\Admin\AppData\Local\Temp\SMWBD08.exe	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

SMWBD08.exeSMWBD08.exe

pid process

972 SMWBD08.exe
1664 SMWBD08.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.exe

pid process

1428 cmd.exe
1428 cmd.exe
964 cmd.exe
964 cmd.exe

pid	process
972	SMWBD08.exe
1664	SMWBD08.exe

pid	process
1428	cmd.exe
1428	cmd.exe
964	cmd.exe
964	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

SMWBD08.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\FFMQN9YDJTU = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v BJOLJHRA /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SMWBD08.exe\\\" PVJR8\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\SMWBD08.exe\" PVJR8"	SMWBD08.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

636 PING.EXE
1112 PING.EXE
824 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe

pid process

592 f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe

pid	process
636	PING.EXE
1112	PING.EXE
824	PING.EXE

pid	process
592	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.execmd.exef18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.execmd.exeSMWBD08.execmd.exe

description	pid	process	target process
PID 592 wrote to memory of 588	592	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	cmd.exe
PID 592 wrote to memory of 588	592	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	cmd.exe
PID 592 wrote to memory of 588	592	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	cmd.exe
PID 588 wrote to memory of 636	588	cmd.exe	PING.EXE
PID 588 wrote to memory of 636	588	cmd.exe	PING.EXE
PID 588 wrote to memory of 636	588	cmd.exe	PING.EXE
PID 588 wrote to memory of 2020	588	cmd.exe	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
PID 588 wrote to memory of 2020	588	cmd.exe	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
PID 588 wrote to memory of 2020	588	cmd.exe	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
PID 2020 wrote to memory of 1428	2020	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	cmd.exe
PID 2020 wrote to memory of 1428	2020	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	cmd.exe
PID 2020 wrote to memory of 1428	2020	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	cmd.exe
PID 1428 wrote to memory of 1112	1428	cmd.exe	PING.EXE
PID 1428 wrote to memory of 1112	1428	cmd.exe	PING.EXE
PID 1428 wrote to memory of 1112	1428	cmd.exe	PING.EXE
PID 1428 wrote to memory of 972	1428	cmd.exe	SMWBD08.exe
PID 1428 wrote to memory of 972	1428	cmd.exe	SMWBD08.exe
PID 1428 wrote to memory of 972	1428	cmd.exe	SMWBD08.exe
PID 972 wrote to memory of 964	972	SMWBD08.exe	cmd.exe
PID 972 wrote to memory of 964	972	SMWBD08.exe	cmd.exe
PID 972 wrote to memory of 964	972	SMWBD08.exe	cmd.exe
PID 964 wrote to memory of 824	964	cmd.exe	PING.EXE
PID 964 wrote to memory of 824	964	cmd.exe	PING.EXE
PID 964 wrote to memory of 824	964	cmd.exe	PING.EXE
PID 964 wrote to memory of 1664	964	cmd.exe	SMWBD08.exe
PID 964 wrote to memory of 1664	964	cmd.exe	SMWBD08.exe
PID 964 wrote to memory of 1664	964	cmd.exe	SMWBD08.exe

C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
"C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe SBF9WR3
2⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:636

C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe SBF9WR3
3⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe ZYMR1U
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:1112

C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe
C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe ZYMR1U
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe PVJR8
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:824

C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe
C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe PVJR8
7⤵
- Executes dropped EXE
PID:1664

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe
MD5
4f0ff6002a6883636aace79606463b35

SHA1
54b8a004d96418010e2721fbe8bb156464b7da0f

SHA256
f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

SHA512
5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe
MD5
4f0ff6002a6883636aace79606463b35

SHA1
54b8a004d96418010e2721fbe8bb156464b7da0f

SHA256
f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

SHA512
5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SMWBD08.exe
MD5
4f0ff6002a6883636aace79606463b35

SHA1
54b8a004d96418010e2721fbe8bb156464b7da0f

SHA256
f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

SHA512
5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Download Submit
\Users\Admin\AppData\Local\Temp\SMWBD08.exe
MD5
4f0ff6002a6883636aace79606463b35

SHA1
54b8a004d96418010e2721fbe8bb156464b7da0f

SHA256
f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

SHA512
5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Download Submit
\Users\Admin\AppData\Local\Temp\SMWBD08.exe
MD5
4f0ff6002a6883636aace79606463b35

SHA1
54b8a004d96418010e2721fbe8bb156464b7da0f

SHA256
f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

SHA512
5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Download Submit
\Users\Admin\AppData\Local\Temp\SMWBD08.exe
MD5
4f0ff6002a6883636aace79606463b35

SHA1
54b8a004d96418010e2721fbe8bb156464b7da0f

SHA256
f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

SHA512
5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Download Submit
\Users\Admin\AppData\Local\Temp\SMWBD08.exe
MD5
4f0ff6002a6883636aace79606463b35

SHA1
54b8a004d96418010e2721fbe8bb156464b7da0f

SHA256
f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

SHA512
5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Download Submit
memory/588-55-0x0000000000000000-mapping.dmp

Download
memory/636-56-0x0000000000000000-mapping.dmp

Download
memory/824-66-0x0000000000000000-mapping.dmp

Download
memory/964-65-0x0000000000000000-mapping.dmp

Download
memory/972-63-0x0000000000000000-mapping.dmp

Download
memory/1112-59-0x0000000000000000-mapping.dmp

Download
memory/1428-58-0x0000000000000000-mapping.dmp

Download
memory/1664-69-0x0000000000000000-mapping.dmp

Download
memory/2020-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads