bazarloader | f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb

General

Target

f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
Size

1.0MB
MD5

4f0ff6002a6883636aace79606463b35
SHA1

54b8a004d96418010e2721fbe8bb156464b7da0f
SHA256

f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb
SHA512

5e77ecb9fbd0264f02065f84b446284249e61ca941f46de5152fc15552691a587edf04617aa1f3e673fcaeb86d4f26658de16c88a4f2f3949dbf5b7a9a8056e9

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Extracted

Family

bazarloader

C2

18.188.232.155

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000500000001aba0-124.dat	BazarLoaderVar1
behavioral2/files/0x000500000001aba0-125.dat	BazarLoaderVar1
behavioral2/files/0x000500000001aba0-129.dat	BazarLoaderVar1

Executes dropped EXE 2 IoCs

pid	Process
592	IZVA66D.exe
2884	IZVA66D.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	IZVA66D.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\GNGCEO31QU = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v OYKWU9Y6A /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\IZVA66D.exe\\\" I3BV\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IZVA66D.exe\" I3BV"	IZVA66D.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1364	PING.EXE
3108	PING.EXE
3008	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2412	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
2412	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3736	2412	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	68
PID 2412 wrote to memory of 3736	2412	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	68
PID 3736 wrote to memory of 1364	3736	cmd.exe	70
PID 3736 wrote to memory of 1364	3736	cmd.exe	70
PID 3736 wrote to memory of 868	3736	cmd.exe	71
PID 3736 wrote to memory of 868	3736	cmd.exe	71
PID 868 wrote to memory of 2012	868	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	72
PID 868 wrote to memory of 2012	868	f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe	72
PID 2012 wrote to memory of 3108	2012	cmd.exe	74
PID 2012 wrote to memory of 3108	2012	cmd.exe	74
PID 2012 wrote to memory of 592	2012	cmd.exe	75
PID 2012 wrote to memory of 592	2012	cmd.exe	75
PID 592 wrote to memory of 3432	592	IZVA66D.exe	76
PID 592 wrote to memory of 3432	592	IZVA66D.exe	76
PID 3432 wrote to memory of 3008	3432	cmd.exe	78
PID 3432 wrote to memory of 3008	3432	cmd.exe	78
PID 3432 wrote to memory of 2884	3432	cmd.exe	79
PID 3432 wrote to memory of 2884	3432	cmd.exe	79

C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
"C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe WBH9MI
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\system32\PING.EXE
    ping 8.8.8.8 -n 2
    3⤵
    - Runs ping.exe
    PID:1364
- - C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe
    C:\Users\Admin\AppData\Local\Temp\f18c2a8922bbe7b8f12980a46cc3548e9a0903a7294206eeb2d01f7923cdb8eb.exe WBH9MI
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe W4X7FLF
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        5⤵
        Runs ping.exe
        
        PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe
        
        C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe W4X7FLF
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:592
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe I3BV
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\system32\PING.EXE
        
        ping 8.8.8.8 -n 2
        7⤵
        Runs ping.exe
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe
        
        C:\Users\Admin\AppData\Local\Temp\IZVA66D.exe I3BV
        7⤵
        Executes dropped EXE
        
        PID:2884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads