Malware Analysis Report

2025-06-16 05:30

Sample ID: 211130-daagtsgeb3
Target: package.zip
SHA256: 5a36930f80cbf9c391eaeace63f0c12d882e27e27f73cb98a1c957ece4365b3d
Tags: bazarloader dropper loader
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 5a36930f80cbf9c391eaeace63f0c12d882e27e27f73cb98a1c957ece4365b3d

Threat Level: Known bad

The file package.zip was found to be: Known bad.

Malicious Activity Summary

bazarloader dropper loader

Bazar Loader

Bazar/Team9 Loader payload

Blocklisted process makes network request

Tries to connect to .bazar domain

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2021-11-30 02:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2021-11-30 02:47

Reported: 2021-11-30 02:55

Platform: win7-en-20211014

Max time kernel: 397s

Max time network: 406s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\run.bat"

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Tries to connect to .bazar domain

Description | Indicator | Process | Target
N/A | reddew28c.bazar | N/A | N/A
N/A | bluehail.bazar | N/A | N/A
N/A | whitestorm9p.bazar | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 752 wrote to memory of 524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 752 wrote to memory of 524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 752 wrote to memory of 524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\run.bat"

C:\Windows\system32\rundll32.exe

rundll32.exe grandpa.mpeg,gigi

Network

Files

memory/524-55-0x0000000000000000-mapping.dmp

memory/524-56-0x00000000003B0000-0x00000000003DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2021-11-30 02:47

Reported: 2021-11-30 02:55

Platform: win10-en-20211104

Max time kernel: 402s

Max time network: 405s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Tries to connect to .bazar domain


Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1012 wrote to memory of 492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe
PID 1012 wrote to memory of 492 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"

C:\Windows\system32\rundll32.exe

rundll32.exe grandpa.mpeg,gigi

Network

Files

memory/492-118-0x0000000000000000-mapping.dmp

memory/492-119-0x000001D0FA4F0000-0x000001D0FA51E000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2021-11-30 02:47

Reported: 2021-11-30 02:54

Platform: win7-en-20211014

Max time kernel: 361s

Max time network: 361s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\grandpa.mpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\grandpa.mpeg.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2021-11-30 02:47

Reported: 2021-11-30 02:54

Platform: win10-en-20211104

Max time kernel: 120s

Max time network: 362s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\grandpa.mpeg.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\grandpa.mpeg.dll,#1

Network

Country | Destination | Domain | Proto
IE | 52.109.76.32:443 | N/A | tcp
US | 8.8.8.8:53 | time.windows.com | udp
US | 168.61.215.74:123 | time.windows.com | udp

Files

N/A