bazarloader | 0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7

Analysis

max time kernel
152s
max time network
152s
platform
windows10_x64
resource
win10-en-20211014
submitted
08-12-2021 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
Size

241KB
MD5

4de86d0bc1875db66ea143fc38c110e0
SHA1

2d2ab543f8f709e624dd11fd984264b4a06d4819
SHA256

0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7
SHA512

a0b824a029959200166d00cc3162b8d457a351af45e2d5df5ef0f66753c06668c3805f01cd8b14e0e030706e047d201cac0761c38c80b00a08c7223cfad38275

Score

10^/10

bazarloader raccoon smokeloader f797145799b7b1b77b35d81de942eee0908da519 fd4f23250443a724a3d1548e6ab07c481dfc2814 backdoor dropper loader stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

f797145799b7b1b77b35d81de942eee0908da519

Attributes

url4cnc
http://91.219.236.27/capibar
http://94.158.245.167/capibar
http://185.163.204.216/capibar
http://185.225.19.238/capibar
http://185.163.204.218/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

fd4f23250443a724a3d1548e6ab07c481dfc2814

Attributes

url4cnc
http://91.219.236.27/duglassa1
http://94.158.245.167/duglassa1
http://185.163.204.216/duglassa1
http://185.225.19.238/duglassa1
http://185.163.204.218/duglassa1
https://t.me/duglassa1

rc4.plain

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2596-146-0x0000000001FB0000-0x0000000001FF0000-memory.dmp	BazarLoaderVar5

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

2A29.exe2A29.exeA517.exe389E.exe

pid process

3952 2A29.exe
1124 2A29.exe
808 A517.exe
3544 389E.exe
Deletes itself 1 IoCs

Processes:

pid process

3020
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2596 regsvr32.exe

pid	process
3952	2A29.exe
1124	2A29.exe
808	A517.exe
3544	389E.exe

pid	process
3020

pid	process
2596	regsvr32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe2A29.exe

description	pid	process	target process
PID 2756 set thread context of 3128	2756	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
PID 3952 set thread context of 1124	3952	2A29.exe	2A29.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2A29.exe0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2A29.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2A29.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2A29.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe

pid	process
3128	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
3128	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020
3020

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3020
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe2A29.exe

pid process

3128 0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
1124 2A29.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

description pid process

Token: SeShutdownPrivilege 3020
Token: SeCreatePagefilePrivilege 3020

pid	process
3020

description	pid	process
Token: SeShutdownPrivilege	3020
Token: SeCreatePagefilePrivilege	3020

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe2A29.exe

description	pid	process	target process
PID 2756 wrote to memory of 3128	2756	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
PID 2756 wrote to memory of 3128	2756	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
PID 2756 wrote to memory of 3128	2756	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
PID 2756 wrote to memory of 3128	2756	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
PID 2756 wrote to memory of 3128	2756	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
PID 2756 wrote to memory of 3128	2756	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe	0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
PID 3020 wrote to memory of 3952	3020		2A29.exe
PID 3020 wrote to memory of 3952	3020		2A29.exe
PID 3020 wrote to memory of 3952	3020		2A29.exe
PID 3952 wrote to memory of 1124	3952	2A29.exe	2A29.exe
PID 3952 wrote to memory of 1124	3952	2A29.exe	2A29.exe
PID 3952 wrote to memory of 1124	3952	2A29.exe	2A29.exe
PID 3952 wrote to memory of 1124	3952	2A29.exe	2A29.exe
PID 3952 wrote to memory of 1124	3952	2A29.exe	2A29.exe
PID 3952 wrote to memory of 1124	3952	2A29.exe	2A29.exe
PID 3020 wrote to memory of 808	3020		A517.exe
PID 3020 wrote to memory of 808	3020		A517.exe
PID 3020 wrote to memory of 808	3020		A517.exe
PID 3020 wrote to memory of 2596	3020		regsvr32.exe
PID 3020 wrote to memory of 2596	3020		regsvr32.exe
PID 3020 wrote to memory of 3544	3020		389E.exe
PID 3020 wrote to memory of 3544	3020		389E.exe
PID 3020 wrote to memory of 3544	3020		389E.exe

C:\Users\Admin\AppData\Local\Temp\0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
"C:\Users\Admin\AppData\Local\Temp\0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe
"C:\Users\Admin\AppData\Local\Temp\0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3128

C:\Users\Admin\AppData\Local\Temp\2A29.exe
C:\Users\Admin\AppData\Local\Temp\2A29.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3952

C:\Users\Admin\AppData\Local\Temp\2A29.exe
C:\Users\Admin\AppData\Local\Temp\2A29.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1124

C:\Users\Admin\AppData\Local\Temp\A517.exe
C:\Users\Admin\AppData\Local\Temp\A517.exe
1⤵
- Executes dropped EXE
PID:808

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1BED.dll
1⤵
- Loads dropped DLL
PID:2596

C:\Users\Admin\AppData\Local\Temp\389E.exe
C:\Users\Admin\AppData\Local\Temp\389E.exe
1⤵
- Executes dropped EXE
PID:3544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1BED.dll
MD5
a49d28798147cc039e3ac341044fe612

SHA1
b950324092db34ad2940560d85f07744dd9e5b0c

SHA256
17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b

SHA512
6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A29.exe
MD5
4de86d0bc1875db66ea143fc38c110e0

SHA1
2d2ab543f8f709e624dd11fd984264b4a06d4819

SHA256
0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7

SHA512
a0b824a029959200166d00cc3162b8d457a351af45e2d5df5ef0f66753c06668c3805f01cd8b14e0e030706e047d201cac0761c38c80b00a08c7223cfad38275

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A29.exe
MD5
4de86d0bc1875db66ea143fc38c110e0

SHA1
2d2ab543f8f709e624dd11fd984264b4a06d4819

SHA256
0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7

SHA512
a0b824a029959200166d00cc3162b8d457a351af45e2d5df5ef0f66753c06668c3805f01cd8b14e0e030706e047d201cac0761c38c80b00a08c7223cfad38275

Download Submit
C:\Users\Admin\AppData\Local\Temp\2A29.exe
MD5
4de86d0bc1875db66ea143fc38c110e0

SHA1
2d2ab543f8f709e624dd11fd984264b4a06d4819

SHA256
0bba9929099245665a912ee9dbf199a49aa593e29c83e61c046ef3cf2b11dec7

SHA512
a0b824a029959200166d00cc3162b8d457a351af45e2d5df5ef0f66753c06668c3805f01cd8b14e0e030706e047d201cac0761c38c80b00a08c7223cfad38275

Download Submit
C:\Users\Admin\AppData\Local\Temp\389E.exe
MD5
82647c7fd8bfcebe57a46f009285e030

SHA1
d602af33f0bb33493b0d3530ee9369b5cfe2df0a

SHA256
eefc11d7652518188e5cec696e4e45f774acc45b4d158cba71eb5a8cfe392736

SHA512
3c956fca15a15ef0e4804f51de7aa1cd2dbd829340558378350defbb2924986c72cce4af54b126e078d09d9acbe4bb435f1160944523f8fb6dbf871cbf546fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\389E.exe
MD5
82647c7fd8bfcebe57a46f009285e030

SHA1
d602af33f0bb33493b0d3530ee9369b5cfe2df0a

SHA256
eefc11d7652518188e5cec696e4e45f774acc45b4d158cba71eb5a8cfe392736

SHA512
3c956fca15a15ef0e4804f51de7aa1cd2dbd829340558378350defbb2924986c72cce4af54b126e078d09d9acbe4bb435f1160944523f8fb6dbf871cbf546fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\A517.exe
MD5
bce50d5b17bb88f22f0000511026520d

SHA1
599aaed4ee72ec0e0fc4cada844a1c210e332961

SHA256
77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455

SHA512
c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\A517.exe
MD5
bce50d5b17bb88f22f0000511026520d

SHA1
599aaed4ee72ec0e0fc4cada844a1c210e332961

SHA256
77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455

SHA512
c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

Download Submit
\Users\Admin\AppData\Local\Temp\1BED.dll
MD5
a49d28798147cc039e3ac341044fe612

SHA1
b950324092db34ad2940560d85f07744dd9e5b0c

SHA256
17b8dbb794a05333446fc5eddff69ef061fea63ff3a7aeb1a7b5e1d87337584b

SHA512
6ba8410d56bd64115da7cee0afd70a5e88699fccacbb42fcbd9990575a132828ecab630bdbf2349bbb4f7db97b9900eb765781e3654af3beadb884aba565723a

Download Submit
memory/808-134-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/808-133-0x0000000002020000-0x00000000020AF000-memory.dmp

Filesize
572KB

Download
memory/808-132-0x0000000000728000-0x0000000000777000-memory.dmp

Filesize
316KB

Download
memory/808-129-0x0000000000000000-mapping.dmp

Download
memory/1124-124-0x0000000000402F47-mapping.dmp

Download
memory/2596-135-0x0000000000000000-mapping.dmp

Download
memory/2596-146-0x0000000001FB0000-0x0000000001FF0000-memory.dmp

Filesize
256KB

Download
memory/2596-144-0x0000000002440000-0x0000000002442000-memory.dmp

Filesize
8KB

Download
memory/2596-145-0x0000000002440000-0x0000000002442000-memory.dmp

Filesize
8KB

Download
memory/2756-118-0x0000000002D20000-0x0000000002D29000-memory.dmp

Filesize
36KB

Download
memory/2756-117-0x0000000002B80000-0x0000000002C2E000-memory.dmp

Filesize
696KB

Download
memory/3020-128-0x0000000001FE0000-0x0000000001FF6000-memory.dmp

Filesize
88KB

Download
memory/3020-119-0x0000000000540000-0x0000000000556000-memory.dmp

Filesize
88KB

Download
memory/3128-116-0x0000000000402F47-mapping.dmp

Download
memory/3128-115-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3544-143-0x0000000000400000-0x0000000002BBC000-memory.dmp

Filesize
39.7MB

Download
memory/3544-141-0x0000000002BC0000-0x0000000002C6E000-memory.dmp

Filesize
696KB

Download
memory/3544-142-0x0000000004860000-0x00000000048EF000-memory.dmp

Filesize
572KB

Download
memory/3544-138-0x0000000000000000-mapping.dmp

Download
memory/3952-120-0x0000000000000000-mapping.dmp

Download
memory/3952-127-0x0000000002BE0000-0x0000000002D2A000-memory.dmp

Filesize
1.3MB

Download
memory/3952-126-0x0000000002BE0000-0x0000000002D2A000-memory.dmp

Filesize
1.3MB

Download