Malware Analysis Report

2025-04-13 11:50

Sample ID 220119-tp5vaabdh3
Target 5101677762478080.zip
SHA256 487290690d5455b475497515474f45a5daf47ca8b2e8d64155f79f7fad0bb3a8
Tags
bazarloader dropper loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

487290690d5455b475497515474f45a5daf47ca8b2e8d64155f79f7fad0bb3a8

Threat Level: Known bad

The file 5101677762478080.zip was found to be: Known bad.

Malicious Activity Summary

bazarloader dropper loader

Bazar Loader

Bazar/Team9 Loader payload

Blocklisted process makes network request

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-01-19 16:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-01-19 16:14

Reported

2022-01-19 16:17

Platform

win7-en-20211208

Max time kernel

122s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Attachments.lnk

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description    Indicator    Process    Target
N/A            N/A          N/A        N/A

Loads dropped DLL

Description    Indicator    Process                           Target
N/A            N/A          C:\Windows\System32\rundll32.exe  N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description                       Indicator  Process                       Target
PID 1600 wrote to memory of 320   N/A        C:\Windows\system32\cmd.exe   C:\Windows\System32\cmd.exe
PID 1600 wrote to memory of 320   N/A        C:\Windows\system32\cmd.exe   C:\Windows\System32\cmd.exe
PID 1600 wrote to memory of 320   N/A        C:\Windows\system32\cmd.exe   C:\Windows\System32\cmd.exe
PID 320 wrote to memory of 652    N/A        C:\Windows\System32\cmd.exe   C:\Windows\system32\xcopy.exe
PID 320 wrote to memory of 652    N/A        C:\Windows\System32\cmd.exe   C:\Windows\system32\xcopy.exe
PID 320 wrote to memory of 652    N/A        C:\Windows\System32\cmd.exe   C:\Windows\system32\xcopy.exe
PID 320 wrote to memory of 472    N/A        C:\Windows\System32\cmd.exe   C:\Windows\System32\rundll32.exe
PID 320 wrote to memory of 472    N/A        C:\Windows\System32\cmd.exe   C:\Windows\System32\rundll32.exe
PID 320 wrote to memory of 472    N/A        C:\Windows\System32\cmd.exe   C:\Windows\System32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Attachments.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit

C:\Windows\system32\xcopy.exe

xcopy /y DumpStack.log c:\programdata\

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload

Network

N/A

Files

memory/1600-54-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

C:\programdata\DumpStack.log

MD5 f948fe3f01333c0326d4dd598e4945c0
SHA1 70a619d1b2acbf969b44aded654d6a9257465e2b
SHA256 f2a957f609ec57b8cbc6035629b249edc288bca6025a1e1a7c83a8ce20f7ebdb
SHA512 9406184548f174839dc1634b13018375afd9a34305a0810fbf18f32da44d0e77f887b192ad8c570700d94383df2d2bf3f120adf09073f3378e030bda3892f651

\ProgramData\DumpStack.log

MD5 f948fe3f01333c0326d4dd598e4945c0
SHA1 70a619d1b2acbf969b44aded654d6a9257465e2b
SHA256 f2a957f609ec57b8cbc6035629b249edc288bca6025a1e1a7c83a8ce20f7ebdb
SHA512 9406184548f174839dc1634b13018375afd9a34305a0810fbf18f32da44d0e77f887b192ad8c570700d94383df2d2bf3f120adf09073f3378e030bda3892f651

memory/472-57-0x0000000180000000-0x000000018003D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-01-19 16:14

Reported

2022-01-19 16:17

Platform

win10v2004-en-20220113

Max time kernel

128s

Max time network

137s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Attachments.lnk

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description    Indicator    Process    Target
N/A            N/A          N/A        N/A

Blocklisted process makes network request

Description    Indicator    Process                           Target
N/A            N/A          C:\Windows\System32\rundll32.exe  N/A
N/A            N/A          C:\Windows\System32\rundll32.exe  N/A
N/A            N/A          C:\Windows\System32\rundll32.exe  N/A
N/A            N/A          C:\Windows\System32\rundll32.exe  N/A

Checks computer location settings

Description        Indicator                                                                                           Process                      Target
Key value queried  \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation  C:\Windows\system32\cmd.exe  N/A

Loads dropped DLL

Description    Indicator    Process                           Target
N/A            N/A          C:\Windows\System32\rundll32.exe  N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description                        Indicator  Process                       Target
PID 2236 wrote to memory of 1908   N/A        C:\Windows\system32\cmd.exe   C:\Windows\System32\cmd.exe
PID 2236 wrote to memory of 1908   N/A        C:\Windows\system32\cmd.exe   C:\Windows\System32\cmd.exe
PID 1908 wrote to memory of 376    N/A        C:\Windows\System32\cmd.exe   C:\Windows\system32\xcopy.exe
PID 1908 wrote to memory of 376    N/A        C:\Windows\System32\cmd.exe   C:\Windows\system32\xcopy.exe
PID 1908 wrote to memory of 1860   N/A        C:\Windows\System32\cmd.exe   C:\Windows\System32\rundll32.exe
PID 1908 wrote to memory of 1860   N/A        C:\Windows\System32\cmd.exe   C:\Windows\System32\rundll32.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Attachments.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c xcopy /y DumpStack.log c:\programdata\ && C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload && exit

C:\Windows\system32\xcopy.exe

xcopy /y DumpStack.log c:\programdata\

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\programdata\DumpStack.log,spload

Network

Country  Destination          Domain         Proto
UA       194.38.20.11:443     194.38.20.11   tcp
BG       5.181.80.177:443                    tcp
US       45.41.204.147:443                   tcp
NZ       103.208.86.105:443                  tcp

Files

C:\programdata\DumpStack.log

MD5 f948fe3f01333c0326d4dd598e4945c0
SHA1 70a619d1b2acbf969b44aded654d6a9257465e2b
SHA256 f2a957f609ec57b8cbc6035629b249edc288bca6025a1e1a7c83a8ce20f7ebdb
SHA512 9406184548f174839dc1634b13018375afd9a34305a0810fbf18f32da44d0e77f887b192ad8c570700d94383df2d2bf3f120adf09073f3378e030bda3892f651

C:\ProgramData\DumpStack.log

MD5 f948fe3f01333c0326d4dd598e4945c0
SHA1 70a619d1b2acbf969b44aded654d6a9257465e2b
SHA256 f2a957f609ec57b8cbc6035629b249edc288bca6025a1e1a7c83a8ce20f7ebdb
SHA512 9406184548f174839dc1634b13018375afd9a34305a0810fbf18f32da44d0e77f887b192ad8c570700d94383df2d2bf3f120adf09073f3378e030bda3892f651

memory/1860-472-0x0000000180000000-0x000000018003D000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2022-01-19 16:14

Reported

2022-01-19 16:17

Platform

win7-en-20211208

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DumpStack.log.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DumpStack.log.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2022-01-19 16:14

Reported

2022-01-19 16:17

Platform

win10v2004-en-20220113

Max time kernel

122s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DumpStack.log.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DumpStack.log.dll,#1

Network

Country  Destination          Domain              Proto
US       93.184.220.29:80     crl4.digicert.com   tcp
FR       2.22.147.98:443                          tcp
FR       2.22.147.98:443                          tcp
FR       2.22.147.98:443                          tcp
FR       2.22.147.98:443                          tcp
FR       2.22.147.98:443                          tcp
FR       2.22.147.98:443                          tcp
FR       2.22.147.98:443                          tcp
NL       84.53.175.105:80                         tcp
NL       84.53.175.105:80                         tcp

Files

N/A