bazarloader | 716f2ae73525362939d52104e809ea9da5e031f9d31f0b53d8de77df989c8b85 | Triage

Resubmissions

01-02-2022 01:10

220201-bjlkcafba8 10

01-02-2022 00:22

220201-anxmqsefa6 10

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-02-2022 00:22

Sharing

Report Analysis Logs

General

Target

picture.dll
Size

308KB
MD5

21c62adba10a2f518357106947a3410c
SHA1

607df191b24b5bc402bf4b37272c855c8ebb9dff
SHA256

716f2ae73525362939d52104e809ea9da5e031f9d31f0b53d8de77df989c8b85
SHA512

049c14038e81afa17759a27456207a39f18c08b2a65a56d786dcb458ae9544b1f061f408b07c1d614ddb9baf0fa0c20115e822095446c208016b9dfef243bdde

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1368-55-0x0000000180000000-0x000000018003D000-memory.dmp	BazarLoaderVar5
behavioral1/memory/1368-60-0x0000000180000000-0x000000018003D000-memory.dmp	BazarLoaderVar5

Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

4 1368 rundll32.exe
5 1368 rundll32.exe
6 1368 rundll32.exe
7 1368 rundll32.exe
8 1368 rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\picture.dll,#1
1⤵
- Blocklisted process makes network request
PID:1368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1368-55-0x0000000180000000-0x000000018003D000-memory.dmp

Filesize
244KB

Download
memory/1368-60-0x0000000180000000-0x000000018003D000-memory.dmp

Filesize
244KB

Download