bazarloader | 716f2ae73525362939d52104e809ea9da5e031f9d31f0b53d8de77df989c8b85

Resubmissions

01-02-2022 01:10

220201-bjlkcafba8 10

01-02-2022 00:22

220201-anxmqsefa6 10

Analysis

max time kernel
1786s
max time network
1790s
platform
windows10-2004_x64
resource
win10v2004-en-20220112
submitted
01-02-2022 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

picture.dll
Size

308KB
MD5

21c62adba10a2f518357106947a3410c
SHA1

607df191b24b5bc402bf4b37272c855c8ebb9dff
SHA256

716f2ae73525362939d52104e809ea9da5e031f9d31f0b53d8de77df989c8b85
SHA512

049c14038e81afa17759a27456207a39f18c08b2a65a56d786dcb458ae9544b1f061f408b07c1d614ddb9baf0fa0c20115e822095446c208016b9dfef243bdde

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

resource	yara_rule
behavioral1/memory/3096-130-0x0000000180000000-0x000000018003D000-memory.dmp	BazarLoaderVar5
behavioral1/memory/3096-135-0x0000000180000000-0x000000018003D000-memory.dmp	BazarLoaderVar5

Blocklisted process makes network request 64 IoCs

flow	pid	Process
54	3096	rundll32.exe
56	3096	rundll32.exe
60	3096	rundll32.exe
61	3096	rundll32.exe
66	3096	rundll32.exe
67	3096	rundll32.exe
68	3096	rundll32.exe
69	3096	rundll32.exe
70	3096	rundll32.exe
71	3096	rundll32.exe
72	3096	rundll32.exe
73	3096	rundll32.exe
74	3096	rundll32.exe
76	3096	rundll32.exe
77	3096	rundll32.exe
78	3096	rundll32.exe
79	3096	rundll32.exe
80	3096	rundll32.exe
81	3096	rundll32.exe
82	3096	rundll32.exe
83	3096	rundll32.exe
84	3096	rundll32.exe
85	3096	rundll32.exe
86	3096	rundll32.exe
87	3096	rundll32.exe
88	3096	rundll32.exe
89	3096	rundll32.exe
90	3096	rundll32.exe
91	3096	rundll32.exe
92	3096	rundll32.exe
93	3096	rundll32.exe
94	3096	rundll32.exe
95	3096	rundll32.exe
96	3096	rundll32.exe
97	3096	rundll32.exe
98	3096	rundll32.exe
99	3096	rundll32.exe
100	3096	rundll32.exe
101	3096	rundll32.exe
102	3096	rundll32.exe
103	3096	rundll32.exe
104	3096	rundll32.exe
105	3096	rundll32.exe
106	3096	rundll32.exe
107	3096	rundll32.exe
108	3096	rundll32.exe
109	3096	rundll32.exe
110	3096	rundll32.exe
111	3096	rundll32.exe
112	3096	rundll32.exe
113	3096	rundll32.exe
114	3096	rundll32.exe
115	3096	rundll32.exe
116	3096	rundll32.exe
117	3096	rundll32.exe
118	3096	rundll32.exe
119	3096	rundll32.exe
120	3096	rundll32.exe
121	3096	rundll32.exe
122	3096	rundll32.exe
123	3096	rundll32.exe
124	3096	rundll32.exe
125	3096	rundll32.exe
126	3096	rundll32.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

flow	ioc
798	ifkoxyxy.bazar
1203	usbexyif.bazar
1353	nobuifus.bazar
1698	deicekek.bazar
1290	alhoekif.bazar
500	kahousek.bazar
676	oqbeifxy.bazar
726	ytfyxyus.bazar
779	kaehifus.bazar
1001	vufyusif.bazar
1089	kaynusxy.bazar
1229	oquvusek.bazar
1241	oquvusek.bazar
841	xyefifxy.bazar
882	usboekxy.bazar
155	deuqekif.bazar
516	xyogusus.bazar
1507	ubuvusif.bazar
1635	ekefxyus.bazar
1183	ibniifxy.bazar
1692	deicekek.bazar
254	usbuekek.bazar
980	xegoifek.bazar
1235	oquvusek.bazar
1392	zuebekus.bazar
1429	izicusus.bazar
240	izkoifus.bazar
534	dekoxyek.bazar
1676	nosyusxy.bazar
485	ifuqekus.bazar
1566	alehusek.bazar
1787	ibgoxyek.bazar
999	vufyusif.bazar
1134	desyxyxy.bazar
157	deuqekif.bazar
207	xyehifek.bazar
1422	deboifif.bazar
1426	izicusus.bazar
1629	zeynekxy.bazar
94	piynxyek.bazar
613	ubboekek.bazar
698	zeuvxyif.bazar
1373	kaefxyif.bazar
1613	ytbuxyek.bazar
1816	ofuqxyus.bazar
672	oqbeifxy.bazar
1418	deboifif.bazar
1520	pigoifus.bazar
1638	ekefxyus.bazar
376	xeniekxy.bazar
1003	vufyusif.bazar
1596	vukousus.bazar
1231	oquvusek.bazar
1551	oqhoekus.bazar
1299	zeehxyus.bazar
449	ytgoekek.bazar
501	zuehifxy.bazar
558	xyynxyus.bazar
857	ibebusus.bazar
896	ubicxyus.bazar
1090	kaynusxy.bazar
826	zuynusif.bazar
844	xyefifxy.bazar
874	izsyxyif.bazar

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\picture.dll,#1
1⤵
- Blocklisted process makes network request
PID:3096

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe c1819e5a1fdcd257483cf4f5d0133d43 YQrEdCFXz06ODjFLt2s8rg.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:1392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p
1⤵
PID:3064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wsappx -p
1⤵
PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3096-130-0x0000000180000000-0x000000018003D000-memory.dmp

Filesize
244KB

Download
memory/3096-135-0x0000000180000000-0x000000018003D000-memory.dmp

Filesize
244KB

Download