bazarloader | 2775f0156a394e76f16441e1a91c877323ef92d731370c87bbafb1481843b8f8 | Triage

Submit
Reports

Overview

overview

Static

static

9

2775f0156a...f8.exe

windows7_x64

2775f0156a...f8.exe

windows10-2004_x64

Sharing

General

Target

2775f0156a394e76f16441e1a91c877323ef92d731370c87bbafb1481843b8f8
Size

136KB
Sample

220220-k4twwsbhgr
MD5

b9e7cdd63db7ff765efeaabd0a85ca59
SHA1

7e300cb3e4dc52eaff8dc082c687442df84194c7
SHA256

2775f0156a394e76f16441e1a91c877323ef92d731370c87bbafb1481843b8f8
SHA512

800e61e0ca304d84a8da9ffd056ccec3c255c8e731f8f5d08f95b70aee65fbace7b6dff9faa0fc6ee0721da8f08cc91ecf14793ef150143dee68dff492bbcacf

Score

10^/10

bazarloader cryptone dropper loader packer persistence

Static task

static1

cryptone packer

Behavioral task

behavioral1

Sample

2775f0156a394e76f16441e1a91c877323ef92d731370c87bbafb1481843b8f8.exe

Resource

win7-en-20211208

bazarloader cryptone dropper loader packer persistence

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

2775f0156a394e76f16441e1a91c877323ef92d731370c87bbafb1481843b8f8.exe

Resource

win10v2004-en-20220113

bazarloader cryptone dropper loader packer persistence

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  2775f0156a394e76f16441e1a91c877323ef92d731370c87bbafb1481843b8f8
- Size
  
  136KB
- MD5
  
  b9e7cdd63db7ff765efeaabd0a85ca59
- SHA1
  
  7e300cb3e4dc52eaff8dc082c687442df84194c7
- SHA256
  
  2775f0156a394e76f16441e1a91c877323ef92d731370c87bbafb1481843b8f8
- SHA512
  
  800e61e0ca304d84a8da9ffd056ccec3c255c8e731f8f5d08f95b70aee65fbace7b6dff9faa0fc6ee0721da8f08cc91ecf14793ef150143dee68dff492bbcacf
Score

10^/10

bazarloader cryptone dropper loader packer persistence
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
  loader dropper bazarloader
- Bazar/Team9 Loader payload
- CryptOne packer
  Detects CryptOne packer defined in NCC blogpost.
  cryptone packer
- Executes dropped EXE
- Tries to connect to .bazar domain
  Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bazarloadercryptonedropperloaderpackerpersistence

behavioral2

bazarloadercryptonedropperloaderpackerpersistence

© 2018-2024

Terms | Privacy