bazarloader | 102dca8d268dbbba33770459009d4d67e0d714b44523c28fce57ee83fe186a31 | Triage

Analysis

max time kernel
4294211s
max time network
154s
platform
windows7_x64
resource
win7-20220311-en
submitted
19-03-2022 14:35

Sharing

Report Analysis Logs

General

Target

102dca8d268dbbba33770459009d4d67e0d714b44523c28fce57ee83fe186a31.exe
Size

285KB
MD5

e018926f81bf4599dedb4ae1696689b1
SHA1

32ccd73e3acf5ea7f78cf4f619d717d404660275
SHA256

102dca8d268dbbba33770459009d4d67e0d714b44523c28fce57ee83fe186a31
SHA512

06b46d9fd4970b946f42d05c4f83e7a2dae66fdc21ce0243f0bb51a714dd800de5b82667fd145d10c353dc7c82c1213bda510ce9bdb5b44d825331da9a807125

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1616-55-0x0000000000260000-0x000000000027C000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1616-59-0x0000000180000000-0x000000018001A000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1616-63-0x0000000000240000-0x000000000025A000-memory.dmp	BazarLoaderVar1

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
241	qeawtoto.bazar
258	toqaudel.bazar
282	qerasoud.bazar
44	onylelto.bazar
73	iboxonib.bazar
96	ekoxibso.bazar
103	ekoxibso.bazar
122	ekoxibso.bazar
288	qerasoud.bazar
208	uhcyibel.bazar
235	qeawtoto.bazar
296	qerasoud.bazar
325	ewquelib.bazar
381	tooxelud.bazar
93	iboxonib.bazar
202	uhcyibel.bazar
207	uhcyibel.bazar
259	toqaudel.bazar
329	ewquelib.bazar
368	tooxelud.bazar
191	uhcyibel.bazar
193	uhcyibel.bazar
312	ewquelib.bazar
56	onylelto.bazar
69	iboxonib.bazar
314	ewquelib.bazar
335	ewquelib.bazar
334	ewquelib.bazar
349	uhdaelso.bazar
109	ekoxibso.bazar
157	caylibso.bazar
211	uhcyibel.bazar
232	qeawtoto.bazar
323	ewquelib.bazar
247	toqaudel.bazar
253	toqaudel.bazar
55	onylelto.bazar
66	iboxonib.bazar
117	ekoxibso.bazar
143	emoxibon.bazar
213	uhcyibel.bazar
142	emoxibon.bazar
318	ewquelib.bazar
57	onylelto.bazar
59	onylelto.bazar
61	onylelto.bazar
84	iboxonib.bazar
120	ekoxibso.bazar
102	ekoxibso.bazar
105	ekoxibso.bazar
236	qeawtoto.bazar
267	toqaudel.bazar
364	uhdaelso.bazar
302	qerasoud.bazar
362	uhdaelso.bazar
116	ekoxibso.bazar
127	emoxibon.bazar
215	uhcyibel.bazar
221	qeawtoto.bazar
276	qerasoud.bazar
319	ewquelib.bazar
38	onylelto.bazar
77	iboxonib.bazar
86	iboxonib.bazar

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

102dca8d268dbbba33770459009d4d67e0d714b44523c28fce57ee83fe186a31.exe

pid process

1616 102dca8d268dbbba33770459009d4d67e0d714b44523c28fce57ee83fe186a31.exe

C:\Users\Admin\AppData\Local\Temp\102dca8d268dbbba33770459009d4d67e0d714b44523c28fce57ee83fe186a31.exe
"C:\Users\Admin\AppData\Local\Temp\102dca8d268dbbba33770459009d4d67e0d714b44523c28fce57ee83fe186a31.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-54-0x000007FEF6B71000-0x000007FEF6B73000-memory.dmp

Filesize
8KB

Download
memory/1616-55-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1616-59-0x0000000180000000-0x000000018001A000-memory.dmp

Filesize
104KB

Download
memory/1616-63-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download