bazarloader | a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266

General

Target

a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
Size

603KB
MD5

dac91ccf0929071e9db5b75be0f6a3a6
SHA1

466b804c1c95145f7a5d06cee956610c16951372
SHA256

a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266
SHA512

ac17c66d673306603d4d5c5bde77131e09fd754f4367006f85abf846303a03ac65d356ee6151afc1b696ba23d6d9446410760187ed236e01633590ac3753ea69

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1504-55-0x0000000001BC0000-0x0000000001BFD000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1504-59-0x0000000001E60000-0x0000000001E9A000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1504-63-0x0000000001B80000-0x0000000001BBB000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1120-72-0x0000000002070000-0x00000000020AA000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1576-87-0x0000000001D50000-0x0000000001D8A000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1908-101-0x0000000001F20000-0x0000000001F5A000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

Y4ND5C6.exeY4ND5C6.exe

pid process

1576 Y4ND5C6.exe
1908 Y4ND5C6.exe

pid	process
1576	Y4ND5C6.exe
1908	Y4ND5C6.exe

Tries to connect to .bazar domain 13 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
40	dcegjldlggjp.bazar
41	dcegjldlggjp.bazar
44	dcegjldlggjp.bazar
45	dcegjldlggjp.bazar
47	dcegjldlggjp.bazar
49	dcegjldlggjp.bazar
51	dcegjldlggjp.bazar
55	bdegjkbmggjo.bazar
42	dcegjldlggjp.bazar
43	dcegjldlggjp.bazar
46	dcegjldlggjp.bazar
48	dcegjldlggjp.bazar
50	dcegjldlggjp.bazar

Loads dropped DLL 2 IoCs

Processes:

cmd.execmd.exe

pid process

1076 cmd.exe
1580 cmd.exe

pid	process
1076	cmd.exe
1580	cmd.exe

Unexpected DNS network traffic destination 43 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	142.4.205.47
Destination IP	172.104.136.243
Destination IP	208.67.222.222
Destination IP	5.135.183.146
Destination IP	89.35.39.64
Destination IP	162.248.241.94
Destination IP	163.172.185.51
Destination IP	185.121.177.177
Destination IP	142.4.204.111
Destination IP	208.67.220.220
Destination IP	142.4.204.111
Destination IP	176.126.70.119
Destination IP	192.99.85.244
Destination IP	185.121.177.177
Destination IP	169.239.202.202
Destination IP	5.45.97.127
Destination IP	208.67.220.220
Destination IP	139.59.23.241
Destination IP	69.164.196.21
Destination IP	185.121.177.177
Destination IP	163.172.185.51
Destination IP	63.231.92.27
Destination IP	142.4.205.47
Destination IP	208.67.222.222
Destination IP	51.255.211.146
Destination IP	35.196.105.24
Destination IP	5.45.97.127
Destination IP	192.99.85.244
Destination IP	5.135.183.146
Destination IP	147.135.185.78
Destination IP	217.12.210.54
Destination IP	167.99.153.82
Destination IP	82.141.39.32
Destination IP	169.239.202.202
Destination IP	77.73.68.161
Destination IP	96.47.228.108
Destination IP	82.141.39.32
Destination IP	172.104.136.243
Destination IP	45.63.124.65
Destination IP	185.164.136.225
Destination IP	45.32.160.206
Destination IP	94.177.171.127
Destination IP	172.98.193.42

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Y4ND5C6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Q55TVRST = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v KWJN12LPGEZ /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Y4ND5C6.exe\\\" UP2ANP\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\Y4ND5C6.exe\" UP2ANP"	Y4ND5C6.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1548 PING.EXE
700 PING.EXE
1832 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe

pid process

1504 a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe

pid	process
1548	PING.EXE
700	PING.EXE
1832	PING.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exea0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exeY4ND5C6.exeY4ND5C6.exe

pid	process
1504	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
1504	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
1120	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
1120	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
1576	Y4ND5C6.exe
1576	Y4ND5C6.exe
1908	Y4ND5C6.exe
1908	Y4ND5C6.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.execmd.exea0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.execmd.exeY4ND5C6.execmd.exe

description	pid	process	target process
PID 1504 wrote to memory of 1244	1504	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe	cmd.exe
PID 1504 wrote to memory of 1244	1504	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe	cmd.exe
PID 1504 wrote to memory of 1244	1504	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe	cmd.exe
PID 1244 wrote to memory of 1548	1244	cmd.exe	PING.EXE
PID 1244 wrote to memory of 1548	1244	cmd.exe	PING.EXE
PID 1244 wrote to memory of 1548	1244	cmd.exe	PING.EXE
PID 1244 wrote to memory of 1120	1244	cmd.exe	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
PID 1244 wrote to memory of 1120	1244	cmd.exe	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
PID 1244 wrote to memory of 1120	1244	cmd.exe	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
PID 1120 wrote to memory of 1076	1120	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe	cmd.exe
PID 1120 wrote to memory of 1076	1120	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe	cmd.exe
PID 1120 wrote to memory of 1076	1120	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe	cmd.exe
PID 1076 wrote to memory of 700	1076	cmd.exe	PING.EXE
PID 1076 wrote to memory of 700	1076	cmd.exe	PING.EXE
PID 1076 wrote to memory of 700	1076	cmd.exe	PING.EXE
PID 1076 wrote to memory of 1576	1076	cmd.exe	Y4ND5C6.exe
PID 1076 wrote to memory of 1576	1076	cmd.exe	Y4ND5C6.exe
PID 1076 wrote to memory of 1576	1076	cmd.exe	Y4ND5C6.exe
PID 1576 wrote to memory of 1580	1576	Y4ND5C6.exe	cmd.exe
PID 1576 wrote to memory of 1580	1576	Y4ND5C6.exe	cmd.exe
PID 1576 wrote to memory of 1580	1576	Y4ND5C6.exe	cmd.exe
PID 1580 wrote to memory of 1832	1580	cmd.exe	PING.EXE
PID 1580 wrote to memory of 1832	1580	cmd.exe	PING.EXE
PID 1580 wrote to memory of 1832	1580	cmd.exe	PING.EXE
PID 1580 wrote to memory of 1908	1580	cmd.exe	Y4ND5C6.exe
PID 1580 wrote to memory of 1908	1580	cmd.exe	Y4ND5C6.exe
PID 1580 wrote to memory of 1908	1580	cmd.exe	Y4ND5C6.exe

C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
"C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe WZH9
2⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:1548

C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe WZH9
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe Y6J62
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:700

C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe
C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe Y6J62
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe UP2ANP
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:1832

C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe
C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe UP2ANP
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe
Filesize
603KB

MD5
dac91ccf0929071e9db5b75be0f6a3a6

SHA1
466b804c1c95145f7a5d06cee956610c16951372

SHA256
a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266

SHA512
ac17c66d673306603d4d5c5bde77131e09fd754f4367006f85abf846303a03ac65d356ee6151afc1b696ba23d6d9446410760187ed236e01633590ac3753ea69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe
Filesize
603KB

MD5
dac91ccf0929071e9db5b75be0f6a3a6

SHA1
466b804c1c95145f7a5d06cee956610c16951372

SHA256
a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266

SHA512
ac17c66d673306603d4d5c5bde77131e09fd754f4367006f85abf846303a03ac65d356ee6151afc1b696ba23d6d9446410760187ed236e01633590ac3753ea69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe
Filesize
603KB

MD5
dac91ccf0929071e9db5b75be0f6a3a6

SHA1
466b804c1c95145f7a5d06cee956610c16951372

SHA256
a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266

SHA512
ac17c66d673306603d4d5c5bde77131e09fd754f4367006f85abf846303a03ac65d356ee6151afc1b696ba23d6d9446410760187ed236e01633590ac3753ea69

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe
Filesize
603KB

MD5
dac91ccf0929071e9db5b75be0f6a3a6

SHA1
466b804c1c95145f7a5d06cee956610c16951372

SHA256
a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266

SHA512
ac17c66d673306603d4d5c5bde77131e09fd754f4367006f85abf846303a03ac65d356ee6151afc1b696ba23d6d9446410760187ed236e01633590ac3753ea69

Download Submit
\Users\Admin\AppData\Local\Temp\Y4ND5C6.exe
Filesize
603KB

MD5
dac91ccf0929071e9db5b75be0f6a3a6

SHA1
466b804c1c95145f7a5d06cee956610c16951372

SHA256
a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266

SHA512
ac17c66d673306603d4d5c5bde77131e09fd754f4367006f85abf846303a03ac65d356ee6151afc1b696ba23d6d9446410760187ed236e01633590ac3753ea69

Download Submit
memory/700-77-0x0000000000000000-mapping.dmp

Download
memory/1076-76-0x0000000000000000-mapping.dmp

Download
memory/1120-66-0x0000000000000000-mapping.dmp

Download
memory/1120-72-0x0000000002070000-0x00000000020AA000-memory.dmp

Filesize
232KB

Download
memory/1244-64-0x0000000000000000-mapping.dmp

Download
memory/1504-54-0x000007FEFB901000-0x000007FEFB903000-memory.dmp

Filesize
8KB

Download
memory/1504-63-0x0000000001B80000-0x0000000001BBB000-memory.dmp

Filesize
236KB

Download
memory/1504-59-0x0000000001E60000-0x0000000001E9A000-memory.dmp

Filesize
232KB

Download
memory/1504-55-0x0000000001BC0000-0x0000000001BFD000-memory.dmp

Filesize
244KB

Download
memory/1548-65-0x0000000000000000-mapping.dmp

Download
memory/1576-87-0x0000000001D50000-0x0000000001D8A000-memory.dmp

Filesize
232KB

Download
memory/1576-79-0x0000000000000000-mapping.dmp

Download
memory/1580-91-0x0000000000000000-mapping.dmp

Download
memory/1832-92-0x0000000000000000-mapping.dmp

Download
memory/1908-94-0x0000000000000000-mapping.dmp

Download
memory/1908-101-0x0000000001F20000-0x0000000001F5A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads