bazarloader | a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266

General

Target

a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
Size

603KB
MD5

dac91ccf0929071e9db5b75be0f6a3a6
SHA1

466b804c1c95145f7a5d06cee956610c16951372
SHA256

a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266
SHA512

ac17c66d673306603d4d5c5bde77131e09fd754f4367006f85abf846303a03ac65d356ee6151afc1b696ba23d6d9446410760187ed236e01633590ac3753ea69

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4152-134-0x0000000002150000-0x000000000218D000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4152-138-0x00000000021C0000-0x00000000021FA000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4152-142-0x0000000002110000-0x000000000214B000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4664-150-0x00000000022E0000-0x000000000231A000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

ZCQCC56.exeZCQCC56.exe

pid process

4964 ZCQCC56.exe
4324 ZCQCC56.exe
Tries to connect to .bazar domain 1 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow ioc

386 dcegjldlggjp.bazar

pid	process
4964	ZCQCC56.exe
4324	ZCQCC56.exe

flow	ioc
386	dcegjldlggjp.bazar

Unexpected DNS network traffic destination 31 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	185.121.177.177
Destination IP	185.121.177.177
Destination IP	35.196.105.24
Destination IP	217.12.210.54
Destination IP	169.239.202.202
Destination IP	5.45.97.127
Destination IP	69.164.196.21
Destination IP	208.67.222.222
Destination IP	172.98.193.42
Destination IP	163.172.185.51
Destination IP	176.126.70.119
Destination IP	172.104.136.243
Destination IP	5.135.183.146
Destination IP	139.59.23.241
Destination IP	147.135.185.78
Destination IP	167.99.153.82
Destination IP	192.99.85.244
Destination IP	208.67.220.220
Destination IP	82.141.39.32
Destination IP	142.4.204.111
Destination IP	96.47.228.108
Destination IP	45.32.160.206
Destination IP	94.177.171.127
Destination IP	162.248.241.94
Destination IP	89.35.39.64
Destination IP	77.73.68.161
Destination IP	63.231.92.27
Destination IP	45.63.124.65
Destination IP	51.255.211.146
Destination IP	142.4.205.47
Destination IP	185.164.136.225

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ZCQCC56.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\D0MLXHT90 = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v BDQYY4BK3Q /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZCQCC56.exe\\\" XAJP2NN\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZCQCC56.exe\" XAJP2NN"	ZCQCC56.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

4204 PING.EXE
556 PING.EXE
2964 PING.EXE

pid	process
4204	PING.EXE
556	PING.EXE
2964	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe

pid	process
4152	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
4152	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exea0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exeZCQCC56.exeZCQCC56.exe

pid	process
4152	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
4152	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
4664	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
4664	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
4964	ZCQCC56.exe
4964	ZCQCC56.exe
4324	ZCQCC56.exe
4324	ZCQCC56.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.execmd.exea0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.execmd.exeZCQCC56.execmd.exe

description	pid	process	target process
PID 4152 wrote to memory of 4488	4152	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe	cmd.exe
PID 4152 wrote to memory of 4488	4152	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe	cmd.exe
PID 4488 wrote to memory of 4204	4488	cmd.exe	PING.EXE
PID 4488 wrote to memory of 4204	4488	cmd.exe	PING.EXE
PID 4488 wrote to memory of 4664	4488	cmd.exe	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
PID 4488 wrote to memory of 4664	4488	cmd.exe	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
PID 4664 wrote to memory of 1988	4664	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe	cmd.exe
PID 4664 wrote to memory of 1988	4664	a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe	cmd.exe
PID 1988 wrote to memory of 556	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 556	1988	cmd.exe	PING.EXE
PID 1988 wrote to memory of 4964	1988	cmd.exe	ZCQCC56.exe
PID 1988 wrote to memory of 4964	1988	cmd.exe	ZCQCC56.exe
PID 4964 wrote to memory of 5104	4964	ZCQCC56.exe	cmd.exe
PID 4964 wrote to memory of 5104	4964	ZCQCC56.exe	cmd.exe
PID 5104 wrote to memory of 2964	5104	cmd.exe	PING.EXE
PID 5104 wrote to memory of 2964	5104	cmd.exe	PING.EXE
PID 5104 wrote to memory of 4324	5104	cmd.exe	ZCQCC56.exe
PID 5104 wrote to memory of 4324	5104	cmd.exe	ZCQCC56.exe

C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
"C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4152

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe H5Z85
2⤵
- Suspicious use of WriteProcessMemory
PID:4488

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:4204

C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe
C:\Users\Admin\AppData\Local\Temp\a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266.exe H5Z85
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\ZCQCC56.exe NNIT
4⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:556

C:\Users\Admin\AppData\Local\Temp\ZCQCC56.exe
C:\Users\Admin\AppData\Local\Temp\ZCQCC56.exe NNIT
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\ZCQCC56.exe XAJP2NN
6⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:2964

C:\Users\Admin\AppData\Local\Temp\ZCQCC56.exe
C:\Users\Admin\AppData\Local\Temp\ZCQCC56.exe XAJP2NN
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ZCQCC56.exe
Filesize
603KB

MD5
dac91ccf0929071e9db5b75be0f6a3a6

SHA1
466b804c1c95145f7a5d06cee956610c16951372

SHA256
a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266

SHA512
ac17c66d673306603d4d5c5bde77131e09fd754f4367006f85abf846303a03ac65d356ee6151afc1b696ba23d6d9446410760187ed236e01633590ac3753ea69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZCQCC56.exe
Filesize
603KB

MD5
dac91ccf0929071e9db5b75be0f6a3a6

SHA1
466b804c1c95145f7a5d06cee956610c16951372

SHA256
a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266

SHA512
ac17c66d673306603d4d5c5bde77131e09fd754f4367006f85abf846303a03ac65d356ee6151afc1b696ba23d6d9446410760187ed236e01633590ac3753ea69

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZCQCC56.exe
Filesize
603KB

MD5
dac91ccf0929071e9db5b75be0f6a3a6

SHA1
466b804c1c95145f7a5d06cee956610c16951372

SHA256
a0e3012469e311703c367ab48c15193f9406aa4026e40ed46de966c1cbd4e266

SHA512
ac17c66d673306603d4d5c5bde77131e09fd754f4367006f85abf846303a03ac65d356ee6151afc1b696ba23d6d9446410760187ed236e01633590ac3753ea69

Download Submit
memory/556-155-0x0000000000000000-mapping.dmp

Download
memory/1988-154-0x0000000000000000-mapping.dmp

Download
memory/2964-168-0x0000000000000000-mapping.dmp

Download
memory/4152-138-0x00000000021C0000-0x00000000021FA000-memory.dmp

Filesize
232KB

Download
memory/4152-142-0x0000000002110000-0x000000000214B000-memory.dmp

Filesize
236KB

Download
memory/4152-134-0x0000000002150000-0x000000000218D000-memory.dmp

Filesize
244KB

Download
memory/4204-144-0x0000000000000000-mapping.dmp

Download
memory/4324-169-0x0000000000000000-mapping.dmp

Download
memory/4488-143-0x0000000000000000-mapping.dmp

Download
memory/4664-150-0x00000000022E0000-0x000000000231A000-memory.dmp

Filesize
232KB

Download
memory/4664-145-0x0000000000000000-mapping.dmp

Download
memory/4964-156-0x0000000000000000-mapping.dmp

Download
memory/5104-167-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads