bazarloader | 6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e

General

Target

6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
Size

603KB
MD5

9a8c7ae7424367b8c24d5d70b9c1c867
SHA1

bc058fd1fc2cdc2522f2f17f980b2201951cb4ec
SHA256

6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e
SHA512

3235fd9ad888fbe95ddf6da8d75f0713e1a93b442027abc9f6d83ab9314e7981e699a3e5502568b26e9b403996fa63cee96ab360a1f5a770c1b1f495e5389deb

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1820-55-0x0000000001D00000-0x0000000001D3D000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1820-59-0x0000000001C80000-0x0000000001CBB000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1820-60-0x0000000001D50000-0x0000000001D8A000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1056-72-0x0000000001F10000-0x0000000001F4A000-memory.dmp	BazarLoaderVar1
behavioral1/memory/2000-87-0x0000000001FE0000-0x000000000201A000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1760-101-0x0000000002020000-0x000000000205A000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

S94F3D.exeS94F3D.exe

pid process

2000 S94F3D.exe
1760 S94F3D.exe

pid	process
2000	S94F3D.exe
1760	S94F3D.exe

Tries to connect to .bazar domain 11 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
41	dcegjldlggjp.bazar
42	dcegjldlggjp.bazar
46	dcegjldlggjp.bazar
47	dcegjldlggjp.bazar
49	dcegjldlggjp.bazar
40	dcegjldlggjp.bazar
43	dcegjldlggjp.bazar
44	dcegjldlggjp.bazar
45	dcegjldlggjp.bazar
48	dcegjldlggjp.bazar
50	dcegjldlggjp.bazar

Loads dropped DLL 2 IoCs

Processes:

cmd.execmd.exe

pid process

828 cmd.exe
1996 cmd.exe

pid	process
828	cmd.exe
1996	cmd.exe

Unexpected DNS network traffic destination 41 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	77.73.68.161
Destination IP	35.196.105.24
Destination IP	208.67.220.220
Destination IP	82.141.39.32
Destination IP	5.45.97.127
Destination IP	172.104.136.243
Destination IP	45.63.124.65
Destination IP	142.4.205.47
Destination IP	142.4.205.47
Destination IP	185.121.177.177
Destination IP	5.135.183.146
Destination IP	94.177.171.127
Destination IP	169.239.202.202
Destination IP	163.172.185.51
Destination IP	208.67.222.222
Destination IP	147.135.185.78
Destination IP	217.12.210.54
Destination IP	185.164.136.225
Destination IP	96.47.228.108
Destination IP	45.32.160.206
Destination IP	69.164.196.21
Destination IP	163.172.185.51
Destination IP	139.59.23.241
Destination IP	142.4.204.111
Destination IP	51.255.211.146
Destination IP	172.98.193.42
Destination IP	167.99.153.82
Destination IP	5.45.97.127
Destination IP	172.104.136.243
Destination IP	82.141.39.32
Destination IP	208.67.220.220
Destination IP	176.126.70.119
Destination IP	63.231.92.27
Destination IP	208.67.222.222
Destination IP	192.99.85.244
Destination IP	185.121.177.177
Destination IP	169.239.202.202
Destination IP	192.99.85.244
Destination IP	89.35.39.64
Destination IP	162.248.241.94
Destination IP	142.4.204.111

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

S94F3D.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\VL1D9FKSKJX = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v PFBK51BE /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\S94F3D.exe\\\" Z7XT1\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\S94F3D.exe\" Z7XT1"	S94F3D.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1200 PING.EXE
1560 PING.EXE
808 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe

pid process

1820 6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe

pid	process
1200	PING.EXE
1560	PING.EXE
808	PING.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exeS94F3D.exeS94F3D.exe

pid	process
1820	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
1820	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
1056	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
1056	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
2000	S94F3D.exe
2000	S94F3D.exe
1760	S94F3D.exe
1760	S94F3D.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.execmd.exe6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.execmd.exeS94F3D.execmd.exe

description	pid	process	target process
PID 1820 wrote to memory of 1236	1820	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe	cmd.exe
PID 1820 wrote to memory of 1236	1820	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe	cmd.exe
PID 1820 wrote to memory of 1236	1820	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe	cmd.exe
PID 1236 wrote to memory of 1200	1236	cmd.exe	PING.EXE
PID 1236 wrote to memory of 1200	1236	cmd.exe	PING.EXE
PID 1236 wrote to memory of 1200	1236	cmd.exe	PING.EXE
PID 1236 wrote to memory of 1056	1236	cmd.exe	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
PID 1236 wrote to memory of 1056	1236	cmd.exe	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
PID 1236 wrote to memory of 1056	1236	cmd.exe	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
PID 1056 wrote to memory of 828	1056	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe	cmd.exe
PID 1056 wrote to memory of 828	1056	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe	cmd.exe
PID 1056 wrote to memory of 828	1056	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe	cmd.exe
PID 828 wrote to memory of 1560	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 1560	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 1560	828	cmd.exe	PING.EXE
PID 828 wrote to memory of 2000	828	cmd.exe	S94F3D.exe
PID 828 wrote to memory of 2000	828	cmd.exe	S94F3D.exe
PID 828 wrote to memory of 2000	828	cmd.exe	S94F3D.exe
PID 2000 wrote to memory of 1996	2000	S94F3D.exe	cmd.exe
PID 2000 wrote to memory of 1996	2000	S94F3D.exe	cmd.exe
PID 2000 wrote to memory of 1996	2000	S94F3D.exe	cmd.exe
PID 1996 wrote to memory of 808	1996	cmd.exe	PING.EXE
PID 1996 wrote to memory of 808	1996	cmd.exe	PING.EXE
PID 1996 wrote to memory of 808	1996	cmd.exe	PING.EXE
PID 1996 wrote to memory of 1760	1996	cmd.exe	S94F3D.exe
PID 1996 wrote to memory of 1760	1996	cmd.exe	S94F3D.exe
PID 1996 wrote to memory of 1760	1996	cmd.exe	S94F3D.exe

C:\Users\Admin\AppData\Local\Temp\6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
"C:\Users\Admin\AppData\Local\Temp\6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe L33THB2
2⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:1200

C:\Users\Admin\AppData\Local\Temp\6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
C:\Users\Admin\AppData\Local\Temp\6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe L33THB2
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\S94F3D.exe B2BHFY
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:1560

C:\Users\Admin\AppData\Local\Temp\S94F3D.exe
C:\Users\Admin\AppData\Local\Temp\S94F3D.exe B2BHFY
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\S94F3D.exe Z7XT1
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:808

C:\Users\Admin\AppData\Local\Temp\S94F3D.exe
C:\Users\Admin\AppData\Local\Temp\S94F3D.exe Z7XT1
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\S94F3D.exe
Filesize
603KB

MD5
9a8c7ae7424367b8c24d5d70b9c1c867

SHA1
bc058fd1fc2cdc2522f2f17f980b2201951cb4ec

SHA256
6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e

SHA512
3235fd9ad888fbe95ddf6da8d75f0713e1a93b442027abc9f6d83ab9314e7981e699a3e5502568b26e9b403996fa63cee96ab360a1f5a770c1b1f495e5389deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\S94F3D.exe
Filesize
603KB

MD5
9a8c7ae7424367b8c24d5d70b9c1c867

SHA1
bc058fd1fc2cdc2522f2f17f980b2201951cb4ec

SHA256
6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e

SHA512
3235fd9ad888fbe95ddf6da8d75f0713e1a93b442027abc9f6d83ab9314e7981e699a3e5502568b26e9b403996fa63cee96ab360a1f5a770c1b1f495e5389deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\S94F3D.exe
Filesize
603KB

MD5
9a8c7ae7424367b8c24d5d70b9c1c867

SHA1
bc058fd1fc2cdc2522f2f17f980b2201951cb4ec

SHA256
6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e

SHA512
3235fd9ad888fbe95ddf6da8d75f0713e1a93b442027abc9f6d83ab9314e7981e699a3e5502568b26e9b403996fa63cee96ab360a1f5a770c1b1f495e5389deb

Download Submit
\Users\Admin\AppData\Local\Temp\S94F3D.exe
Filesize
603KB

MD5
9a8c7ae7424367b8c24d5d70b9c1c867

SHA1
bc058fd1fc2cdc2522f2f17f980b2201951cb4ec

SHA256
6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e

SHA512
3235fd9ad888fbe95ddf6da8d75f0713e1a93b442027abc9f6d83ab9314e7981e699a3e5502568b26e9b403996fa63cee96ab360a1f5a770c1b1f495e5389deb

Download Submit
\Users\Admin\AppData\Local\Temp\S94F3D.exe
Filesize
603KB

MD5
9a8c7ae7424367b8c24d5d70b9c1c867

SHA1
bc058fd1fc2cdc2522f2f17f980b2201951cb4ec

SHA256
6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e

SHA512
3235fd9ad888fbe95ddf6da8d75f0713e1a93b442027abc9f6d83ab9314e7981e699a3e5502568b26e9b403996fa63cee96ab360a1f5a770c1b1f495e5389deb

Download Submit
memory/808-92-0x0000000000000000-mapping.dmp

Download
memory/828-76-0x0000000000000000-mapping.dmp

Download
memory/1056-66-0x0000000000000000-mapping.dmp

Download
memory/1056-72-0x0000000001F10000-0x0000000001F4A000-memory.dmp

Filesize
232KB

Download
memory/1200-65-0x0000000000000000-mapping.dmp

Download
memory/1236-64-0x0000000000000000-mapping.dmp

Download
memory/1560-77-0x0000000000000000-mapping.dmp

Download
memory/1760-94-0x0000000000000000-mapping.dmp

Download
memory/1760-101-0x0000000002020000-0x000000000205A000-memory.dmp

Filesize
232KB

Download
memory/1820-54-0x000007FEFC2D1000-0x000007FEFC2D3000-memory.dmp

Filesize
8KB

Download
memory/1820-60-0x0000000001D50000-0x0000000001D8A000-memory.dmp

Filesize
232KB

Download
memory/1820-59-0x0000000001C80000-0x0000000001CBB000-memory.dmp

Filesize
236KB

Download
memory/1820-55-0x0000000001D00000-0x0000000001D3D000-memory.dmp

Filesize
244KB

Download
memory/1996-91-0x0000000000000000-mapping.dmp

Download
memory/2000-79-0x0000000000000000-mapping.dmp

Download
memory/2000-87-0x0000000001FE0000-0x000000000201A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads