bazarloader | 6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e

General

Target

6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
Size

603KB
MD5

9a8c7ae7424367b8c24d5d70b9c1c867
SHA1

bc058fd1fc2cdc2522f2f17f980b2201951cb4ec
SHA256

6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e
SHA512

3235fd9ad888fbe95ddf6da8d75f0713e1a93b442027abc9f6d83ab9314e7981e699a3e5502568b26e9b403996fa63cee96ab360a1f5a770c1b1f495e5389deb

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2072-130-0x0000000002150000-0x000000000218D000-memory.dmp	BazarLoaderVar1
behavioral2/memory/2072-134-0x00000000023D0000-0x000000000240A000-memory.dmp	BazarLoaderVar1
behavioral2/memory/2072-138-0x0000000002110000-0x000000000214B000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4916-146-0x00000000022A0000-0x00000000022DA000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4764-159-0x00000000021B0000-0x00000000021EA000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4688-171-0x00000000022C0000-0x00000000022FA000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

HN2ACC8.exeHN2ACC8.exe

pid process

4764 HN2ACC8.exe
4688 HN2ACC8.exe
Tries to connect to .bazar domain 1 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow ioc

71 dcegjldlggjp.bazar

pid	process
4764	HN2ACC8.exe
4688	HN2ACC8.exe

flow	ioc
71	dcegjldlggjp.bazar

Unexpected DNS network traffic destination 31 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	208.67.222.222
Destination IP	77.73.68.161
Destination IP	94.177.171.127
Destination IP	185.164.136.225
Destination IP	69.164.196.21
Destination IP	147.135.185.78
Destination IP	45.32.160.206
Destination IP	172.98.193.42
Destination IP	208.67.220.220
Destination IP	162.248.241.94
Destination IP	163.172.185.51
Destination IP	35.196.105.24
Destination IP	185.121.177.177
Destination IP	142.4.204.111
Destination IP	82.141.39.32
Destination IP	169.239.202.202
Destination IP	63.231.92.27
Destination IP	176.126.70.119
Destination IP	217.12.210.54
Destination IP	167.99.153.82
Destination IP	185.121.177.177
Destination IP	5.135.183.146
Destination IP	5.45.97.127
Destination IP	192.99.85.244
Destination IP	45.63.124.65
Destination IP	96.47.228.108
Destination IP	89.35.39.64
Destination IP	142.4.205.47
Destination IP	139.59.23.241
Destination IP	172.104.136.243
Destination IP	51.255.211.146

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

HN2ACC8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\VHVSD9E9P = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v ZSX7E1UTWM /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\HN2ACC8.exe\\\" XYX1FKJ\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\HN2ACC8.exe\" XYX1FKJ"	HN2ACC8.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

448 PING.EXE
4768 PING.EXE
3444 PING.EXE

pid	process
448	PING.EXE
4768	PING.EXE
3444	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe

pid	process
2072	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
2072	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exeHN2ACC8.exeHN2ACC8.exe

pid	process
2072	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
2072	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
4916	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
4916	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
4764	HN2ACC8.exe
4764	HN2ACC8.exe
4688	HN2ACC8.exe
4688	HN2ACC8.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.execmd.exe6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.execmd.exeHN2ACC8.execmd.exe

description	pid	process	target process
PID 2072 wrote to memory of 4516	2072	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe	cmd.exe
PID 2072 wrote to memory of 4516	2072	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe	cmd.exe
PID 4516 wrote to memory of 448	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 448	4516	cmd.exe	PING.EXE
PID 4516 wrote to memory of 4916	4516	cmd.exe	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
PID 4516 wrote to memory of 4916	4516	cmd.exe	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
PID 4916 wrote to memory of 480	4916	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe	cmd.exe
PID 4916 wrote to memory of 480	4916	6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe	cmd.exe
PID 480 wrote to memory of 4768	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 4768	480	cmd.exe	PING.EXE
PID 480 wrote to memory of 4764	480	cmd.exe	HN2ACC8.exe
PID 480 wrote to memory of 4764	480	cmd.exe	HN2ACC8.exe
PID 4764 wrote to memory of 4788	4764	HN2ACC8.exe	cmd.exe
PID 4764 wrote to memory of 4788	4764	HN2ACC8.exe	cmd.exe
PID 4788 wrote to memory of 3444	4788	cmd.exe	PING.EXE
PID 4788 wrote to memory of 3444	4788	cmd.exe	PING.EXE
PID 4788 wrote to memory of 4688	4788	cmd.exe	HN2ACC8.exe
PID 4788 wrote to memory of 4688	4788	cmd.exe	HN2ACC8.exe

C:\Users\Admin\AppData\Local\Temp\6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
"C:\Users\Admin\AppData\Local\Temp\6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe N5HD8
2⤵
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:448

C:\Users\Admin\AppData\Local\Temp\6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe
C:\Users\Admin\AppData\Local\Temp\6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e.exe N5HD8
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4916

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\HN2ACC8.exe HNPI
4⤵
- Suspicious use of WriteProcessMemory
PID:480

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:4768

C:\Users\Admin\AppData\Local\Temp\HN2ACC8.exe
C:\Users\Admin\AppData\Local\Temp\HN2ACC8.exe HNPI
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4764

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\HN2ACC8.exe XYX1FKJ
6⤵
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:3444

C:\Users\Admin\AppData\Local\Temp\HN2ACC8.exe
C:\Users\Admin\AppData\Local\Temp\HN2ACC8.exe XYX1FKJ
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HN2ACC8.exe
Filesize
603KB

MD5
9a8c7ae7424367b8c24d5d70b9c1c867

SHA1
bc058fd1fc2cdc2522f2f17f980b2201951cb4ec

SHA256
6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e

SHA512
3235fd9ad888fbe95ddf6da8d75f0713e1a93b442027abc9f6d83ab9314e7981e699a3e5502568b26e9b403996fa63cee96ab360a1f5a770c1b1f495e5389deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\HN2ACC8.exe
Filesize
603KB

MD5
9a8c7ae7424367b8c24d5d70b9c1c867

SHA1
bc058fd1fc2cdc2522f2f17f980b2201951cb4ec

SHA256
6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e

SHA512
3235fd9ad888fbe95ddf6da8d75f0713e1a93b442027abc9f6d83ab9314e7981e699a3e5502568b26e9b403996fa63cee96ab360a1f5a770c1b1f495e5389deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\HN2ACC8.exe
Filesize
603KB

MD5
9a8c7ae7424367b8c24d5d70b9c1c867

SHA1
bc058fd1fc2cdc2522f2f17f980b2201951cb4ec

SHA256
6a35b2f502b3479b94ae120b537f36ba6a659d323d19869a690fe78aac2e275e

SHA512
3235fd9ad888fbe95ddf6da8d75f0713e1a93b442027abc9f6d83ab9314e7981e699a3e5502568b26e9b403996fa63cee96ab360a1f5a770c1b1f495e5389deb

Download Submit
memory/448-140-0x0000000000000000-mapping.dmp

Download
memory/480-150-0x0000000000000000-mapping.dmp

Download
memory/2072-130-0x0000000002150000-0x000000000218D000-memory.dmp

Filesize
244KB

Download
memory/2072-134-0x00000000023D0000-0x000000000240A000-memory.dmp

Filesize
232KB

Download
memory/2072-138-0x0000000002110000-0x000000000214B000-memory.dmp

Filesize
236KB

Download
memory/3444-164-0x0000000000000000-mapping.dmp

Download
memory/4516-139-0x0000000000000000-mapping.dmp

Download
memory/4688-171-0x00000000022C0000-0x00000000022FA000-memory.dmp

Filesize
232KB

Download
memory/4688-165-0x0000000000000000-mapping.dmp

Download
memory/4764-159-0x00000000021B0000-0x00000000021EA000-memory.dmp

Filesize
232KB

Download
memory/4764-152-0x0000000000000000-mapping.dmp

Download
memory/4768-151-0x0000000000000000-mapping.dmp

Download
memory/4788-163-0x0000000000000000-mapping.dmp

Download
memory/4916-146-0x00000000022A0000-0x00000000022DA000-memory.dmp

Filesize
232KB

Download
memory/4916-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads