bazarloader | 48d33f902d5d81182b60d6a3f1ccb88dde3538a4a07abf40617dc12e039fb7bd

General

Target

paraplanner.dll
Size

174KB
MD5

ef224d17c7b2d2887a238e037496ae83
SHA1

aece94262ddca2bf181f02c17ec93d35fc3aab91
SHA256

48d33f902d5d81182b60d6a3f1ccb88dde3538a4a07abf40617dc12e039fb7bd
SHA512

edb0d3a70da93f93b7255a674f6d630f50f125a689ee7225d85b44963b43ad7cbe10ee67ba81cfe83537c155aa8852443ffb69dba6d497751863a4917bca5a81

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Extracted

Family

bazarloader

C2

144.217.50.242

5.39.63.103

94.140.113.53

185.163.45.95

reddew28c.bazar

bluehail.bazar

whitestorm9p.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run\0q0ci6sB1gW5cD8sS6T = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\paraplanner.dll\", #1 wD6bUqfE kH6FC7aq7 4d6pZ7tE2aItuW3"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2932610838-281738825-1127631353-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1556 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1332 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

rundll32.exe

pid process

1920 rundll32.exe

pid	process
1556	reg.exe

pid	process
1332	PING.EXE

pid	process
1920	rundll32.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

rundll32.execmd.exerundll32.execmd.execmd.exe

description	pid	process	target process
PID 948 wrote to memory of 2040	948	rundll32.exe	cmd.exe
PID 948 wrote to memory of 2040	948	rundll32.exe	cmd.exe
PID 948 wrote to memory of 2040	948	rundll32.exe	cmd.exe
PID 2040 wrote to memory of 1332	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1332	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1332	2040	cmd.exe	PING.EXE
PID 2040 wrote to memory of 1920	2040	cmd.exe	rundll32.exe
PID 2040 wrote to memory of 1920	2040	cmd.exe	rundll32.exe
PID 2040 wrote to memory of 1920	2040	cmd.exe	rundll32.exe
PID 1920 wrote to memory of 1148	1920	rundll32.exe	cmd.exe
PID 1920 wrote to memory of 1148	1920	rundll32.exe	cmd.exe
PID 1920 wrote to memory of 1148	1920	rundll32.exe	cmd.exe
PID 1148 wrote to memory of 1556	1148	cmd.exe	reg.exe
PID 1148 wrote to memory of 1556	1148	cmd.exe	reg.exe
PID 1148 wrote to memory of 1556	1148	cmd.exe	reg.exe
PID 1920 wrote to memory of 1772	1920	rundll32.exe	cmd.exe
PID 1920 wrote to memory of 1772	1920	rundll32.exe	cmd.exe
PID 1920 wrote to memory of 1772	1920	rundll32.exe	cmd.exe
PID 1772 wrote to memory of 1236	1772	cmd.exe	choice.exe
PID 1772 wrote to memory of 1236	1772	cmd.exe	choice.exe
PID 1772 wrote to memory of 1236	1772	cmd.exe	choice.exe
PID 1772 wrote to memory of 1972	1772	cmd.exe	rundll32.exe
PID 1772 wrote to memory of 1972	1772	cmd.exe	rundll32.exe
PID 1772 wrote to memory of 1972	1772	cmd.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\paraplanner.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\system32\cmd.exe
cmd /c ping 127.0.0.1 -n 7 -i 101 -4 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\paraplanner.dll", #1 wD6bUqfE kO5rG7fD & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 7 -i 101 -4 -w 1000
3⤵
- Runs ping.exe
PID:1332

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\paraplanner.dll", #1 wD6bUqfE kO5rG7fD
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v 0q0ci6sB1gW5cD8sS6T /t REG_SZ /d "\"C:\Windows\system32\rundll32.exe\" \"C:\Users\Admin\AppData\Local\Temp\paraplanner.dll\", #1 wD6bUqfE kH6FC7aq7 4d6pZ7tE2aItuW3"
4⤵
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\system32\reg.exe
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v 0q0ci6sB1gW5cD8sS6T /t REG_SZ /d "\"C:\Windows\system32\rundll32.exe\" \"C:\Users\Admin\AppData\Local\Temp\paraplanner.dll\", #1 wD6bUqfE kH6FC7aq7 4d6pZ7tE2aItuW3"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:1556

C:\Windows\system32\cmd.exe
cmd /c choice /c y /d y /t 7 & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\paraplanner.dll", #1 wD6bUqfE kH6FC7aq7 4d6pZ7tE2aItuW3 & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\choice.exe
choice /c y /d y /t 7
5⤵
PID:1236

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\paraplanner.dll", #1 wD6bUqfE kH6FC7aq7 4d6pZ7tE2aItuW3
5⤵
PID:1972

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/948-54-0x0000000180000000-0x0000000180020000-memory.dmp

Filesize
128KB

Download
memory/1148-67-0x0000000000000000-mapping.dmp

Download
memory/1236-70-0x0000000000000000-mapping.dmp

Download
memory/1332-60-0x0000000000000000-mapping.dmp

Download
memory/1556-68-0x0000000000000000-mapping.dmp

Download
memory/1772-69-0x0000000000000000-mapping.dmp

Download
memory/1920-61-0x0000000000000000-mapping.dmp

Download
memory/1972-71-0x0000000000000000-mapping.dmp

Download
memory/2040-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing