bazarloader | 48d33f902d5d81182b60d6a3f1ccb88dde3538a4a07abf40617dc12e039fb7bd

Analysis

max time kernel
119s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
04-04-2022 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paraplanner.dll
Size

174KB
MD5

ef224d17c7b2d2887a238e037496ae83
SHA1

aece94262ddca2bf181f02c17ec93d35fc3aab91
SHA256

48d33f902d5d81182b60d6a3f1ccb88dde3538a4a07abf40617dc12e039fb7bd
SHA512

edb0d3a70da93f93b7255a674f6d630f50f125a689ee7225d85b44963b43ad7cbe10ee67ba81cfe83537c155aa8852443ffb69dba6d497751863a4917bca5a81

Score

10^/10

bazarloader dropper loader

Malware Config

Extracted

Family

bazarloader

144.217.50.242

5.39.63.103

94.140.113.53

185.163.45.95

reddew28c.bazar

bluehail.bazar

whitestorm9p.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2292 PING.EXE

pid	process
2292	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.execmd.exe

description	pid	process	target process
PID 4776 wrote to memory of 320	4776	rundll32.exe	cmd.exe
PID 4776 wrote to memory of 320	4776	rundll32.exe	cmd.exe
PID 320 wrote to memory of 2292	320	cmd.exe	PING.EXE
PID 320 wrote to memory of 2292	320	cmd.exe	PING.EXE
PID 320 wrote to memory of 2948	320	cmd.exe	rundll32.exe
PID 320 wrote to memory of 2948	320	cmd.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\paraplanner.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4776

C:\Windows\system32\cmd.exe
cmd /c ping 192.0.2.195 -n 10 -w 1000 & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\paraplanner.dll", #1 ZF3bI6aD VI0rr2aG & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\system32\PING.EXE
ping 192.0.2.195 -n 10 -w 1000
3⤵
- Runs ping.exe
PID:2292

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\paraplanner.dll", #1 ZF3bI6aD VI0rr2aG
3⤵
PID:2948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-129-0x0000000000000000-mapping.dmp

Download
memory/2292-130-0x0000000000000000-mapping.dmp

Download
memory/2948-131-0x0000000000000000-mapping.dmp

Download
memory/4776-124-0x0000000180000000-0x0000000180020000-memory.dmp

Filesize
128KB

Download