bazarloader | d21d616f6052e8b62292fcc6d9fd9ee2a3b549c59ca76aa8ef5a96cd163512ac

General

Target

youtube.dll
Size

214KB
MD5

9a4ef0169f86641aa99017049de272f5
SHA1

82e1a3868eff88753fe30abedf7c83620aaddd13
SHA256

d21d616f6052e8b62292fcc6d9fd9ee2a3b549c59ca76aa8ef5a96cd163512ac
SHA512

9b9bff3e64ee7f060679b3ff8704b8f89057748906198c674e7ebec7a51e33023af119997877790837389905090d57559eadc49811f53973b7ed91f3552c9e84

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Extracted

Family

bazarloader

C2

148.163.42.213

5.255.102.10

188.127.235.177

23.160.193.221

reddew28c.bazar

bluehail.bazar

whitestorm9p.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ew5cE3XM7fa6er4oU6h = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\youtube.dll\", #1 ZF3bI6aD VB1Fv2fD4 Ab8pVgqv0yV7sg6"	reg.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3540 timeout.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1928 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1508 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

1976 rundll32.exe
1976 rundll32.exe

pid	process
3540	timeout.exe

pid	process
1928	reg.exe

pid	process
1508	PING.EXE

pid	process
1976	rundll32.exe
1976	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.execmd.exerundll32.execmd.execmd.exe

description	pid	process	target process
PID 3340 wrote to memory of 1984	3340	rundll32.exe	cmd.exe
PID 3340 wrote to memory of 1984	3340	rundll32.exe	cmd.exe
PID 1984 wrote to memory of 3540	1984	cmd.exe	timeout.exe
PID 1984 wrote to memory of 3540	1984	cmd.exe	timeout.exe
PID 1984 wrote to memory of 1976	1984	cmd.exe	rundll32.exe
PID 1984 wrote to memory of 1976	1984	cmd.exe	rundll32.exe
PID 1976 wrote to memory of 2572	1976	rundll32.exe	cmd.exe
PID 1976 wrote to memory of 2572	1976	rundll32.exe	cmd.exe
PID 2572 wrote to memory of 1928	2572	cmd.exe	reg.exe
PID 2572 wrote to memory of 1928	2572	cmd.exe	reg.exe
PID 1976 wrote to memory of 3572	1976	rundll32.exe	cmd.exe
PID 1976 wrote to memory of 3572	1976	rundll32.exe	cmd.exe
PID 3572 wrote to memory of 1508	3572	cmd.exe	PING.EXE
PID 3572 wrote to memory of 1508	3572	cmd.exe	PING.EXE

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\youtube.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3340

C:\Windows\system32\cmd.exe
cmd /c timeout /t 6 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\youtube.dll", #1 ZF3bI6aD VI0rr2aG & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\system32\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:3540

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\youtube.dll", #1 ZF3bI6aD VI0rr2aG
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v Ew5cE3XM7fa6er4oU6h /t REG_SZ /d "\"C:\Windows\system32\rundll32.exe\" \"C:\Users\Admin\AppData\Local\Temp\youtube.dll\", #1 ZF3bI6aD VB1Fv2fD4 Ab8pVgqv0yV7sg6"
4⤵
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\system32\reg.exe
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v Ew5cE3XM7fa6er4oU6h /t REG_SZ /d "\"C:\Windows\system32\rundll32.exe\" \"C:\Users\Admin\AppData\Local\Temp\youtube.dll\", #1 ZF3bI6aD VB1Fv2fD4 Ab8pVgqv0yV7sg6"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:1928

C:\Windows\system32\cmd.exe
cmd /c ping 192.0.2.241 -n 10 -i 123 -w 1000 & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\youtube.dll", #1 ZF3bI6aD VB1Fv2fD4 Ab8pVgqv0yV7sg6 & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\system32\PING.EXE
ping 192.0.2.241 -n 10 -i 123 -w 1000
5⤵
- Runs ping.exe
PID:1508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-132-0x0000000000000000-mapping.dmp

Download
memory/1928-130-0x0000000000000000-mapping.dmp

Download
memory/1976-127-0x0000000000000000-mapping.dmp

Download
memory/1976-128-0x000002CA56150000-0x000002CA56170000-memory.dmp

Filesize
128KB

Download
memory/1984-125-0x0000000000000000-mapping.dmp

Download
memory/2572-129-0x0000000000000000-mapping.dmp

Download
memory/3340-124-0x00000203B9980000-0x00000203B99A0000-memory.dmp

Filesize
128KB

Download
memory/3540-126-0x0000000000000000-mapping.dmp

Download
memory/3572-131-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing