bazarloader | 0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301 | Triage

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
11-04-2022 03:14

Sharing

Report Analysis Logs

General

Target

images.exe
Size

290KB
MD5

e28ae2f26a165ab891248f17b064f2e7
SHA1

8ac67ed569b4675411c54ac05768eefff853854f
SHA256

0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301
SHA512

ba26ca25af0f1a5a5d4ec9c7fa1ba64e395d4c0a44b7803399df7dd50497addaa01ebf65d691c1f0a0a87462f0216aea60b9f4a6b3bffdc7c9743dc9e667c5b6

Score

10^/10

bazarloader dropper loader

Malware Config

Extracted

Family

bazarloader

C2

144.217.50.242

5.39.63.103

94.140.113.53

185.163.45.95

reddew28c.bazar

bluehail.bazar

whitestorm9p.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

images.execmd.exe

description	pid	process	target process
PID 4484 wrote to memory of 3244	4484	images.exe	cmd.exe
PID 4484 wrote to memory of 3244	4484	images.exe	cmd.exe
PID 3244 wrote to memory of 3496	3244	cmd.exe	choice.exe
PID 3244 wrote to memory of 3496	3244	cmd.exe	choice.exe
PID 3244 wrote to memory of 2640	3244	cmd.exe	images.exe
PID 3244 wrote to memory of 2640	3244	cmd.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\images.exe
"C:\Users\Admin\AppData\Local\Temp\images.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\SYSTEM32\cmd.exe
cmd /c choice /c y /d y /t 6 > NUL & start "" "C:\Users\Admin\AppData\Local\Temp\images.exe" ZF3bI6aD VI0rr2aG & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\system32\choice.exe
choice /c y /d y /t 6
3⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\images.exe
"C:\Users\Admin\AppData\Local\Temp\images.exe" ZF3bI6aD VI0rr2aG
3⤵
PID:2640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2640-127-0x0000000000000000-mapping.dmp

Download
memory/2640-128-0x00007FF486060000-0x00007FF48607F000-memory.dmp

Filesize
124KB

Download
memory/3244-125-0x0000000000000000-mapping.dmp

Download
memory/3496-126-0x0000000000000000-mapping.dmp

Download
memory/4484-124-0x00007FF41BD50000-0x00007FF41BD6F000-memory.dmp

Filesize
124KB

Download