bazarloader | 63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

General

Target

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
Size

517KB
MD5

743d977bc5f5fdfe91819c3b9490933c
SHA1

03142bb3481ba4d7ef874f98b1f7af21be4398db
SHA256

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7
SHA512

dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Extracted

Family

bazarloader

C2

195.123.241.204

89.32.41.191

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1828-54-0x0000000001BC0000-0x0000000001C0A000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1828-58-0x0000000001C10000-0x0000000001C57000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1828-63-0x0000000000220000-0x0000000000268000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1776-71-0x0000000001FE0000-0x0000000002027000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1608-86-0x0000000002030000-0x0000000002077000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1000-100-0x0000000001F70000-0x0000000001FB7000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

QSZ8161.exeQSZ8161.exe

pid process

1608 QSZ8161.exe
1000 QSZ8161.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.execmd.exe

pid process

1008 cmd.exe
1948 cmd.exe

pid	process
1608	QSZ8161.exe
1000	QSZ8161.exe

pid	process
1008	cmd.exe
1948	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

QSZ8161.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\YAXELDOB = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v KT7FH3YXCRB /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\QSZ8161.exe\\\" KRTV5G\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QSZ8161.exe\" KRTV5G"	QSZ8161.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

676 PING.EXE
2036 PING.EXE
864 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe

pid process

1828 63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe

pid	process
676	PING.EXE
2036	PING.EXE
864	PING.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exeQSZ8161.exeQSZ8161.exe

pid	process
1828	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
1776	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
1608	QSZ8161.exe
1000	QSZ8161.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exe63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exeQSZ8161.execmd.exe

description	pid	process	target process
PID 1828 wrote to memory of 1420	1828	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 1828 wrote to memory of 1420	1828	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 1828 wrote to memory of 1420	1828	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 1420 wrote to memory of 2036	1420	cmd.exe	PING.EXE
PID 1420 wrote to memory of 2036	1420	cmd.exe	PING.EXE
PID 1420 wrote to memory of 2036	1420	cmd.exe	PING.EXE
PID 1420 wrote to memory of 1776	1420	cmd.exe	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
PID 1420 wrote to memory of 1776	1420	cmd.exe	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
PID 1420 wrote to memory of 1776	1420	cmd.exe	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
PID 1776 wrote to memory of 1008	1776	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 1776 wrote to memory of 1008	1776	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 1776 wrote to memory of 1008	1776	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 1008 wrote to memory of 864	1008	cmd.exe	PING.EXE
PID 1008 wrote to memory of 864	1008	cmd.exe	PING.EXE
PID 1008 wrote to memory of 864	1008	cmd.exe	PING.EXE
PID 1008 wrote to memory of 1608	1008	cmd.exe	QSZ8161.exe
PID 1008 wrote to memory of 1608	1008	cmd.exe	QSZ8161.exe
PID 1008 wrote to memory of 1608	1008	cmd.exe	QSZ8161.exe
PID 1608 wrote to memory of 1948	1608	QSZ8161.exe	cmd.exe
PID 1608 wrote to memory of 1948	1608	QSZ8161.exe	cmd.exe
PID 1608 wrote to memory of 1948	1608	QSZ8161.exe	cmd.exe
PID 1948 wrote to memory of 676	1948	cmd.exe	PING.EXE
PID 1948 wrote to memory of 676	1948	cmd.exe	PING.EXE
PID 1948 wrote to memory of 676	1948	cmd.exe	PING.EXE
PID 1948 wrote to memory of 1000	1948	cmd.exe	QSZ8161.exe
PID 1948 wrote to memory of 1000	1948	cmd.exe	QSZ8161.exe
PID 1948 wrote to memory of 1000	1948	cmd.exe	QSZ8161.exe

C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
"C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe G3TU
2⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:2036

C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe G3TU
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe U2OGF
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:864

C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe
C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe U2OGF
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe KRTV5G
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:676

C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe
C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe KRTV5G
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1000

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe
Filesize
517KB

MD5
743d977bc5f5fdfe91819c3b9490933c

SHA1
03142bb3481ba4d7ef874f98b1f7af21be4398db

SHA256
63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

SHA512
dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe
Filesize
517KB

MD5
743d977bc5f5fdfe91819c3b9490933c

SHA1
03142bb3481ba4d7ef874f98b1f7af21be4398db

SHA256
63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

SHA512
dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSZ8161.exe
Filesize
517KB

MD5
743d977bc5f5fdfe91819c3b9490933c

SHA1
03142bb3481ba4d7ef874f98b1f7af21be4398db

SHA256
63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

SHA512
dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Download Submit
\Users\Admin\AppData\Local\Temp\QSZ8161.exe
Filesize
517KB

MD5
743d977bc5f5fdfe91819c3b9490933c

SHA1
03142bb3481ba4d7ef874f98b1f7af21be4398db

SHA256
63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

SHA512
dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Download Submit
\Users\Admin\AppData\Local\Temp\QSZ8161.exe
Filesize
517KB

MD5
743d977bc5f5fdfe91819c3b9490933c

SHA1
03142bb3481ba4d7ef874f98b1f7af21be4398db

SHA256
63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

SHA512
dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Download Submit
memory/676-92-0x0000000000000000-mapping.dmp

Download
memory/864-77-0x0000000000000000-mapping.dmp

Download
memory/1000-100-0x0000000001F70000-0x0000000001FB7000-memory.dmp

Filesize
284KB

Download
memory/1000-94-0x0000000000000000-mapping.dmp

Download
memory/1008-76-0x0000000000000000-mapping.dmp

Download
memory/1420-64-0x0000000000000000-mapping.dmp

Download
memory/1608-86-0x0000000002030000-0x0000000002077000-memory.dmp

Filesize
284KB

Download
memory/1608-79-0x0000000000000000-mapping.dmp

Download
memory/1776-66-0x0000000000000000-mapping.dmp

Download
memory/1776-71-0x0000000001FE0000-0x0000000002027000-memory.dmp

Filesize
284KB

Download
memory/1828-54-0x0000000001BC0000-0x0000000001C0A000-memory.dmp

Filesize
296KB

Download
memory/1828-63-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1828-58-0x0000000001C10000-0x0000000001C57000-memory.dmp

Filesize
284KB

Download
memory/1948-91-0x0000000000000000-mapping.dmp

Download
memory/2036-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads