bazarloader | 63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

General

Target

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
Size

517KB
MD5

743d977bc5f5fdfe91819c3b9490933c
SHA1

03142bb3481ba4d7ef874f98b1f7af21be4398db
SHA256

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7
SHA512

dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Extracted

Family

bazarloader

C2

195.123.241.204

89.32.41.191

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3580-130-0x0000000002130000-0x000000000217A000-memory.dmp	BazarLoaderVar1
behavioral2/memory/3580-134-0x0000000002190000-0x00000000021D7000-memory.dmp	BazarLoaderVar1
behavioral2/memory/3580-139-0x0000000000500000-0x0000000000548000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4800-147-0x00000000021C0000-0x0000000002207000-memory.dmp	BazarLoaderVar1
behavioral2/memory/3680-174-0x0000000002170000-0x00000000021B7000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

GGH516C.exeGGH516C.exe

pid process

1992 GGH516C.exe
3680 GGH516C.exe

pid	process
1992	GGH516C.exe
3680	GGH516C.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GGH516C.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\M6BWVBCM8G = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v Q6SDKNFVE /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\GGH516C.exe\\\" OEZE\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\GGH516C.exe\" OEZE"	GGH516C.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

3980 PING.EXE
4340 PING.EXE
3484 PING.EXE

pid	process
3980	PING.EXE
4340	PING.EXE
3484	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe

pid	process
3580	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
3580	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exeGGH516C.exeGGH516C.exe

pid	process
3580	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
4800	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
1992	GGH516C.exe
3680	GGH516C.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exe63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.execmd.exeGGH516C.execmd.exe

description	pid	process	target process
PID 3580 wrote to memory of 4756	3580	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 3580 wrote to memory of 4756	3580	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 4756 wrote to memory of 3980	4756	cmd.exe	PING.EXE
PID 4756 wrote to memory of 3980	4756	cmd.exe	PING.EXE
PID 4756 wrote to memory of 4800	4756	cmd.exe	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
PID 4756 wrote to memory of 4800	4756	cmd.exe	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
PID 4800 wrote to memory of 3880	4800	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 4800 wrote to memory of 3880	4800	63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe	cmd.exe
PID 3880 wrote to memory of 4340	3880	cmd.exe	PING.EXE
PID 3880 wrote to memory of 4340	3880	cmd.exe	PING.EXE
PID 3880 wrote to memory of 1992	3880	cmd.exe	GGH516C.exe
PID 3880 wrote to memory of 1992	3880	cmd.exe	GGH516C.exe
PID 1992 wrote to memory of 4920	1992	GGH516C.exe	cmd.exe
PID 1992 wrote to memory of 4920	1992	GGH516C.exe	cmd.exe
PID 4920 wrote to memory of 3484	4920	cmd.exe	PING.EXE
PID 4920 wrote to memory of 3484	4920	cmd.exe	PING.EXE
PID 4920 wrote to memory of 3680	4920	cmd.exe	GGH516C.exe
PID 4920 wrote to memory of 3680	4920	cmd.exe	GGH516C.exe

C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
"C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe GPHG62
2⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:3980

C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe
C:\Users\Admin\AppData\Local\Temp\63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7.exe GPHG62
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4800

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\GGH516C.exe TV25O48
4⤵
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:4340

C:\Users\Admin\AppData\Local\Temp\GGH516C.exe
C:\Users\Admin\AppData\Local\Temp\GGH516C.exe TV25O48
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\GGH516C.exe OEZE
6⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:3484

C:\Users\Admin\AppData\Local\Temp\GGH516C.exe
C:\Users\Admin\AppData\Local\Temp\GGH516C.exe OEZE
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3680

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GGH516C.exe
Filesize
517KB

MD5
743d977bc5f5fdfe91819c3b9490933c

SHA1
03142bb3481ba4d7ef874f98b1f7af21be4398db

SHA256
63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

SHA512
dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGH516C.exe
Filesize
517KB

MD5
743d977bc5f5fdfe91819c3b9490933c

SHA1
03142bb3481ba4d7ef874f98b1f7af21be4398db

SHA256
63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

SHA512
dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GGH516C.exe
Filesize
517KB

MD5
743d977bc5f5fdfe91819c3b9490933c

SHA1
03142bb3481ba4d7ef874f98b1f7af21be4398db

SHA256
63c47ac180d0a7c38b005d69afed8758618f2ca023e0c1fd6cc15f5e2886a3c7

SHA512
dc2285a388808adfd516f31cc8e8402e66780c6d37df31e099172a3c3a2cb65b898deac8701c5add0cc96f360036b4ee8e4c82b2a42fd5fb45702292986ef14e

Download Submit
memory/1992-154-0x0000000000000000-mapping.dmp

Download
memory/3484-167-0x0000000000000000-mapping.dmp

Download
memory/3580-134-0x0000000002190000-0x00000000021D7000-memory.dmp

Filesize
284KB

Download
memory/3580-139-0x0000000000500000-0x0000000000548000-memory.dmp

Filesize
288KB

Download
memory/3580-130-0x0000000002130000-0x000000000217A000-memory.dmp

Filesize
296KB

Download
memory/3680-174-0x0000000002170000-0x00000000021B7000-memory.dmp

Filesize
284KB

Download
memory/3680-168-0x0000000000000000-mapping.dmp

Download
memory/3880-152-0x0000000000000000-mapping.dmp

Download
memory/3980-141-0x0000000000000000-mapping.dmp

Download
memory/4340-153-0x0000000000000000-mapping.dmp

Download
memory/4756-140-0x0000000000000000-mapping.dmp

Download
memory/4800-147-0x00000000021C0000-0x0000000002207000-memory.dmp

Filesize
284KB

Download
memory/4800-142-0x0000000000000000-mapping.dmp

Download
memory/4920-166-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads