bazarloader | f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37

General

Target

f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
Size

76KB
MD5

5e13bc98285bd873d1053bbcee71f3f6
SHA1

1d3b3a616ceaeed0554ccbd99d9addca97592ab3
SHA256

f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37
SHA512

d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\CRV34E7.exe	BazarLoaderVar1
C:\Users\Admin\AppData\Local\Temp\CRV34E7.exe	BazarLoaderVar1
\Users\Admin\AppData\Local\Temp\CRV34E7.exe	BazarLoaderVar1
C:\Users\Admin\AppData\Local\Temp\CRV34E7.exe	BazarLoaderVar1
\Users\Admin\AppData\Local\Temp\CRV34E7.exe	BazarLoaderVar1
\Users\Admin\AppData\Local\Temp\CRV34E7.exe	BazarLoaderVar1
C:\Users\Admin\AppData\Local\Temp\CRV34E7.exe	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

CRV34E7.exeCRV34E7.exe

pid process

2044 CRV34E7.exe
1600 CRV34E7.exe
Loads dropped DLL 4 IoCs

Processes:

cmd.execmd.exe

pid process

936 cmd.exe
936 cmd.exe
696 cmd.exe
696 cmd.exe

pid	process
2044	CRV34E7.exe
1600	CRV34E7.exe

pid	process
936	cmd.exe
936	cmd.exe
696	cmd.exe
696	cmd.exe

Unexpected DNS network traffic destination 39 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	104.238.186.189
Destination IP	139.59.23.241
Destination IP	142.4.205.47
Destination IP	31.171.251.118
Destination IP	139.59.208.246
Destination IP	159.89.249.249
Destination IP	51.254.25.115
Destination IP	91.217.137.37
Destination IP	46.28.207.199
Destination IP	5.132.191.104
Destination IP	142.4.204.111
Destination IP	45.71.112.70
Destination IP	92.222.97.145
Destination IP	192.99.85.244
Destination IP	5.135.183.146
Destination IP	51.255.211.146
Destination IP	144.76.133.38
Destination IP	51.255.48.78
Destination IP	169.239.202.202
Destination IP	158.69.239.167
Destination IP	158.69.160.164
Destination IP	5.45.97.127
Destination IP	147.135.185.78
Destination IP	81.2.241.148
Destination IP	50.3.82.215
Destination IP	87.98.175.85
Destination IP	188.165.200.156
Destination IP	193.183.98.66
Destination IP	111.67.20.8
Destination IP	130.255.78.223
Destination IP	172.104.136.243
Destination IP	163.172.185.51
Destination IP	82.141.39.32
Destination IP	46.101.70.183
Destination IP	87.98.175.85
Destination IP	185.121.177.177
Destination IP	198.251.90.143
Destination IP	163.53.248.170
Destination IP	104.37.195.178

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

CRV34E7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\YQNI7GWU = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v E41YKIKYX5U /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\CRV34E7.exe\\\" AZNHE3\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\CRV34E7.exe\" AZNHE3"	CRV34E7.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

2012 PING.EXE
240 PING.EXE
1348 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe

pid process

1692 f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe

pid	process
2012	PING.EXE
240	PING.EXE
1348	PING.EXE

pid	process
1692	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.execmd.exef138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.execmd.exeCRV34E7.execmd.exe

description	pid	process	target process
PID 1692 wrote to memory of 1456	1692	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe	cmd.exe
PID 1692 wrote to memory of 1456	1692	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe	cmd.exe
PID 1692 wrote to memory of 1456	1692	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe	cmd.exe
PID 1456 wrote to memory of 1348	1456	cmd.exe	PING.EXE
PID 1456 wrote to memory of 1348	1456	cmd.exe	PING.EXE
PID 1456 wrote to memory of 1348	1456	cmd.exe	PING.EXE
PID 1456 wrote to memory of 1300	1456	cmd.exe	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
PID 1456 wrote to memory of 1300	1456	cmd.exe	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
PID 1456 wrote to memory of 1300	1456	cmd.exe	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
PID 1300 wrote to memory of 936	1300	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe	cmd.exe
PID 1300 wrote to memory of 936	1300	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe	cmd.exe
PID 1300 wrote to memory of 936	1300	f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe	cmd.exe
PID 936 wrote to memory of 2012	936	cmd.exe	PING.EXE
PID 936 wrote to memory of 2012	936	cmd.exe	PING.EXE
PID 936 wrote to memory of 2012	936	cmd.exe	PING.EXE
PID 936 wrote to memory of 2044	936	cmd.exe	CRV34E7.exe
PID 936 wrote to memory of 2044	936	cmd.exe	CRV34E7.exe
PID 936 wrote to memory of 2044	936	cmd.exe	CRV34E7.exe
PID 2044 wrote to memory of 696	2044	CRV34E7.exe	cmd.exe
PID 2044 wrote to memory of 696	2044	CRV34E7.exe	cmd.exe
PID 2044 wrote to memory of 696	2044	CRV34E7.exe	cmd.exe
PID 696 wrote to memory of 240	696	cmd.exe	PING.EXE
PID 696 wrote to memory of 240	696	cmd.exe	PING.EXE
PID 696 wrote to memory of 240	696	cmd.exe	PING.EXE
PID 696 wrote to memory of 1600	696	cmd.exe	CRV34E7.exe
PID 696 wrote to memory of 1600	696	cmd.exe	CRV34E7.exe
PID 696 wrote to memory of 1600	696	cmd.exe	CRV34E7.exe

C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
"C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe TK0I
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:1348

C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe
C:\Users\Admin\AppData\Local\Temp\f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37.exe TK0I
3⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\CRV34E7.exe CQG8Y
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:2012

C:\Users\Admin\AppData\Local\Temp\CRV34E7.exe
C:\Users\Admin\AppData\Local\Temp\CRV34E7.exe CQG8Y
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\CRV34E7.exe AZNHE3
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:696

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:240

C:\Users\Admin\AppData\Local\Temp\CRV34E7.exe
C:\Users\Admin\AppData\Local\Temp\CRV34E7.exe AZNHE3
7⤵
- Executes dropped EXE
PID:1600

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CRV34E7.exe
Filesize
76KB

MD5
5e13bc98285bd873d1053bbcee71f3f6

SHA1
1d3b3a616ceaeed0554ccbd99d9addca97592ab3

SHA256
f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37

SHA512
d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CRV34E7.exe
Filesize
76KB

MD5
5e13bc98285bd873d1053bbcee71f3f6

SHA1
1d3b3a616ceaeed0554ccbd99d9addca97592ab3

SHA256
f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37

SHA512
d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CRV34E7.exe
Filesize
76KB

MD5
5e13bc98285bd873d1053bbcee71f3f6

SHA1
1d3b3a616ceaeed0554ccbd99d9addca97592ab3

SHA256
f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37

SHA512
d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\CRV34E7.exe
Filesize
76KB

MD5
5e13bc98285bd873d1053bbcee71f3f6

SHA1
1d3b3a616ceaeed0554ccbd99d9addca97592ab3

SHA256
f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37

SHA512
d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a

Download Submit
\Users\Admin\AppData\Local\Temp\CRV34E7.exe
Filesize
76KB

MD5
5e13bc98285bd873d1053bbcee71f3f6

SHA1
1d3b3a616ceaeed0554ccbd99d9addca97592ab3

SHA256
f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37

SHA512
d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a

Download Submit
\Users\Admin\AppData\Local\Temp\CRV34E7.exe
Filesize
76KB

MD5
5e13bc98285bd873d1053bbcee71f3f6

SHA1
1d3b3a616ceaeed0554ccbd99d9addca97592ab3

SHA256
f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37

SHA512
d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a

Download Submit
\Users\Admin\AppData\Local\Temp\CRV34E7.exe
Filesize
76KB

MD5
5e13bc98285bd873d1053bbcee71f3f6

SHA1
1d3b3a616ceaeed0554ccbd99d9addca97592ab3

SHA256
f138e7c58f0c5fe76fafc30584c4b37a53961be93aa1e1fb611a9ee416eb6a37

SHA512
d9a12c762b053340d1dde88363694d80318c2d2f00492dcc7f0dd0fcee3a54c9324bae02fd282d6914dffcfb9a8aa40d2f0584af2eeaf4252f1e0ead460be04a

Download Submit
memory/240-66-0x0000000000000000-mapping.dmp

Download
memory/696-65-0x0000000000000000-mapping.dmp

Download
memory/936-57-0x0000000000000000-mapping.dmp

Download
memory/1300-56-0x0000000000000000-mapping.dmp

Download
memory/1348-55-0x0000000000000000-mapping.dmp

Download
memory/1456-54-0x0000000000000000-mapping.dmp

Download
memory/1600-69-0x0000000000000000-mapping.dmp

Download
memory/2012-58-0x0000000000000000-mapping.dmp

Download
memory/2044-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads