bazarloader | 28b313f8a09e2512039b0e5bbfb67af2aee9b461bac9e0a455dbd409b7b621e3

General

Target

28b313f8a09e2512039b0e5bbfb67af2aee9b461bac9e0a455dbd409b7b621e3.exe
Size

5.7MB
MD5

ba54c9285faa654d9071fa8d2b3a0a84
SHA1

cdb4676ba2cf3cc21c3d7db315552756b4966b45
SHA256

28b313f8a09e2512039b0e5bbfb67af2aee9b461bac9e0a455dbd409b7b621e3
SHA512

1e726e61fd552e8970c0cc66e13d519fdadb9b6becfdd67788cd131ec0172a174a67e9d9c43aad9f5563684a68b74d1f30aee69869abb6d95ae8a68d10b0ae6d

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/444-130-0x00000000001A0000-0x00000000001B9000-memory.dmp	BazarLoaderVar1
behavioral2/memory/444-134-0x0000000180000000-0x0000000180017000-memory.dmp	BazarLoaderVar1
behavioral2/memory/444-138-0x0000000000180000-0x0000000000196000-memory.dmp	BazarLoaderVar1

Tries to connect to .bazar domain 33 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
259	dcegjldjggjp.bazar
261	dcegjldjggjp.bazar
267	dcegjldjggjp.bazar
273	dcegjldjggjp.bazar
281	dcegjldjggjp.bazar
263	dcegjldjggjp.bazar
277	dcegjldjggjp.bazar
284	dcegjldjggjp.bazar
256	dcegjldjggjp.bazar
276	dcegjldjggjp.bazar
278	dcegjldjggjp.bazar
283	dcegjldjggjp.bazar
299	bdegjkbkggjo.bazar
260	dcegjldjggjp.bazar
280	dcegjldjggjp.bazar
308	ddehimdkghiq.bazar
262	dcegjldjggjp.bazar
265	dcegjldjggjp.bazar
282	dcegjldjggjp.bazar
285	dcegjldjggjp.bazar
253	dcegjldjggjp.bazar
254	dcegjldjggjp.bazar
255	dcegjldjggjp.bazar
270	dcegjldjggjp.bazar
274	dcegjldjggjp.bazar
279	dcegjldjggjp.bazar
258	dcegjldjggjp.bazar
266	dcegjldjggjp.bazar
268	dcegjldjggjp.bazar
271	dcegjldjggjp.bazar
257	dcegjldjggjp.bazar
264	dcegjldjggjp.bazar
286	dcegjldjggjp.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	146.185.176.36
Destination IP	212.24.98.54
Destination IP	50.3.82.215
Destination IP	66.70.211.246
Destination IP	51.254.25.115
Destination IP	198.251.90.143
Destination IP	130.255.78.223
Destination IP	45.63.124.65
Destination IP	91.217.137.37
Destination IP	87.98.175.85
Destination IP	104.238.186.189
Destination IP	87.98.175.85
Destination IP	142.4.205.47
Destination IP	142.4.205.47
Destination IP	87.98.175.85
Destination IP	63.231.92.27
Destination IP	82.141.39.32
Destination IP	192.52.166.110
Destination IP	128.52.130.209
Destination IP	81.2.241.148
Destination IP	142.4.204.111
Destination IP	158.69.160.164
Destination IP	212.24.98.54
Destination IP	163.53.248.170
Destination IP	139.59.23.241
Destination IP	31.171.251.118
Destination IP	81.2.241.148
Destination IP	51.254.25.115
Destination IP	5.132.191.104
Destination IP	142.4.204.111
Destination IP	217.12.210.54
Destination IP	94.177.171.127
Destination IP	139.99.96.146
Destination IP	87.98.175.85
Destination IP	193.183.98.66
Destination IP	77.73.68.161
Destination IP	176.126.70.119
Destination IP	169.239.202.202
Destination IP	142.4.204.111
Destination IP	144.76.133.38
Destination IP	163.172.185.51
Destination IP	139.99.96.146
Destination IP	162.248.241.94
Destination IP	138.197.25.214
Destination IP	144.76.133.38
Destination IP	89.18.27.167
Destination IP	163.53.248.170
Destination IP	185.164.136.225
Destination IP	139.59.23.241
Destination IP	45.32.160.206
Destination IP	158.69.160.164
Destination IP	96.47.228.108
Destination IP	51.255.48.78
Destination IP	87.98.175.85
Destination IP	5.135.183.146
Destination IP	111.67.20.8
Destination IP	35.196.105.24
Destination IP	111.67.20.8
Destination IP	158.69.239.167
Destination IP	91.217.137.37
Destination IP	91.217.137.37
Destination IP	142.4.205.47
Destination IP	198.251.90.143
Destination IP	188.165.200.156

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

28b313f8a09e2512039b0e5bbfb67af2aee9b461bac9e0a455dbd409b7b621e3.exe

pid	process
444	28b313f8a09e2512039b0e5bbfb67af2aee9b461bac9e0a455dbd409b7b621e3.exe
444	28b313f8a09e2512039b0e5bbfb67af2aee9b461bac9e0a455dbd409b7b621e3.exe

C:\Users\Admin\AppData\Local\Temp\28b313f8a09e2512039b0e5bbfb67af2aee9b461bac9e0a455dbd409b7b621e3.exe
"C:\Users\Admin\AppData\Local\Temp\28b313f8a09e2512039b0e5bbfb67af2aee9b461bac9e0a455dbd409b7b621e3.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/444-130-0x00000000001A0000-0x00000000001B9000-memory.dmp

Filesize
100KB

Download
memory/444-134-0x0000000180000000-0x0000000180017000-memory.dmp

Filesize
92KB

Download
memory/444-138-0x0000000000180000-0x0000000000196000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads