bazarloader | 1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb

General

Target

1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
Size

550KB
MD5

aa569a58ad06c7cbdb4587f0915bee26
SHA1

9eea511d098b34a284508f45e69e3fe67fd74f8d
SHA256

1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb
SHA512

4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1156-54-0x0000000001CC0000-0x0000000001D04000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1156-58-0x0000000001F00000-0x0000000001F41000-memory.dmp	BazarLoaderVar1
behavioral1/memory/1156-63-0x0000000001C70000-0x0000000001CB1000-memory.dmp	BazarLoaderVar1
behavioral1/memory/592-71-0x0000000001E50000-0x0000000001E91000-memory.dmp	BazarLoaderVar1
behavioral1/memory/276-86-0x0000000002000000-0x0000000002041000-memory.dmp	BazarLoaderVar1
behavioral1/memory/992-100-0x0000000001C60000-0x0000000001CA1000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

TAFC553.exeTAFC553.exe

pid process

276 TAFC553.exe
992 TAFC553.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.execmd.exe

pid process

640 cmd.exe
1248 cmd.exe

pid	process
276	TAFC553.exe
992	TAFC553.exe

pid	process
640	cmd.exe
1248	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TAFC553.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\QAJ9JCNB = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v TTV616PH9MI /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\TAFC553.exe\\\" TXBLBH\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\TAFC553.exe\" TXBLBH"	TAFC553.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

1540 PING.EXE
1648 PING.EXE
1880 PING.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe

pid process

1156 1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe

pid	process
1540	PING.EXE
1648	PING.EXE
1880	PING.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exeTAFC553.exeTAFC553.exe

pid	process
1156	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
592	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
276	TAFC553.exe
992	TAFC553.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.execmd.exe1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.execmd.exeTAFC553.execmd.exe

description	pid	process	target process
PID 1156 wrote to memory of 1608	1156	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe	cmd.exe
PID 1156 wrote to memory of 1608	1156	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe	cmd.exe
PID 1156 wrote to memory of 1608	1156	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe	cmd.exe
PID 1608 wrote to memory of 1540	1608	cmd.exe	PING.EXE
PID 1608 wrote to memory of 1540	1608	cmd.exe	PING.EXE
PID 1608 wrote to memory of 1540	1608	cmd.exe	PING.EXE
PID 1608 wrote to memory of 592	1608	cmd.exe	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
PID 1608 wrote to memory of 592	1608	cmd.exe	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
PID 1608 wrote to memory of 592	1608	cmd.exe	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
PID 592 wrote to memory of 640	592	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe	cmd.exe
PID 592 wrote to memory of 640	592	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe	cmd.exe
PID 592 wrote to memory of 640	592	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe	cmd.exe
PID 640 wrote to memory of 1648	640	cmd.exe	PING.EXE
PID 640 wrote to memory of 1648	640	cmd.exe	PING.EXE
PID 640 wrote to memory of 1648	640	cmd.exe	PING.EXE
PID 640 wrote to memory of 276	640	cmd.exe	TAFC553.exe
PID 640 wrote to memory of 276	640	cmd.exe	TAFC553.exe
PID 640 wrote to memory of 276	640	cmd.exe	TAFC553.exe
PID 276 wrote to memory of 1248	276	TAFC553.exe	cmd.exe
PID 276 wrote to memory of 1248	276	TAFC553.exe	cmd.exe
PID 276 wrote to memory of 1248	276	TAFC553.exe	cmd.exe
PID 1248 wrote to memory of 1880	1248	cmd.exe	PING.EXE
PID 1248 wrote to memory of 1880	1248	cmd.exe	PING.EXE
PID 1248 wrote to memory of 1880	1248	cmd.exe	PING.EXE
PID 1248 wrote to memory of 992	1248	cmd.exe	TAFC553.exe
PID 1248 wrote to memory of 992	1248	cmd.exe	TAFC553.exe
PID 1248 wrote to memory of 992	1248	cmd.exe	TAFC553.exe

C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
"C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe W3HW
2⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:1540

C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe W3HW
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\TAFC553.exe AYJX8
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:1648

C:\Users\Admin\AppData\Local\Temp\TAFC553.exe
C:\Users\Admin\AppData\Local\Temp\TAFC553.exe AYJX8
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\TAFC553.exe TXBLBH
6⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\TAFC553.exe
C:\Users\Admin\AppData\Local\Temp\TAFC553.exe TXBLBH
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:992

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
1⤵
- Runs ping.exe
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TAFC553.exe
Filesize
550KB

MD5
aa569a58ad06c7cbdb4587f0915bee26

SHA1
9eea511d098b34a284508f45e69e3fe67fd74f8d

SHA256
1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb

SHA512
4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAFC553.exe
Filesize
550KB

MD5
aa569a58ad06c7cbdb4587f0915bee26

SHA1
9eea511d098b34a284508f45e69e3fe67fd74f8d

SHA256
1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb

SHA512
4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337

Download Submit
C:\Users\Admin\AppData\Local\Temp\TAFC553.exe
Filesize
550KB

MD5
aa569a58ad06c7cbdb4587f0915bee26

SHA1
9eea511d098b34a284508f45e69e3fe67fd74f8d

SHA256
1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb

SHA512
4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337

Download Submit
\Users\Admin\AppData\Local\Temp\TAFC553.exe
Filesize
550KB

MD5
aa569a58ad06c7cbdb4587f0915bee26

SHA1
9eea511d098b34a284508f45e69e3fe67fd74f8d

SHA256
1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb

SHA512
4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337

Download Submit
\Users\Admin\AppData\Local\Temp\TAFC553.exe
Filesize
550KB

MD5
aa569a58ad06c7cbdb4587f0915bee26

SHA1
9eea511d098b34a284508f45e69e3fe67fd74f8d

SHA256
1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb

SHA512
4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337

Download Submit
memory/276-79-0x0000000000000000-mapping.dmp

Download
memory/276-86-0x0000000002000000-0x0000000002041000-memory.dmp

Filesize
260KB

Download
memory/592-71-0x0000000001E50000-0x0000000001E91000-memory.dmp

Filesize
260KB

Download
memory/592-66-0x0000000000000000-mapping.dmp

Download
memory/640-76-0x0000000000000000-mapping.dmp

Download
memory/992-100-0x0000000001C60000-0x0000000001CA1000-memory.dmp

Filesize
260KB

Download
memory/992-94-0x0000000000000000-mapping.dmp

Download
memory/1156-54-0x0000000001CC0000-0x0000000001D04000-memory.dmp

Filesize
272KB

Download
memory/1156-63-0x0000000001C70000-0x0000000001CB1000-memory.dmp

Filesize
260KB

Download
memory/1156-58-0x0000000001F00000-0x0000000001F41000-memory.dmp

Filesize
260KB

Download
memory/1248-91-0x0000000000000000-mapping.dmp

Download
memory/1540-65-0x0000000000000000-mapping.dmp

Download
memory/1608-64-0x0000000000000000-mapping.dmp

Download
memory/1648-77-0x0000000000000000-mapping.dmp

Download
memory/1880-92-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads