bazarloader | 1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb

General

Target

1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
Size

550KB
MD5

aa569a58ad06c7cbdb4587f0915bee26
SHA1

9eea511d098b34a284508f45e69e3fe67fd74f8d
SHA256

1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb
SHA512

4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4176-130-0x0000000002170000-0x00000000021B4000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4176-134-0x00000000021C0000-0x0000000002201000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4176-139-0x0000000002100000-0x0000000002141000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4716-147-0x00000000021B0000-0x00000000021F1000-memory.dmp	BazarLoaderVar1
behavioral2/memory/3104-161-0x00000000021D0000-0x0000000002211000-memory.dmp	BazarLoaderVar1
behavioral2/memory/4464-174-0x0000000002100000-0x0000000002141000-memory.dmp	BazarLoaderVar1

Executes dropped EXE 2 IoCs

Processes:

WJS6F83.exeWJS6F83.exe

pid process

3104 WJS6F83.exe
4464 WJS6F83.exe
Tries to connect to .bazar domain 6 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow ioc

127 dcegjldjggjp.bazar
128 dcegjldjggjp.bazar
129 dcegjldjggjp.bazar
130 dcegjldjggjp.bazar
131 dcegjldjggjp.bazar
132 dcegjldjggjp.bazar

pid	process
3104	WJS6F83.exe
4464	WJS6F83.exe

flow	ioc
127	dcegjldjggjp.bazar
128	dcegjldjggjp.bazar
129	dcegjldjggjp.bazar
130	dcegjldjggjp.bazar
131	dcegjldjggjp.bazar
132	dcegjldjggjp.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	176.126.70.119
Destination IP	92.222.97.145
Destination IP	158.69.160.164
Destination IP	5.135.183.146
Destination IP	147.135.185.78
Destination IP	111.67.20.8
Destination IP	192.52.166.110
Destination IP	35.196.105.24
Destination IP	91.217.137.37
Destination IP	185.121.177.177
Destination IP	45.71.112.70
Destination IP	138.197.25.214
Destination IP	5.45.97.127
Destination IP	45.63.124.65
Destination IP	167.99.153.82
Destination IP	193.183.98.66
Destination IP	198.251.90.143
Destination IP	185.208.208.141
Destination IP	217.12.210.54
Destination IP	193.183.98.66
Destination IP	46.101.70.183
Destination IP	63.231.92.27
Destination IP	45.32.160.206
Destination IP	104.37.195.178
Destination IP	82.196.9.45
Destination IP	91.217.137.37
Destination IP	158.69.239.167
Destination IP	185.164.136.225
Destination IP	172.98.193.42
Destination IP	162.248.241.94
Destination IP	91.217.137.37
Destination IP	169.239.202.202
Destination IP	82.141.39.32
Destination IP	142.4.205.47
Destination IP	46.28.207.199
Destination IP	87.98.175.85
Destination IP	159.89.249.249
Destination IP	89.35.39.64
Destination IP	178.17.170.179
Destination IP	163.172.185.51
Destination IP	144.76.133.38
Destination IP	5.132.191.104
Destination IP	89.18.27.167
Destination IP	51.254.25.115
Destination IP	31.171.251.118
Destination IP	193.183.98.66
Destination IP	94.177.171.127
Destination IP	87.98.175.85
Destination IP	77.73.68.161
Destination IP	142.4.204.111
Destination IP	139.59.23.241
Destination IP	128.52.130.209
Destination IP	185.121.177.177
Destination IP	51.254.25.115
Destination IP	163.53.248.170
Destination IP	192.99.85.244
Destination IP	50.3.82.215
Destination IP	130.255.78.223
Destination IP	185.117.154.144
Destination IP	96.47.228.108
Destination IP	172.104.136.243
Destination IP	188.165.200.156
Destination IP	51.255.211.146
Destination IP	104.238.186.189

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WJS6F83.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\WUIE1V3V9F = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v QMA4EB3J3 /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WJS6F83.exe\\\" YM7A\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WJS6F83.exe\" YM7A"	WJS6F83.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

4252 PING.EXE
3460 PING.EXE
2368 PING.EXE

pid	process
4252	PING.EXE
3460	PING.EXE
2368	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe

pid	process
4176	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
4176	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exeWJS6F83.exeWJS6F83.exe

pid	process
4176	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
4716	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
3104	WJS6F83.exe
4464	WJS6F83.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.execmd.exe1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.execmd.exeWJS6F83.execmd.exe

description	pid	process	target process
PID 4176 wrote to memory of 856	4176	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe	cmd.exe
PID 4176 wrote to memory of 856	4176	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe	cmd.exe
PID 856 wrote to memory of 4252	856	cmd.exe	PING.EXE
PID 856 wrote to memory of 4252	856	cmd.exe	PING.EXE
PID 856 wrote to memory of 4716	856	cmd.exe	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
PID 856 wrote to memory of 4716	856	cmd.exe	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
PID 4716 wrote to memory of 4824	4716	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe	cmd.exe
PID 4716 wrote to memory of 4824	4716	1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe	cmd.exe
PID 4824 wrote to memory of 3460	4824	cmd.exe	PING.EXE
PID 4824 wrote to memory of 3460	4824	cmd.exe	PING.EXE
PID 4824 wrote to memory of 3104	4824	cmd.exe	WJS6F83.exe
PID 4824 wrote to memory of 3104	4824	cmd.exe	WJS6F83.exe
PID 3104 wrote to memory of 4640	3104	WJS6F83.exe	cmd.exe
PID 3104 wrote to memory of 4640	3104	WJS6F83.exe	cmd.exe
PID 4640 wrote to memory of 2368	4640	cmd.exe	PING.EXE
PID 4640 wrote to memory of 2368	4640	cmd.exe	PING.EXE
PID 4640 wrote to memory of 4464	4640	cmd.exe	WJS6F83.exe
PID 4640 wrote to memory of 4464	4640	cmd.exe	WJS6F83.exe

C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
"C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe WPRTAE
2⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
3⤵
- Runs ping.exe
PID:4252

C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe
C:\Users\Admin\AppData\Local\Temp\1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb.exe WPRTAE
3⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\WJS6F83.exe K3IO3WO
4⤵
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
5⤵
- Runs ping.exe
PID:3460

C:\Users\Admin\AppData\Local\Temp\WJS6F83.exe
C:\Users\Admin\AppData\Local\Temp\WJS6F83.exe K3IO3WO
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\WJS6F83.exe YM7A
6⤵
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
7⤵
- Runs ping.exe
PID:2368

C:\Users\Admin\AppData\Local\Temp\WJS6F83.exe
C:\Users\Admin\AppData\Local\Temp\WJS6F83.exe YM7A
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WJS6F83.exe
Filesize
550KB

MD5
aa569a58ad06c7cbdb4587f0915bee26

SHA1
9eea511d098b34a284508f45e69e3fe67fd74f8d

SHA256
1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb

SHA512
4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJS6F83.exe
Filesize
550KB

MD5
aa569a58ad06c7cbdb4587f0915bee26

SHA1
9eea511d098b34a284508f45e69e3fe67fd74f8d

SHA256
1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb

SHA512
4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337

Download Submit
C:\Users\Admin\AppData\Local\Temp\WJS6F83.exe
Filesize
550KB

MD5
aa569a58ad06c7cbdb4587f0915bee26

SHA1
9eea511d098b34a284508f45e69e3fe67fd74f8d

SHA256
1de56ea9fec1f6d75e012013c41abce271314aed95e48ac984902601dd0811cb

SHA512
4c481bca7e848fb4a9f7041d29b9cc19e4ea37dcac574522f80fac847de6c6f2849afd2835ee3ca20480ec5cb4e5bc3a55f864785ae9ec8d39f72bc5dee15337

Download Submit
memory/856-140-0x0000000000000000-mapping.dmp

Download
memory/2368-167-0x0000000000000000-mapping.dmp

Download
memory/3104-154-0x0000000000000000-mapping.dmp

Download
memory/3104-161-0x00000000021D0000-0x0000000002211000-memory.dmp

Filesize
260KB

Download
memory/3460-153-0x0000000000000000-mapping.dmp

Download
memory/4176-130-0x0000000002170000-0x00000000021B4000-memory.dmp

Filesize
272KB

Download
memory/4176-139-0x0000000002100000-0x0000000002141000-memory.dmp

Filesize
260KB

Download
memory/4176-134-0x00000000021C0000-0x0000000002201000-memory.dmp

Filesize
260KB

Download
memory/4252-141-0x0000000000000000-mapping.dmp

Download
memory/4464-168-0x0000000000000000-mapping.dmp

Download
memory/4464-174-0x0000000002100000-0x0000000002141000-memory.dmp

Filesize
260KB

Download
memory/4640-166-0x0000000000000000-mapping.dmp

Download
memory/4716-147-0x00000000021B0000-0x00000000021F1000-memory.dmp

Filesize
260KB

Download
memory/4716-142-0x0000000000000000-mapping.dmp

Download
memory/4824-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads