bazarloader | b51cb6fa584a073fe95bcf8749cf84363cb431f520a5d97cec92aae88329b7cb

General

Target

fileman.dll
Size

213KB
MD5

6f3be0dfe6b5971b16464b7924772445
SHA1

8af5e975c00f5bdbd843f644a60adbb5f8da8a0d
SHA256

b51cb6fa584a073fe95bcf8749cf84363cb431f520a5d97cec92aae88329b7cb
SHA512

a1a8d49ec7610c37284a2e9f7409f1f93343c7d9c676985b9a3759388835880e7e376451e89294654cb4fc0f6c6386876896da50347c8bc4a98b80b1825cd5ef

Score

10^/10

bazarloader dropper loader persistence

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ew5cE3XM7fa6er4oU6h = "\"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\fileman.dll\", #1 ZF3bI6aD VB1Fv2fD4 Ab8pVgqv0yV7sg6"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1952 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3444 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

4912 rundll32.exe
4912 rundll32.exe

pid	process
1952	reg.exe

pid	process
3444	PING.EXE

pid	process
4912	rundll32.exe
4912	rundll32.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

rundll32.execmd.exerundll32.execmd.execmd.exe

description	pid	process	target process
PID 2628 wrote to memory of 4228	2628	rundll32.exe	cmd.exe
PID 2628 wrote to memory of 4228	2628	rundll32.exe	cmd.exe
PID 4228 wrote to memory of 3444	4228	cmd.exe	PING.EXE
PID 4228 wrote to memory of 3444	4228	cmd.exe	PING.EXE
PID 4228 wrote to memory of 4912	4228	cmd.exe	rundll32.exe
PID 4228 wrote to memory of 4912	4228	cmd.exe	rundll32.exe
PID 4912 wrote to memory of 888	4912	rundll32.exe	cmd.exe
PID 4912 wrote to memory of 888	4912	rundll32.exe	cmd.exe
PID 888 wrote to memory of 1952	888	cmd.exe	reg.exe
PID 888 wrote to memory of 1952	888	cmd.exe	reg.exe
PID 4912 wrote to memory of 2016	4912	rundll32.exe	cmd.exe
PID 4912 wrote to memory of 2016	4912	rundll32.exe	cmd.exe
PID 2016 wrote to memory of 2160	2016	cmd.exe	choice.exe
PID 2016 wrote to memory of 2160	2016	cmd.exe	choice.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fileman.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\system32\cmd.exe
cmd /c ping 127.0.0.1 -n 10 -4 -w 1000 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\fileman.dll", #1 ZF3bI6aD VI0rr2aG & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10 -4 -w 1000
3⤵
- Runs ping.exe
PID:3444

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\fileman.dll", #1 ZF3bI6aD VI0rr2aG
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\system32\cmd.exe
cmd.exe /c reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v Ew5cE3XM7fa6er4oU6h /t REG_SZ /d "\"C:\Windows\system32\rundll32.exe\" \"C:\Users\Admin\AppData\Local\Temp\fileman.dll\", #1 ZF3bI6aD VB1Fv2fD4 Ab8pVgqv0yV7sg6"
4⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\system32\reg.exe
reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v Ew5cE3XM7fa6er4oU6h /t REG_SZ /d "\"C:\Windows\system32\rundll32.exe\" \"C:\Users\Admin\AppData\Local\Temp\fileman.dll\", #1 ZF3bI6aD VB1Fv2fD4 Ab8pVgqv0yV7sg6"
5⤵
- Adds Run key to start application
- Modifies registry key
PID:1952

C:\Windows\system32\cmd.exe
cmd /c choice /c y /d y /t 8 & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\fileman.dll", #1 ZF3bI6aD VB1Fv2fD4 Ab8pVgqv0yV7sg6 & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\choice.exe
choice /c y /d y /t 8
5⤵
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/888-135-0x0000000000000000-mapping.dmp

Download
memory/1952-136-0x0000000000000000-mapping.dmp

Download
memory/2016-137-0x0000000000000000-mapping.dmp

Download
memory/2160-138-0x0000000000000000-mapping.dmp

Download
memory/2628-130-0x0000024CA92B0000-0x0000024CA92D0000-memory.dmp

Filesize
128KB

Download
memory/3444-132-0x0000000000000000-mapping.dmp

Download
memory/4228-131-0x0000000000000000-mapping.dmp

Download
memory/4912-133-0x0000000000000000-mapping.dmp

Download
memory/4912-134-0x000002AAA9D50000-0x000002AAA9D70000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing