bazarloader | 0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301

Analysis

max time kernel
138s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
01-06-2022 16:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

images.exe
Size

290KB
MD5

e28ae2f26a165ab891248f17b064f2e7
SHA1

8ac67ed569b4675411c54ac05768eefff853854f
SHA256

0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301
SHA512

ba26ca25af0f1a5a5d4ec9c7fa1ba64e395d4c0a44b7803399df7dd50497addaa01ebf65d691c1f0a0a87462f0216aea60b9f4a6b3bffdc7c9743dc9e667c5b6

Score

10^/10

bazarloader dropper loader

Malware Config

Extracted

Family

bazarloader

144.217.50.242

5.39.63.103

94.140.113.53

185.163.45.95

reddew28c.bazar

bluehail.bazar

whitestorm9p.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

220 PING.EXE

pid	process
220	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

images.execmd.exe

description	pid	process	target process
PID 4592 wrote to memory of 1500	4592	images.exe	cmd.exe
PID 4592 wrote to memory of 1500	4592	images.exe	cmd.exe
PID 1500 wrote to memory of 220	1500	cmd.exe	PING.EXE
PID 1500 wrote to memory of 220	1500	cmd.exe	PING.EXE
PID 1500 wrote to memory of 3588	1500	cmd.exe	images.exe
PID 1500 wrote to memory of 3588	1500	cmd.exe	images.exe

C:\Users\Admin\AppData\Local\Temp\images.exe
"C:\Users\Admin\AppData\Local\Temp\images.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4592

C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 127.0.0.1 -n 10 -w 1000 & start "" "C:\Users\Admin\AppData\Local\Temp\images.exe" ZF3bI6aD VI0rr2aG & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10 -w 1000
3⤵
- Runs ping.exe
PID:220

C:\Users\Admin\AppData\Local\Temp\images.exe
"C:\Users\Admin\AppData\Local\Temp\images.exe" ZF3bI6aD VI0rr2aG
3⤵
PID:3588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/220-132-0x0000000000000000-mapping.dmp

Download
memory/1500-131-0x0000000000000000-mapping.dmp

Download
memory/3588-134-0x0000000000000000-mapping.dmp

Download
memory/3588-135-0x00007FF485EF0000-0x00007FF485F0F000-memory.dmp

Filesize
124KB

Download
memory/4592-130-0x00007FF4DAC50000-0x00007FF4DAC6F000-memory.dmp

Filesize
124KB

Download
memory/4592-133-0x00007FF4DAC50000-0x00007FF4DAC6F000-memory.dmp

Filesize
124KB

Download