bazarloader | 0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301

Analysis

max time kernel
287s
max time network
50s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-06-2022 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe
Size

290KB
MD5

e28ae2f26a165ab891248f17b064f2e7
SHA1

8ac67ed569b4675411c54ac05768eefff853854f
SHA256

0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301
SHA512

ba26ca25af0f1a5a5d4ec9c7fa1ba64e395d4c0a44b7803399df7dd50497addaa01ebf65d691c1f0a0a87462f0216aea60b9f4a6b3bffdc7c9743dc9e667c5b6

Score

10^/10

bazarloader dropper loader

Malware Config

Extracted

Family

bazarloader

144.217.50.242

5.39.63.103

94.140.113.53

185.163.45.95

reddew28c.bazar

bluehail.bazar

whitestorm9p.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1192 timeout.exe

pid	process
1192	timeout.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.execmd.exe

description	pid	process	target process
PID 872 wrote to memory of 988	872	0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe	cmd.exe
PID 872 wrote to memory of 988	872	0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe	cmd.exe
PID 872 wrote to memory of 988	872	0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe	cmd.exe
PID 988 wrote to memory of 1192	988	cmd.exe	timeout.exe
PID 988 wrote to memory of 1192	988	cmd.exe	timeout.exe
PID 988 wrote to memory of 1192	988	cmd.exe	timeout.exe
PID 988 wrote to memory of 772	988	cmd.exe	0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe
PID 988 wrote to memory of 772	988	cmd.exe	0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe
PID 988 wrote to memory of 772	988	cmd.exe	0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe

C:\Users\Admin\AppData\Local\Temp\0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe
"C:\Users\Admin\AppData\Local\Temp\0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\system32\cmd.exe
cmd /c timeout /t 6 /nobreak > NUL & start "" "C:\Users\Admin\AppData\Local\Temp\0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe" wD6bUqfE kO5rG7fD & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\system32\timeout.exe
timeout /t 6 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1192

C:\Users\Admin\AppData\Local\Temp\0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe
"C:\Users\Admin\AppData\Local\Temp\0b7eafb0e73e2bf0e0c6263824ffacbf4869f9121502264e5dc08d09183ae301.exe" wD6bUqfE kO5rG7fD
3⤵
PID:772

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/772-59-0x0000000000000000-mapping.dmp

Download
memory/772-60-0x000007FFFFF90000-0x000007FFFFFAF000-memory.dmp

Filesize
124KB

Download
memory/872-54-0x000007FFFFF90000-0x000007FFFFFAF000-memory.dmp

Filesize
124KB

Download
memory/872-55-0x000007FFFFF90000-0x000007FFFFFAF000-memory.dmp

Filesize
124KB

Download
memory/872-58-0x000007FFFFF90000-0x000007FFFFFAF000-memory.dmp

Filesize
124KB

Download
memory/988-56-0x0000000000000000-mapping.dmp

Download
memory/1192-57-0x0000000000000000-mapping.dmp

Download