bazarloader | qbittorrent[.]exe

Resubmissions

03-03-2023 15:38

230303-s3j93ahf3s 10

Sharing

Copy URL

Twitter E-mail

General

Target

qbittorrent.exe
Size

28.3MB
MD5

cb03a80bc17d2d81fd34aab4341e89eb
SHA1

baf0f8686769ae47ed411e8432028057974a1611
SHA256

8e6af6cbd3765b8d8c1dd553354a0d4ff9f7fc2eb293704845af7e66a9ccdb0a
SHA512

f2bc0fefab5c22b9732f506ad47b93108779859f2ba7615c8e0522622cd2587cdb711225d603804f75a28932389b2877ab2f886facbbe5871cd55dc20256bcbe
SSDEEP

393216:keHUAF/9iRC0o+9xU+q7WndIFdU5cqyRZUSfruM4Jsv6tWKFdu9CCoR1:keHUwy9y9Wn+FK5cbfrVor

Score

10^/10

bazarloader

Malware Config

Signatures

Bazar/Team9 Loader payload 1 IoCs

resource	yara_rule
sample	BazarLoaderVar5

Bazarloader family
bazarloader

Files

qbittorrent.exe
.exe windows x64

7dc3762bf412e12afcfe9e5f5372513a

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

powrprof

SetSuspendState

wsock32

WSAGetLastError
htons
htonl
WSACleanup
bind
accept
__WSAFDIsSet
getpeername
ord1141
ord1142
WSAStartup
socket
WSASetLastError
ntohs
setsockopt
inet_ntoa
getsockopt
connect
WSAAsyncSelect
gethostname
closesocket
select
listen
ntohl
getsockname

ws2_32

WSAAccept
WSAHtonl
getaddrinfo
WSANtohl
freeaddrinfo
WSAStringToAddressW
WSAAddressToStringW
WSARecvFrom
WSANtohs
WSASocketW
WSASend
WSAConnect
getnameinfo
WSAIoctl
WSARecv
WSASendTo

iphlpapi

NotifyUnicastIpAddressChange
ConvertInterfaceLuidToGuid
ConvertInterfaceIndexToLuid
ConvertInterfaceNameToLuidW
CancelMibChangeNotify2
GetAdaptersAddresses
ConvertInterfaceLuidToNameW
ConvertInterfaceLuidToIndex

crypt32

CertGetCertificateContextProperty
CertFindCertificateInStore
CertEnumCertificatesInStore
CertFreeCertificateContext
CertOpenSystemStoreA
CertCloseStore
CertOpenStore
CertAddCertificateContextToStore
CertFreeCertificateChain
CertGetCertificateChain
CertOpenSystemStoreW
CertCreateCertificateContext
CertDuplicateCertificateContext

kernel32

FindNextFileW
WriteFile
DeviceIoControl
SetEndOfFile
FindClose
LoadLibraryA
GetOverlappedResult
SetFilePointerEx
CreateEventA
CreateWaitableTimerA
GetACP
CancelIoEx
CancelIo
GetModuleHandleA
GetSystemTimeAsFileTime
GlobalMemoryStatusEx
SystemTimeToFileTime
GetSystemTime
GetModuleHandleExW
DeleteFiber
SwitchToFiber
CreateFiber
GetStdHandle
GetEnvironmentVariableW
GetFileType
RtlVirtualUnwind
QueryPerformanceCounter
ConvertFiberToThread
ConvertThreadToFiber
FreeLibrary
SetConsoleMode
ReadConsoleA
GetConsoleMode
ReadConsoleW
DisconnectNamedPipe
WaitNamedPipeW
CreateNamedPipeW
ConnectNamedPipe
ResetEvent
GlobalFree
SetHandleInformation
AreFileApisANSI
TryEnterCriticalSection
HeapCreate
HeapFree
GetFullPathNameW
GetDiskFreeSpaceW
OutputDebugStringA
LockFile
SetFilePointer
GetFullPathNameA
UnlockFileEx
GetTempPathW
GetFileAttributesW
UnmapViewOfFile
HeapValidate
HeapSize
GetTempPathA
GetDiskFreeSpaceA
GetFileAttributesA
OutputDebugStringW
FlushViewOfFile
CreateFileA
WaitForSingleObjectEx
DeleteFileA
HeapReAlloc
GetSystemInfo
HeapAlloc
HeapCompact
HeapDestroy
UnlockFile
LockFileEx
GetFileSize
GetProcessHeap
CreateFileMappingW
MapViewOfFile
GetTickCount
FlushFileBuffers
CompareStringEx
GetNativeSystemInfo
FindFirstFileW
IsProcessorFeaturePresent
TerminateProcess
GetEnvironmentStringsW
FreeEnvironmentStringsW
DuplicateHandle
GetExitCodeProcess
GetProcessId
GetLocalTime
CreateThread
SwitchToThread
GetThreadPriority
ResumeThread
QueryPerformanceFrequency
GetTickCount64
GetUserDefaultLCID
GetCurrencyFormatW
GetDateFormatW
GetTimeFormatW
GetUserPreferredUILanguages
RegisterWaitForSingleObject
UnregisterWaitEx
ReadFileEx
PeekNamedPipe
WriteFileEx
GetModuleFileNameW
GetStartupInfoW
OpenFileMappingW
VirtualQuery
TzSpecificLocalTimeToSystemTime
GetVolumePathNamesForVolumeNameW
GetFileInformationByHandleEx
SetFileTime
SetErrorMode
GetLogicalDrives
GetCurrentDirectoryW
MoveFileW
MoveFileExW
FileTimeToSystemTime
FindFirstFileExW
FindFirstChangeNotificationW
FindCloseChangeNotification
FindNextChangeNotification
GetVolumeNameForVolumeMountPointW
GetDiskFreeSpaceExW
CompareStringW
LCMapStringW
CreateSemaphoreW
ReleaseSemaphore
GetTimeZoneInformation
GetUserGeoID
GetGeoInfoW
VirtualFree
VirtualAlloc
WriteConsoleW
ReadFile
CopyFileW
DeleteFileW
GetFileInformationByHandle
CreateFileW
CreateHardLinkW
RemoveDirectoryW
CreateDirectoryW
GetFileAttributesExW
CreateIoCompletionPort
SleepEx
QueueUserAPC
TerminateThread
SetEvent
CreateEventW
GetQueuedCompletionStatus
InitializeCriticalSectionAndSpinCount
SetLastError
VerifyVersionInfoA
TlsSetValue
InitializeSRWLock
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
SetEnvironmentVariableW
GetOEMCP
TryAcquireSRWLockExclusive
GetLocaleInfoEx
SetFileAttributesW
IsValidCodePage
EnumSystemLocalesW
IsValidLocale
SetWaitableTimer
TlsGetValue
PostQueuedCompletionStatus
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
ExitProcess
GetUserDefaultLangID
lstrcmpW
GlobalSize
CreateProcessW
ExpandEnvironmentStringsW
GlobalUnlock
GlobalLock
GlobalAlloc
GetLocaleInfoW
CheckRemoteDebuggerPresent
OpenProcess
WTSGetActiveConsoleSessionId
GetModuleHandleW
GetCurrentThreadId
GetLongPathNameW
GetVolumeInformationW
GetConsoleWindow
LocalAlloc
SetThreadExecutionState
VerifyVersionInfoW
VerSetConditionMask
GetSystemDirectoryW
GetVolumePathNameW
GetDriveTypeW
MultiByteToWideChar
RtlCaptureStackBackTrace
WaitForMultipleObjects
Sleep
OpenMutexW
CreateMutexW
WaitForSingleObject
ReleaseMutex
GetCurrentProcessId
WideCharToMultiByte
FormatMessageW
FormatMessageA
LocalFree
LoadLibraryW
GetProcAddress
TlsFree
TlsAlloc
SetThreadPriority
GetCurrentThread
GetCurrentProcess
GetLastError
CloseHandle
SetStdHandle
GetCommandLineA
SystemTimeToTzSpecificLocalTime
FreeLibraryAndExitThread
RtlPcToFileHeader
RaiseException
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableSRW
InitOnceBeginInitialize
InitOnceComplete
FreeLibraryWhenCallbackReturns
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
GetExitCodeThread
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
InitializeCriticalSectionEx
GetFileSizeEx
EncodePointer
DecodePointer
LCMapStringEx
GetStringTypeW
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
InitializeSListHead
RtlUnwindEx
RtlUnwind
LoadLibraryExW
SetConsoleCtrlHandler
GetConsoleOutputCP
ExitThread
GetCommandLineW

user32

GetCursor
GetCursorInfo
CreateCursor
LoadCursorW
SetCursorPos
GetClipboardFormatNameW
TrackMouseEvent
RegisterClipboardFormatW
GetMenuItemInfoW
ModifyMenuW
CreatePopupMenu
TrackPopupMenu
SetMenu
GetAsyncKeyState
GetMessageExtraInfo
GetTouchInputInfo
CloseTouchInputHandle
GetWindowTextW
EnumWindows
RealGetWindowClassW
ChangeWindowMessageFilterEx
GetProcessWindowStation
GetUserObjectInformationW
PostThreadMessageW
KillTimer
GetQueueStatus
SetTimer
RegisterClassW
MsgWaitForMultipleObjectsEx
TranslateMessage
DispatchMessageW
UnregisterDeviceNotification
RegisterDeviceNotificationW
EnumDisplayDevicesW
DestroyMenu
DrawMenuBar
InsertMenuW
RemoveMenu
AppendMenuW
CreateMenu
LoadIconW
GetKeyState
MapVirtualKeyW
GetKeyboardState
SetMenuItemInfoW
PeekMessageW
ToUnicode
TrackPopupMenuEx
IsZoomed
ToAscii
MonitorFromWindow
EnumDisplayMonitors
GetMonitorInfoW
HideCaret
SetCaretPos
CreateCaret
GetKeyboardLayout
IsWindowEnabled
DestroyCaret
ShowCaret
FindWindowA
SetClipboardViewer
IsHungAppWindow
ChangeClipboardChain
GetFocus
UnregisterClassW
ChildWindowFromPointEx
RegisterClassExW
WindowFromPoint
GetClassInfoW
GetKeyboardLayoutList
UnregisterPowerSettingNotification
RegisterPowerSettingNotification
GetSysColorBrush
LoadImageW
GetCursorPos
GetWindowLongW
GetWindowThreadProcessId
DefWindowProcW
AdjustWindowRectEx
IsTouchWindow
PostMessageW
MonitorFromPoint
GetWindow
GetWindowRect
GetMenu
DestroyWindow
IsWindowVisible
SetWindowPos
SetWindowLongPtrW
SetWindowRgn
CreateWindowExW
ScreenToClient
SendMessageW
SetWindowTextW
GetWindowLongPtrW
GetWindowPlacement
DestroyCursor
ShowWindow
GetCapture
RegisterTouchWindow
ClientToScreen
IsChild
SetWindowPlacement
AttachThreadInput
GetForegroundWindow
MoveWindow
UnregisterTouchWindow
SetLayeredWindowAttributes
SetFocus
GetUpdateRect
SetParent
SetCapture
SetCursor
FlashWindowEx
SetWindowLongW
GetClientRect
GetParent
ReleaseCapture
SetForegroundWindow
InvalidateRect
GetAncestor
IsIconic
BeginPaint
EndPaint
MessageBeep
IsWindow
GetDoubleClickTime
GetCaretBlinkTime
GetDesktopWindow
UpdateLayeredWindowIndirect
GetSystemMetrics
GetSysColor
EnableMenuItem
GetSystemMenu
SystemParametersInfoW
DrawIconEx
GetIconInfo
CreateIconIndirect
ReleaseDC
GetDC
MessageBoxW
RegisterWindowMessageW
DestroyIcon
AllowSetForegroundWindow
ShutdownBlockReasonDestroy
ShutdownBlockReasonCreate
CharNextExA
UpdateLayeredWindow

gdi32

CreateDIBSection
CreateBitmap
GetDIBits
GetRegionData
DeleteObject
ExtTextOutW
SetTextAlign
SetBkMode
SetTextColor
GetCharABCWidthsW
GetCharABCWidthsI
GetCharABCWidthsFloatW
GetGlyphOutlineW
SetWorldTransform
SetGraphicsMode
GetTextExtentPoint32W
GetOutlineTextMetricsW
GetTextFaceW
GetStockObject
RemoveFontResourceExW
AddFontResourceExW
GetTextMetricsW
RemoveFontMemResourceEx
AddFontMemResourceEx
EnumFontFamiliesExW
GetFontData
CreateFontIndirectW
GdiFlush
GetBitmapBits
CreateCompatibleBitmap
CreateDCW
GetDeviceCaps
SetLayout
OffsetRgn
SelectClipRgn
BitBlt
SelectObject
DeleteDC
CreateCompatibleDC
CreateRectRgn
CombineRgn
GetObjectW

shell32

SHGetKnownFolderPath
Shell_NotifyIconGetRect
Shell_NotifyIconW
SHCreateItemFromIDList
SHGetPathFromIDListW
SHGetKnownFolderIDList
SHBrowseForFolderW
SHGetMalloc
SHGetStockIconInfo
ord727
SHCreateItemFromParsingName
SHGetFileInfoW
ShellExecuteW
SHOpenFolderAndSelectItems
ord190
ord155
SHChangeNotify
CommandLineToArgvW

ole32

DoDragDrop
OleFlushClipboard
CoGetMalloc
CoGetApartmentType
OleIsCurrentClipboard
OleSetClipboard
OleInitialize
OleUninitialize
RevokeDragDrop
CoLockObjectExternal
RegisterDragDrop
CoInitialize
CoTaskMemFree
StringFromGUID2
CoCreateGuid
CoCreateInstance
CoInitializeEx
ReleaseStgMedium
CoUninitialize
OleGetClipboard
CoGetObjectContext

oleaut32

SafeArrayCreateVector
SafeArrayPutElement
SysFreeString
SysAllocString

advapi32

RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
RegCloseKey
InitiateSystemShutdownW
RegFlushKey
RegSetValueExW
RegDeleteValueW
RegDeleteKeyW
RegEnumValueW
RegCreateKeyExW
GetEffectiveRightsFromAclW
AccessCheck
MapGenericMask
LookupAccountSidW
GetNamedSecurityInfoW
DuplicateToken
BuildTrusteeWithSidW
CopySid
SystemFunction036
GetSidSubAuthorityCount
GetSidSubAuthority
RegNotifyChangeKeyValue
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
FreeSid
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
GetTokenInformation
InitializeSecurityDescriptor
CryptDestroyKey
CryptGetUserKey
CryptAcquireContextW
CryptEnumProvidersW
CryptDecrypt
CryptExportKey
CryptCreateHash
CryptSetHashParam
CryptDestroyHash
CryptSignHashW
CryptGetProvParam
CryptReleaseContext
DeregisterEventSource
RegisterEventSourceW
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken
ReportEventW
RegQueryValueExW

mpr

WNetGetUniversalNameW

userenv

GetUserProfileDirectoryW

version

VerQueryValueW
GetFileVersionInfoW
GetFileVersionInfoSizeW

netapi32

NetApiBufferFree
NetShareEnum

winmm

timeKillEvent
timeSetEvent
PlaySoundW

imm32

ImmGetVirtualKey
ImmNotifyIME
ImmAssociateContextEx
ImmSetCandidateWindow
ImmGetOpenStatus
ImmAssociateContext
ImmGetCompositionStringW
ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext
ImmGetDefaultIMEWnd

uxtheme

SetWindowTheme
IsThemeBackgroundPartiallyTransparent
GetCurrentThemeName
IsThemeActive
CloseThemeData
GetThemeBackgroundRegion
IsAppThemed
ord47
GetThemeMargins
GetThemeInt
OpenThemeData
GetThemeColor
GetThemePartSize
GetThemeEnumValue
GetThemeTransitionDuration
GetThemePropertyOrigin
GetThemeBool

dwmapi

DwmIsCompositionEnabled
DwmGetWindowAttribute
DwmEnableBlurBehindWindow
DwmSetWindowAttribute

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationW

dbgeng

DebugCreate

bcrypt

BCryptGenRandom

Sections

.text
Size: 15.6MB - Virtual size: 15.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11.0MB - Virtual size: 11.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 594KB - Virtual size: 701KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 589KB - Virtual size: 589KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.qtmetad
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.qtmimed
Size: 315KB - Virtual size: 315KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 149KB - Virtual size: 149KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 104KB - Virtual size: 104KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Resubmissions

Sharing

General

Malware Config

Signatures

Files

7dc3762bf412e12afcfe9e5f5372513a

Headers

DLL Characteristics

File Characteristics

Imports

powrprof

wsock32

ws2_32

iphlpapi

crypt32

kernel32

user32

gdi32

shell32

ole32

oleaut32

advapi32

mpr

userenv

version

netapi32

winmm

imm32

uxtheme

dwmapi

wtsapi32

dbgeng

bcrypt

Sections

.text Size: 15.6MB - Virtual size: 15.6MB

.rdata Size: 11.0MB - Virtual size: 11.0MB

.data Size: 594KB - Virtual size: 701KB

.pdata Size: 589KB - Virtual size: 589KB

_RDATA Size: 512B - Virtual size: 348B

.qtmetad Size: 1KB - Virtual size: 1KB

.qtmimed Size: 315KB - Virtual size: 315KB

.rsrc Size: 149KB - Virtual size: 149KB

.reloc Size: 104KB - Virtual size: 104KB

.text
Size: 15.6MB - Virtual size: 15.6MB

.rdata
Size: 11.0MB - Virtual size: 11.0MB

.data
Size: 594KB - Virtual size: 701KB

.pdata
Size: 589KB - Virtual size: 589KB

_RDATA
Size: 512B - Virtual size: 348B

.qtmetad
Size: 1KB - Virtual size: 1KB

.qtmimed
Size: 315KB - Virtual size: 315KB

.rsrc
Size: 149KB - Virtual size: 149KB

.reloc
Size: 104KB - Virtual size: 104KB