bazarloader | 5edd735e3c6b81d985f3eadd1f8cae24091b947699f1152528566124f22d5341

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

007-baza.exe
Size

279KB
MD5

86506e4534b7433da308a39b0df63cfa
SHA1

91c9f7410afd1423118b5a76d4eafb074267086e
SHA256

5edd735e3c6b81d985f3eadd1f8cae24091b947699f1152528566124f22d5341
SHA512

382673ac2b10df3ab0415973a3cea27ce628e1d2e3d2d72da31d980dc548998c7c6311016f2cbf6c347a0c23e90b75672cf408b7979182f45d64786706cf71e1
SSDEEP

6144:ht6D4CrIDlWKKqi7QARrYXJhUnNdeT6t8T6yH5ZLrdiYJtqh7+WJj:hctrYlWIibk5SNdAe8NztqhS2

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2532-135-0x0000000180000000-0x0000000180034000-memory.dmp	BazarLoaderVar6

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
124	ywvaygwa.bazar
111	yrvaekto.bazar
87	mezyekon.bazar
90	yzyþaver.bazar
100	wyadavon.bazar
128	ev®avto.bazar
138	ew®wyon.bazar
141	yzwuyger.bazar
151	tozuygwa.bazar
53	vacationinsydney2021.bazar
160	ygotwyto.bazar
159	om®ygto.bazar
101	waytavon.bazar
104	omwuekon.bazar
153	ek®wywa.bazar
95	reubwywa.bazar
134	mewuwyto.bazar
139	re®wywa.bazar
148	wyvowyto.bazar
164	sovoygon.bazar
168	sozywyon.bazar
115	yzubwywa.bazar
149	vizywywa.bazar
150	yr®ygon.bazar
158	yzhvwyon.bazar
108	onhywyer.bazar
92	ywzuavto.bazar
98	rehyekto.bazar
118	omhvyger.bazar
127	udyþekon.bazar
85	yradekwa.bazar
126	ewhvwyon.bazar
137	mezuekto.bazar
146	wyzuavto.bazar
123	tohyekwa.bazar
91	yrkaeker.bazar
107	wyubwywa.bazar
74	bestsightsofwildaustralia.bazar
116	tohyygon.bazar
119	ommiygwa.bazar
125	ewhvwyon.bazar
144	avvaygon.bazar
167	omubwywa.bazar
112	yzmiwywa.bazar
93	eryþwyto.bazar
96	ewzyavto.bazar
122	ekubygto.bazar
143	yghvwyon.bazar
147	wyvowyto.bazar
152	meytekon.bazar
154	omkawywa.bazar
89	evyþekwa.bazar
109	ekwuwyto.bazar
103	ywytekon.bazar
120	mewuyger.bazar
130	ewzaaver.bazar
140	udzywyto.bazar
145	wahywyto.bazar
157	onotavto.bazar
162	ygotavto.bazar
110	yrwuwyto.bazar
117	rehvygon.bazar
121	ywwuwyto.bazar
165	ygytygon.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	104.248.14.193
Destination IP	45.61.49.203
Destination IP	139.177.199.175
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	45.61.49.203
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	45.61.49.203
Destination IP	139.177.199.175
Destination IP	45.61.49.203
Destination IP	104.248.14.193
Destination IP	45.61.49.203
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	45.61.49.203
Destination IP	45.61.49.203
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	45.61.49.203
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	45.61.49.203
Destination IP	45.61.49.203
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	45.61.49.203
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	45.61.49.203
Destination IP	45.61.49.203
Destination IP	45.61.49.203
Destination IP	45.61.49.203
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	45.61.49.203

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 45 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

description	flow	ioc
HTTP URL	45	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

C:\Users\Admin\AppData\Local\Temp\007-baza.exe
"C:\Users\Admin\AppData\Local\Temp\007-baza.exe"
1⤵
PID:2532

C:\Users\Admin\AppData\Local\Temp\007-baza.exe
C:\Users\Admin\AppData\Local\Temp\007-baza.exe 1555927205
1⤵
PID:4412

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2532-133-0x0000023219800000-0x0000023219803000-memory.dmp

Filesize
12KB

Download
memory/2532-134-0x0000023219840000-0x0000023219842000-memory.dmp

Filesize
8KB

Download
memory/2532-135-0x0000000180000000-0x0000000180034000-memory.dmp

Filesize
208KB

Download