bazarloader | b35e23599a0c1f88bc04a1a656aa158fda2fc46750d810bfe6801f96cdbec0fa

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2023 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file2.dll
Size

1.3MB
MD5

7a8ff582c7e91af4c10019b82ada67b4
SHA1

e2f42f1520058593d93e5378760724f918705b04
SHA256

b35e23599a0c1f88bc04a1a656aa158fda2fc46750d810bfe6801f96cdbec0fa
SHA512

1087afe7168c66e10858e88004d213fa7286cae22b538324045595e637739938ef47273ccc8efda83e84f115d2800b121b18d3ca9241b9f04b386d887b301018
SSDEEP

12288:k63GNTFtSCQ8NLaVhGqEdxtsvoxR6polnJeGek1XAmb/VVyor5M1ITUHAS/JaNq8:dRQZrx1iKn27A0TqD4+

Score

10^/10

bazarloader dropper loader

Malware Config

Extracted

Family

bazarloader

162.33.179.217

45.61.136.110

192.155.90.240

162.33.179.111

reddew28c.bazar

bluehail.bazar

whitestorm9p.bazar

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5068 PING.EXE

pid	process
5068	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.execmd.exe

description	pid	process	target process
PID 4380 wrote to memory of 3556	4380	rundll32.exe	cmd.exe
PID 4380 wrote to memory of 3556	4380	rundll32.exe	cmd.exe
PID 3556 wrote to memory of 5068	3556	cmd.exe	PING.EXE
PID 3556 wrote to memory of 5068	3556	cmd.exe	PING.EXE
PID 3556 wrote to memory of 2480	3556	cmd.exe	rundll32.exe
PID 3556 wrote to memory of 2480	3556	cmd.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\file2.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\system32\cmd.exe
  cmd /c ping 127.0.0.1 -n 8 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\file2.dll", #1 ZF3bI6aD VI0rr2aG & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\system32\PING.EXE
    ping 127.0.0.1 -n 8
    3⤵
    - Runs ping.exe
    PID:5068
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\file2.dll", #1 ZF3bI6aD VI0rr2aG
    3⤵
    PID:2480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2480-135-0x000002677AB50000-0x000002677ACC4000-memory.dmp

Filesize
1.5MB

Download
memory/4380-133-0x0000026051A70000-0x0000026051BE4000-memory.dmp

Filesize
1.5MB

Download
memory/4380-134-0x0000026051A70000-0x0000026051BE4000-memory.dmp

Filesize
1.5MB

Download