bazarloader | 5edd735e3c6b81d985f3eadd1f8cae24091b947699f1152528566124f22d5341

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2023 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

007bazabin.exe
Size

279KB
MD5

86506e4534b7433da308a39b0df63cfa
SHA1

91c9f7410afd1423118b5a76d4eafb074267086e
SHA256

5edd735e3c6b81d985f3eadd1f8cae24091b947699f1152528566124f22d5341
SHA512

382673ac2b10df3ab0415973a3cea27ce628e1d2e3d2d72da31d980dc548998c7c6311016f2cbf6c347a0c23e90b75672cf408b7979182f45d64786706cf71e1
SSDEEP

6144:ht6D4CrIDlWKKqi7QARrYXJhUnNdeT6t8T6yH5ZLrdiYJtqh7+WJj:hctrYlWIibk5SNdAe8NztqhS2

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1472-135-0x0000000180000000-0x0000000180034000-memory.dmp	BazarLoaderVar6

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
111	ewIjavto.bazar
121	onhôygto.bazar
124	ekéíekwa.bazar
143	yzóøwyto.bazar
98	yzhôavon.bazar
114	viv-wywa.bazar
139	viéíavon.bazar
151	vióøekon.bazar
155	udôeavon.bazar
158	onrûygto.bazar
169	virûaver.bazar
104	avóøekon.bazar
136	udðâwyto.bazar
138	mehôaver.bazar
144	ywhôwyon.bazar
154	omIjygto.bazar
102	ywhôyger.bazar
132	ygéíwyto.bazar
140	meóøekto.bazar
175	reéíwyto.bazar
150	evrûygon.bazar
172	soôeavon.bazar
96	yrIjaver.bazar
103	onðâygwa.bazar
108	erðâygto.bazar
137	ekšyygwa.bazar
145	udIjygon.bazar
176	waóøwyto.bazar
89	bestsightsofwildaustralia.bazar
94	yzIjygto.bazar
99	soôewyer.bazar
115	yzhôygto.bazar
153	ekIjavto.bazar
95	ewrûwyto.bazar
105	yrhôavto.bazar
107	virûwywa.bazar
133	omhôyger.bazar
167	yzôeeker.bazar
162	toðâwyon.bazar
163	udIjwyer.bazar
174	waéíavwa.bazar
77	vacationinsydney2021.bazar
100	avðâygwa.bazar
110	rev-avto.bazar
128	ewv-ygwa.bazar
135	ekðâygto.bazar
125	ewóøygto.bazar
164	omhôygto.bazar
173	yzhôekwa.bazar
92	sydneynewtours.bazar
113	sov-avwa.bazar
116	eršyavwa.bazar
120	viv-aver.bazar
129	tohôekto.bazar
165	ewôeavon.bazar
177	ekhôygto.bazar
101	ywv-wyer.bazar
112	virûwyon.bazar
131	ewIjekon.bazar
152	warûavwa.bazar
160	avrûekwa.bazar
171	tov-avon.bazar
122	rerûwyon.bazar
126	meðâwyer.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	45.61.49.203
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	45.61.49.203
Destination IP	45.61.49.203
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	45.61.49.203
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	45.61.49.203
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	139.177.199.175
Destination IP	45.61.49.203
Destination IP	45.61.49.203
Destination IP	45.61.49.203
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	45.61.49.203
Destination IP	104.248.14.193
Destination IP	45.61.49.203
Destination IP	45.61.49.203
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	45.61.49.203
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	139.177.199.175
Destination IP	45.61.49.203
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	45.61.49.203
Destination IP	104.248.14.193
Destination IP	104.248.14.193
Destination IP	45.61.49.203

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 72 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

description	flow	ioc
HTTP URL	72	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

C:\Users\Admin\AppData\Local\Temp\007bazabin.exe
"C:\Users\Admin\AppData\Local\Temp\007bazabin.exe"
1⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\007bazabin.exe
C:\Users\Admin\AppData\Local\Temp\007bazabin.exe 461072303
1⤵
PID:4852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1472-133-0x000002983F750000-0x000002983F753000-memory.dmp

Filesize
12KB

Download
memory/1472-134-0x000002983F760000-0x000002983F762000-memory.dmp

Filesize
8KB

Download
memory/1472-135-0x0000000180000000-0x0000000180034000-memory.dmp

Filesize
208KB

Download