bazarloader | b51cb6fa584a073fe95bcf8749cf84363cb431f520a5d97cec92aae88329b7cb

Analysis

max time kernel
109s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2023 07:56

Target

filemanpdf.dll
Size

213KB
MD5

6f3be0dfe6b5971b16464b7924772445
SHA1

8af5e975c00f5bdbd843f644a60adbb5f8da8a0d
SHA256

b51cb6fa584a073fe95bcf8749cf84363cb431f520a5d97cec92aae88329b7cb
SHA512

a1a8d49ec7610c37284a2e9f7409f1f93343c7d9c676985b9a3759388835880e7e376451e89294654cb4fc0f6c6386876896da50347c8bc4a98b80b1825cd5ef
SSDEEP

3072:GmmcI7/mAuyLKfrsP5PUD1jB8pZbiYbrmdwDb2lyZi4oRWLuaW5FxvwR0N:/jI7uzfrkAjBoZ1bRi2JYx

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

2044 PING.EXE

pid	process
2044	PING.EXE

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.execmd.exe

description	pid	process	target process
PID 828 wrote to memory of 3664	828	rundll32.exe	cmd.exe
PID 828 wrote to memory of 3664	828	rundll32.exe	cmd.exe
PID 3664 wrote to memory of 2044	3664	cmd.exe	PING.EXE
PID 3664 wrote to memory of 2044	3664	cmd.exe	PING.EXE
PID 3664 wrote to memory of 2712	3664	cmd.exe	rundll32.exe
PID 3664 wrote to memory of 2712	3664	cmd.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\filemanpdf.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\system32\cmd.exe
cmd /c ping 127.0.0.1 -n 10 -i 38 -4 > NUL & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\filemanpdf.dll", #1 ZF3bI6aD VI0rr2aG & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 10 -i 38 -4
3⤵
- Runs ping.exe
PID:2044

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\filemanpdf.dll", #1 ZF3bI6aD VI0rr2aG
3⤵
PID:2712

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/828-133-0x0000011CF5BF0000-0x0000011CF5C10000-memory.dmp

Filesize
128KB

Download
memory/828-134-0x0000011CF5BF0000-0x0000011CF5C10000-memory.dmp

Filesize
128KB

Download
memory/2712-135-0x0000025906AD0000-0x0000025906AF0000-memory.dmp

Filesize
128KB

Download