bazarloader | qbittorrent_JC[.]exe

Sharing

Copy URL

Twitter E-mail

General

Target

qbittorrent_JC.exe
Size

28.5MB
MD5

299af9fcfb3067e8f5f64f0866c8fe33
SHA1

5244f3c95dbee3c29c4171899a1a158087419f59
SHA256

aacf4cc8c1591d4a5aeb1d1c32be0c0211fa593a3a4c5107f906a3910fdb6c34
SHA512

35598c4d22d29acec1f98fc61cb5e7ca8d3f281bb0ef586c0f1735497fcba4b714f8f5ab2c539cef8b843b35151e0516acd18724c04160c5cddd642cd754ebd2
SSDEEP

393216:RkIcS07+VMtn8jqbXRWspXwqBuoCef5RH/Z8TKJsv6tWKFdu9CeCbF:RkIkSW9XwquopH/ZuIF

Score

10^/10

bazarloader

Malware Config

Signatures

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource yara_rule

sample BazarLoaderVar5
Bazarloader family
bazarloader
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

qbittorrent_JC.exe

resource	yara_rule
sample	BazarLoaderVar5

resource
qbittorrent_JC.exe

Files

qbittorrent_JC.exe
.exe windows x64

a40bfbcdcf64f0eb989ef6c078effc57

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

powrprof

SetSuspendState

wsock32

WSAGetLastError
htons
htonl
WSACleanup
bind
accept
__WSAFDIsSet
getpeername
ord1141
ord1142
WSAStartup
socket
WSASetLastError
ntohs
setsockopt
inet_ntoa
getsockopt
connect
getsockname
listen
select
WSAAsyncSelect
gethostname
ntohl
closesocket

ws2_32

WSASend
WSASocketW
getaddrinfo
WSAAccept
freeaddrinfo
WSAStringToAddressW
WSAAddressToStringW
WSARecvFrom
WSAConnect
WSANtohl
WSANtohs
WSAHtonl
getnameinfo
WSAIoctl
WSARecv
WSASendTo

iphlpapi

NotifyUnicastIpAddressChange
ConvertInterfaceLuidToGuid
ConvertInterfaceIndexToLuid
ConvertInterfaceNameToLuidW
CancelMibChangeNotify2
GetAdaptersAddresses
ConvertInterfaceLuidToNameW
ConvertInterfaceLuidToIndex

crypt32

CertGetCertificateContextProperty
CertFindCertificateInStore
CertEnumCertificatesInStore
CertFreeCertificateContext
CertOpenSystemStoreA
CertCloseStore
CertOpenStore
CertAddCertificateContextToStore
CertFreeCertificateChain
CertGetCertificateChain
CertOpenSystemStoreW
CertCreateCertificateContext
CertDuplicateCertificateContext

kernel32

WriteFile
DeviceIoControl
SetEndOfFile
FindClose
LoadLibraryA
GetOverlappedResult
SetFilePointerEx
CreateEventA
CreateWaitableTimerA
GetACP
CancelIoEx
CancelIo
GetModuleHandleA
GetSystemTimeAsFileTime
GlobalMemoryStatusEx
SystemTimeToFileTime
GetSystemTime
GetModuleHandleExW
DeleteFiber
SwitchToFiber
CreateFiber
GetStdHandle
GetEnvironmentVariableW
GetFileType
RtlVirtualUnwind
QueryPerformanceCounter
ConvertFiberToThread
ConvertThreadToFiber
FreeLibrary
SetConsoleMode
ReadConsoleA
GetConsoleMode
ReadConsoleW
DisconnectNamedPipe
WaitNamedPipeW
CreateNamedPipeW
ConnectNamedPipe
ResetEvent
GlobalFree
SetHandleInformation
AreFileApisANSI
TryEnterCriticalSection
HeapCreate
HeapFree
GetFullPathNameW
GetDiskFreeSpaceW
OutputDebugStringA
LockFile
SetFilePointer
GetFullPathNameA
UnlockFileEx
GetTempPathW
GetFileAttributesW
UnmapViewOfFile
HeapValidate
HeapSize
GetTempPathA
GetDiskFreeSpaceA
GetFileAttributesA
OutputDebugStringW
FlushViewOfFile
CreateFileA
WaitForSingleObjectEx
DeleteFileA
HeapReAlloc
GetSystemInfo
HeapAlloc
HeapCompact
HeapDestroy
UnlockFile
LockFileEx
GetFileSize
GetProcessHeap
CreateFileMappingW
MapViewOfFile
GetTickCount
FlushFileBuffers
CompareStringEx
GetNativeSystemInfo
GetCommandLineW
IsProcessorFeaturePresent
GetFileSizeEx
GetEnvironmentStringsW
FreeEnvironmentStringsW
DuplicateHandle
GetExitCodeProcess
GetProcessId
GetLocalTime
CreateThread
SwitchToThread
GetThreadPriority
ResumeThread
QueryPerformanceFrequency
GetTickCount64
GetUserDefaultLCID
GetCurrencyFormatW
GetDateFormatW
GetTimeFormatW
GetUserPreferredUILanguages
RegisterWaitForSingleObject
UnregisterWaitEx
ReadFileEx
PeekNamedPipe
WriteFileEx
GetModuleFileNameW
GetStartupInfoW
OpenFileMappingW
VirtualQuery
TzSpecificLocalTimeToSystemTime
GetVolumePathNamesForVolumeNameW
GetFileInformationByHandleEx
SetFileTime
SetErrorMode
GetLogicalDrives
GetCurrentDirectoryW
MoveFileW
MoveFileExW
FileTimeToSystemTime
FindFirstFileExW
FindFirstChangeNotificationW
FindCloseChangeNotification
FindNextChangeNotification
GetVolumeNameForVolumeMountPointW
GetDiskFreeSpaceExW
CompareStringW
LCMapStringW
CreateSemaphoreW
ReleaseSemaphore
GetTimeZoneInformation
GetUserGeoID
GetGeoInfoW
VirtualFree
VirtualAlloc
WriteConsoleW
FindFirstFileW
ReadFile
CopyFileW
DeleteFileW
GetFileInformationByHandle
CreateFileW
CreateHardLinkW
RemoveDirectoryW
GetLocaleInfoEx
CreateDirectoryW
GetFileAttributesExW
CreateIoCompletionPort
SleepEx
QueueUserAPC
TerminateThread
SetEvent
CreateEventW
GetQueuedCompletionStatus
InitializeCriticalSectionAndSpinCount
SetLastError
TlsSetValue
SetFileAttributesW
SetEnvironmentVariableW
GetOEMCP
RtlPcToFileHeader
RaiseException
InitializeSRWLock
IsValidCodePage
ReleaseSRWLockExclusive
AcquireSRWLockExclusive
TryAcquireSRWLockExclusive
EnumSystemLocalesW
IsValidLocale
SetWaitableTimer
TlsGetValue
PostQueuedCompletionStatus
DeleteCriticalSection
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
ExitProcess
GetUserDefaultLangID
lstrcmpW
GlobalSize
CreateProcessW
ExpandEnvironmentStringsW
GlobalUnlock
GlobalLock
GlobalAlloc
GetLocaleInfoW
CheckRemoteDebuggerPresent
OpenProcess
WTSGetActiveConsoleSessionId
GetModuleHandleW
GetCurrentThreadId
GetLongPathNameW
GetVolumeInformationW
GetConsoleWindow
LocalAlloc
SetThreadExecutionState
VerifyVersionInfoW
VerSetConditionMask
GetSystemDirectoryW
GetVolumePathNameW
GetDriveTypeW
MultiByteToWideChar
RtlCaptureStackBackTrace
WaitForMultipleObjects
Sleep
OpenMutexW
CreateMutexW
WaitForSingleObject
ReleaseMutex
GetCurrentProcessId
WideCharToMultiByte
FormatMessageW
FormatMessageA
LocalFree
LoadLibraryW
GetProcAddress
TlsFree
TlsAlloc
SetThreadPriority
GetCurrentThread
GetCurrentProcess
GetLastError
CloseHandle
SetStdHandle
GetCommandLineA
SystemTimeToTzSpecificLocalTime
FreeLibraryAndExitThread
InitializeConditionVariable
WakeConditionVariable
WakeAllConditionVariable
SleepConditionVariableSRW
InitOnceBeginInitialize
InitOnceComplete
FreeLibraryWhenCallbackReturns
CreateThreadpoolWork
SubmitThreadpoolWork
CloseThreadpoolWork
GetExitCodeThread
FlsAlloc
FlsGetValue
FlsSetValue
FlsFree
InitializeCriticalSectionEx
FindNextFileW
EncodePointer
DecodePointer
LCMapStringEx
GetStringTypeW
GetCPInfo
RtlCaptureContext
RtlLookupFunctionEntry
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
InitializeSListHead
RtlUnwindEx
RtlUnwind
LoadLibraryExW
SetConsoleCtrlHandler
GetConsoleOutputCP
ExitThread
TerminateProcess

user32

GetCursor
GetCursorInfo
CreateCursor
LoadCursorW
TrackMouseEvent
GetClipboardFormatNameW
EnumDisplayDevicesW
RegisterClipboardFormatW
GetMenuItemInfoW
ModifyMenuW
GetAsyncKeyState
GetMessageExtraInfo
GetTouchInputInfo
CloseTouchInputHandle
GetWindowTextW
EnumWindows
RealGetWindowClassW
ChangeWindowMessageFilterEx
GetProcessWindowStation
GetUserObjectInformationW
PostThreadMessageW
KillTimer
GetQueueStatus
SetTimer
RegisterClassW
MsgWaitForMultipleObjectsEx
TranslateMessage
DispatchMessageW
UnregisterDeviceNotification
RegisterDeviceNotificationW
SetCursorPos
CreatePopupMenu
TrackPopupMenu
SetMenu
DestroyMenu
DrawMenuBar
InsertMenuW
RemoveMenu
AppendMenuW
CreateMenu
LoadIconW
GetKeyState
MapVirtualKeyW
GetKeyboardState
SetMenuItemInfoW
PeekMessageW
ToUnicode
TrackPopupMenuEx
IsZoomed
ToAscii
MonitorFromWindow
EnumDisplayMonitors
GetMonitorInfoW
HideCaret
SetCaretPos
CreateCaret
GetKeyboardLayout
IsWindowEnabled
DestroyCaret
ShowCaret
FindWindowA
SetClipboardViewer
IsHungAppWindow
ChangeClipboardChain
GetFocus
UnregisterClassW
ChildWindowFromPointEx
RegisterClassExW
WindowFromPoint
GetClassInfoW
GetKeyboardLayoutList
UnregisterPowerSettingNotification
RegisterPowerSettingNotification
GetSysColorBrush
LoadImageW
GetCursorPos
GetWindowLongW
GetWindowThreadProcessId
DefWindowProcW
AdjustWindowRectEx
IsTouchWindow
PostMessageW
MonitorFromPoint
GetWindow
GetWindowRect
GetMenu
DestroyWindow
IsWindowVisible
SetWindowPos
SetWindowLongPtrW
SetWindowRgn
CreateWindowExW
ScreenToClient
SendMessageW
SetWindowTextW
GetWindowLongPtrW
GetWindowPlacement
DestroyCursor
ShowWindow
GetCapture
RegisterTouchWindow
ClientToScreen
IsChild
SetWindowPlacement
AttachThreadInput
GetForegroundWindow
MoveWindow
UnregisterTouchWindow
SetLayeredWindowAttributes
SetFocus
GetUpdateRect
SetParent
SetCapture
SetCursor
FlashWindowEx
GetClientRect
UpdateLayeredWindow
GetParent
ReleaseCapture
SetForegroundWindow
InvalidateRect
GetAncestor
IsIconic
BeginPaint
EndPaint
MessageBeep
IsWindow
GetDoubleClickTime
GetCaretBlinkTime
GetDesktopWindow
UpdateLayeredWindowIndirect
GetSystemMetrics
GetSysColor
EnableMenuItem
GetSystemMenu
SystemParametersInfoW
DrawIconEx
GetIconInfo
CreateIconIndirect
ReleaseDC
GetDC
MessageBoxW
RegisterWindowMessageW
DestroyIcon
AllowSetForegroundWindow
ShutdownBlockReasonDestroy
ShutdownBlockReasonCreate
CharNextExA
SetWindowLongW

gdi32

DeleteDC
CreateCompatibleDC
GetObjectW
CreateDIBSection
CreateBitmap
ExtTextOutW
SetTextAlign
SetBkMode
SetTextColor
GetCharABCWidthsW
GetCharABCWidthsI
GetCharABCWidthsFloatW
GetGlyphOutlineW
SetWorldTransform
SetGraphicsMode
GetTextExtentPoint32W
GetOutlineTextMetricsW
GetTextFaceW
GetStockObject
RemoveFontResourceExW
AddFontResourceExW
GetTextMetricsW
RemoveFontMemResourceEx
AddFontMemResourceEx
EnumFontFamiliesExW
GetFontData
CreateFontIndirectW
GdiFlush
GetBitmapBits
CreateCompatibleBitmap
CreateDCW
GetDeviceCaps
SetLayout
OffsetRgn
SelectClipRgn
BitBlt
CreateRectRgn
CombineRgn
DeleteObject
GetRegionData
GetDIBits
SelectObject

shell32

SHGetKnownFolderPath
Shell_NotifyIconGetRect
Shell_NotifyIconW
SHCreateItemFromIDList
SHGetPathFromIDListW
SHGetKnownFolderIDList
SHBrowseForFolderW
SHGetMalloc
SHGetStockIconInfo
ord727
SHCreateItemFromParsingName
SHGetFileInfoW
ShellExecuteW
SHOpenFolderAndSelectItems
ord190
ord155
SHChangeNotify
CommandLineToArgvW

ole32

DoDragDrop
OleFlushClipboard
CoGetMalloc
CoGetApartmentType
OleIsCurrentClipboard
OleSetClipboard
OleInitialize
OleUninitialize
RevokeDragDrop
CoLockObjectExternal
RegisterDragDrop
CoInitialize
CoTaskMemFree
StringFromGUID2
CoCreateGuid
CoCreateInstance
CoInitializeEx
ReleaseStgMedium
CoUninitialize
OleGetClipboard
CoGetObjectContext

oleaut32

SafeArrayCreateVector
SafeArrayPutElement
SysFreeString
SysAllocString

advapi32

RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
RegCloseKey
InitiateSystemShutdownW
RegFlushKey
RegSetValueExW
RegDeleteValueW
RegDeleteKeyW
RegEnumValueW
RegCreateKeyExW
GetEffectiveRightsFromAclW
AccessCheck
MapGenericMask
LookupAccountSidW
GetNamedSecurityInfoW
DuplicateToken
BuildTrusteeWithSidW
CopySid
SystemFunction036
GetSidSubAuthorityCount
GetSidSubAuthority
RegNotifyChangeKeyValue
SetSecurityDescriptorDacl
SetSecurityDescriptorGroup
SetSecurityDescriptorOwner
FreeSid
AddAccessAllowedAce
InitializeAcl
GetLengthSid
AllocateAndInitializeSid
GetTokenInformation
InitializeSecurityDescriptor
CryptDestroyKey
CryptGetUserKey
CryptAcquireContextW
CryptEnumProvidersW
CryptDecrypt
CryptExportKey
CryptCreateHash
CryptSetHashParam
CryptDestroyHash
CryptSignHashW
CryptGetProvParam
CryptReleaseContext
DeregisterEventSource
RegisterEventSourceW
LookupPrivilegeValueW
AdjustTokenPrivileges
OpenProcessToken
ReportEventW
RegQueryValueExW

mpr

WNetGetUniversalNameW

userenv

GetUserProfileDirectoryW

version

GetFileVersionInfoW
VerQueryValueW
GetFileVersionInfoSizeW

netapi32

NetApiBufferFree
NetShareEnum

winmm

PlaySoundW
timeKillEvent
timeSetEvent

imm32

ImmNotifyIME
ImmAssociateContextEx
ImmSetCandidateWindow
ImmGetOpenStatus
ImmAssociateContext
ImmGetCompositionStringW
ImmSetCompositionWindow
ImmReleaseContext
ImmGetContext
ImmGetDefaultIMEWnd
ImmGetVirtualKey

uxtheme

IsThemeActive
GetCurrentThemeName
GetThemeBackgroundRegion
SetWindowTheme
IsAppThemed
GetThemeMargins
GetThemeInt
OpenThemeData
GetThemeColor
GetThemePartSize
GetThemeEnumValue
GetThemeTransitionDuration
GetThemePropertyOrigin
GetThemeBool
ord47
CloseThemeData
IsThemeBackgroundPartiallyTransparent

dwmapi

DwmIsCompositionEnabled
DwmGetWindowAttribute
DwmEnableBlurBehindWindow
DwmSetWindowAttribute

wtsapi32

WTSFreeMemory
WTSQuerySessionInformationW

dbgeng

DebugCreate

bcrypt

BCryptGenRandom

Sections

.text
Size: 15.6MB - Virtual size: 15.6MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 11.2MB - Virtual size: 11.2MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 594KB - Virtual size: 700KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 590KB - Virtual size: 589KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

_RDATA
Size: 512B - Virtual size: 348B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.qtmetad
Size: 1KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.qtmimed
Size: 315KB - Virtual size: 315KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 149KB - Virtual size: 149KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 104KB - Virtual size: 104KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

a40bfbcdcf64f0eb989ef6c078effc57

Headers

DLL Characteristics

File Characteristics

Imports

powrprof

wsock32

ws2_32

iphlpapi

crypt32

kernel32

user32

gdi32

shell32

ole32

oleaut32

advapi32

mpr

userenv

version

netapi32

winmm

imm32

uxtheme

dwmapi

wtsapi32

dbgeng

bcrypt

Sections

.text Size: 15.6MB - Virtual size: 15.6MB

.rdata Size: 11.2MB - Virtual size: 11.2MB

.data Size: 594KB - Virtual size: 700KB

.pdata Size: 590KB - Virtual size: 589KB

_RDATA Size: 512B - Virtual size: 348B

.qtmetad Size: 1KB - Virtual size: 1KB

.qtmimed Size: 315KB - Virtual size: 315KB

.rsrc Size: 149KB - Virtual size: 149KB

.reloc Size: 104KB - Virtual size: 104KB

.text
Size: 15.6MB - Virtual size: 15.6MB

.rdata
Size: 11.2MB - Virtual size: 11.2MB

.data
Size: 594KB - Virtual size: 700KB

.pdata
Size: 590KB - Virtual size: 589KB

_RDATA
Size: 512B - Virtual size: 348B

.qtmetad
Size: 1KB - Virtual size: 1KB

.qtmimed
Size: 315KB - Virtual size: 315KB

.rsrc
Size: 149KB - Virtual size: 149KB

.reloc
Size: 104KB - Virtual size: 104KB