Malware Analysis Report

2024-10-23 17:37

Sample ID 231225-d2ewmabfh5
Target 0326acfc5189de754bfc75d2d49114cc
SHA256 61043e6e6785a73aa964622059e9914aa1305ae8a3bbbf061201c769e139fefa
Tags bazarloader dropper loader
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 61043e6e6785a73aa964622059e9914aa1305ae8a3bbbf061201c769e139fefa

Threat Level: Known bad

The file 0326acfc5189de754bfc75d2d49114cc was found to be: Known bad.

Malicious Activity Summary

bazarloader dropper loader

Bazar Loader

Bazar/Team9 Loader payload

Tries to connect to .bazar domain

Unexpected DNS network traffic destination

Looks up external IP address via web service

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-25 03:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-25 03:29

Reported

2023-12-26 20:02

Platform

win7-20231215-en

Max time kernel

140s

Max time network

150s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0326acfc5189de754bfc75d2d49114cc.dll

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Tries to connect to .bazar domain

Description Indicator Process Target
N/A greencloud46a.bazar N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 195.10.195.195 N/A N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0326acfc5189de754bfc75d2d49114cc.dll

Network

Country Destination Domain Proto
US 52.8.202.218:443 N/A tcp
US 52.8.202.218:443 N/A tcp
US 54.185.61.176:443 N/A tcp
US 54.185.61.176:443 N/A tcp
NL 45.148.120.206:443 N/A tcp
NL 45.148.120.206:443 N/A tcp
DE 45.153.240.189:443 N/A tcp
DE 45.153.240.189:443 N/A tcp
US 8.8.8.8:53 api.opennicproject.org udp
DE 116.203.98.109:443 api.opennicproject.org tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 95.101.143.18:80 apps.identrust.com tcp
DE 116.203.98.109:443 api.opennicproject.org tcp
DE 195.10.195.195:53 greencloud46a.bazar udp
PA 186.73.40.224:443 N/A tcp

Files

memory/1416-0-0x0000000000690000-0x00000000006CE000-memory.dmp

memory/1416-1-0x0000000000690000-0x00000000006CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3F63.tmp

MD5 c259151cc4706a108b2f9cc3dd29767c
SHA1 bd14c4b871abce6491747362226b80fa9d99335f
SHA256 1a77db2120829851714e50fb21ced3db1dd141e14083d9ce1bcec239085ebef3
SHA512 a18868f9ebfd1ebf18adc3abde3db0a4957c8f6c26ec04dba4dcc00741d67ef39e36e064f2e6f5245f9ee9c6f7c8b72b36d4a30a64b38ec6f15309a836db18f1

C:\Users\Admin\AppData\Local\Temp\Tar413A.tmp

MD5 636461dbfb294086a34a497f2b07c64c
SHA1 bd1ea4b925de947692cb58a3d1226d4eba6b5038
SHA256 78a97e860199fb54978ea306a8a3c1a82e8362fea3189e7b05e6aa176ef5272f
SHA512 03bc62689f517fddbefdcb09c1a09332d51f5e7c4a3ab36eef01a0312ba699a7492ae7512f6f40011a04ed62d97821ba04fffb6dc053c35e89dda29fc9d0af03

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6305066c2f97ab7ad3e2232405a71c06
SHA1 9e5187a03d1e5d3700f9a434f1b7559ae3557e9d
SHA256 e23dac4bda04188738e8a3ca43afec1ebb3319a64b9b6c5b399cb5ac2bb30c31
SHA512 250f25341552b461689e34f77f1eb18a54964e37e8a09c5bb9d74c606d10574b63a4762adb8bed32285b04e82a7674ec7def93fdc473f9c2a934607b7c789bb8

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-25 03:29

Reported

2023-12-26 20:05

Platform

win10v2004-20231215-en

Max time kernel

173s

Max time network

198s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0326acfc5189de754bfc75d2d49114cc.dll

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Tries to connect to .bazar domain

Description Indicator Process Target
N/A greencloud46a.bazar N/A N/A
N/A whitestorm9p.bazar N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 195.10.195.195 N/A N/A
Destination IP 195.10.195.195 N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
HTTP URL https://api.opennicproject.org/geoip/?bare&ipv=4 N/A N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0326acfc5189de754bfc75d2d49114cc.dll

Network

Country Destination Domain Proto
US 20.231.121.79:80 N/A tcp
US 8.8.8.8:53 83.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 52.8.202.218:443 N/A tcp
US 8.8.8.8:53 106.27.33.23.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 54.185.61.176:443 N/A tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
NL 45.148.120.206:443 N/A tcp
DE 45.153.240.189:443 N/A tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 api.opennicproject.org udp
DE 116.203.98.109:443 api.opennicproject.org tcp
US 8.8.8.8:53 109.98.203.116.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 27.143.101.95.in-addr.arpa udp
DE 116.203.98.109:443 api.opennicproject.org tcp
DE 195.10.195.195:53 greencloud46a.bazar udp
PA 186.73.40.224:443 N/A tcp
US 8.8.8.8:53 195.195.10.195.in-addr.arpa udp
DE 195.10.195.195:53 whitestorm9p.bazar udp
PA 186.73.40.224:443 N/A tcp

Files

memory/2072-0-0x0000000002CD0000-0x0000000002D0E000-memory.dmp

memory/2072-1-0x0000000002CD0000-0x0000000002D0E000-memory.dmp