Analysis Overview
SHA256
61043e6e6785a73aa964622059e9914aa1305ae8a3bbbf061201c769e139fefa
Threat Level: Known bad
The file 0326acfc5189de754bfc75d2d49114cc was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
Bazar/Team9 Loader payload
Tries to connect to .bazar domain
Unexpected DNS network traffic destination
Looks up external IP address via web service
Unsigned PE
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-25 03:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-25 03:29
Reported
2023-12-26 20:02
Platform
win7-20231215-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Bazar Loader
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Tries to connect to .bazar domain
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | greencloud46a.bazar | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Destination IP | 195.10.195.195 | N/A | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0326acfc5189de754bfc75d2d49114cc.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.8.202.218:443 | | tcp |
| US | 52.8.202.218:443 | | tcp |
| US | 54.185.61.176:443 | | tcp |
| US | 54.185.61.176:443 | | tcp |
| NL | 45.148.120.206:443 | | tcp |
| NL | 45.148.120.206:443 | | tcp |
| DE | 45.153.240.189:443 | | tcp |
| DE | 45.153.240.189:443 | | tcp |
| US | 8.8.8.8:53 | api.opennicproject.org | udp |
| DE | 116.203.98.109:443 | api.opennicproject.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 95.101.143.18:80 | apps.identrust.com | tcp |
| DE | 116.203.98.109:443 | api.opennicproject.org | tcp |
| DE | 195.10.195.195:53 | greencloud46a.bazar | udp |
| PA | 186.73.40.224:443 | | tcp |
Files
memory/1416-0-0x0000000000690000-0x00000000006CE000-memory.dmp
memory/1416-1-0x0000000000690000-0x00000000006CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab3F63.tmp
| MD5 | c259151cc4706a108b2f9cc3dd29767c |
| SHA1 | bd14c4b871abce6491747362226b80fa9d99335f |
| SHA256 | 1a77db2120829851714e50fb21ced3db1dd141e14083d9ce1bcec239085ebef3 |
| SHA512 | a18868f9ebfd1ebf18adc3abde3db0a4957c8f6c26ec04dba4dcc00741d67ef39e36e064f2e6f5245f9ee9c6f7c8b72b36d4a30a64b38ec6f15309a836db18f1 |
C:\Users\Admin\AppData\Local\Temp\Tar413A.tmp
| MD5 | 636461dbfb294086a34a497f2b07c64c |
| SHA1 | bd1ea4b925de947692cb58a3d1226d4eba6b5038 |
| SHA256 | 78a97e860199fb54978ea306a8a3c1a82e8362fea3189e7b05e6aa176ef5272f |
| SHA512 | 03bc62689f517fddbefdcb09c1a09332d51f5e7c4a3ab36eef01a0312ba699a7492ae7512f6f40011a04ed62d97821ba04fffb6dc053c35e89dda29fc9d0af03 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6305066c2f97ab7ad3e2232405a71c06 |
| SHA1 | 9e5187a03d1e5d3700f9a434f1b7559ae3557e9d |
| SHA256 | e23dac4bda04188738e8a3ca43afec1ebb3319a64b9b6c5b399cb5ac2bb30c31 |
| SHA512 | 250f25341552b461689e34f77f1eb18a54964e37e8a09c5bb9d74c606d10574b63a4762adb8bed32285b04e82a7674ec7def93fdc473f9c2a934607b7c789bb8 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-25 03:29
Reported
2023-12-26 20:05
Platform
win10v2004-20231215-en
Max time kernel
173s
Max time network
198s
Command Line
Signatures
Bazar Loader
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Tries to connect to .bazar domain
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | greencloud46a.bazar | N/A | N/A |
| N/A | whitestorm9p.bazar | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Destination IP | 195.10.195.195 | N/A | N/A |
| Destination IP | 195.10.195.195 | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| HTTP URL | https://api.opennicproject.org/geoip/?bare&ipv=4 | N/A | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0326acfc5189de754bfc75d2d49114cc.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 52.8.202.218:443 | | tcp |
| US | 8.8.8.8:53 | 106.27.33.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 54.185.61.176:443 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| NL | 45.148.120.206:443 | | tcp |
| DE | 45.153.240.189:443 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.opennicproject.org | udp |
| DE | 116.203.98.109:443 | api.opennicproject.org | tcp |
| US | 8.8.8.8:53 | 109.98.203.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.143.101.95.in-addr.arpa | udp |
| DE | 116.203.98.109:443 | api.opennicproject.org | tcp |
| DE | 195.10.195.195:53 | greencloud46a.bazar | udp |
| PA | 186.73.40.224:443 | | tcp |
| US | 8.8.8.8:53 | 195.195.10.195.in-addr.arpa | udp |
| DE | 195.10.195.195:53 | whitestorm9p.bazar | udp |
| PA | 186.73.40.224:443 | | tcp |
Files
memory/2072-0-0x0000000002CD0000-0x0000000002D0E000-memory.dmp
memory/2072-1-0x0000000002CD0000-0x0000000002D0E000-memory.dmp