bazarloader | 282c8bb556eb3e2bf22836785ff04ebd1edab6cc36714f3b5a95dca9b9136767 | Triage

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2023 05:15

Sharing

Report Analysis Logs

General

Target

0734500b39c49a7d1540a078cf764ae6.dll
Size

1.2MB
MD5

0734500b39c49a7d1540a078cf764ae6
SHA1

5b7ff496d9761d73cfd1bfa6bad26c0a752e3f9b
SHA256

282c8bb556eb3e2bf22836785ff04ebd1edab6cc36714f3b5a95dca9b9136767
SHA512

b155422f255acfc434db72ce3136a6c4089f9377d75811c5275a7a9ae3201bbdb0f817e15f5e215b5e6766d6161978707fcbd2d6909880a8203e992fc2905f36
SSDEEP

24576:rHvFVj8+YADTpPIeVCMaKoUo5/IyXZHa/K:/Y+YuTpPVPBwb

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4124-0-0x0000000027700000-0x000000002773E000-memory.dmp	BazarLoaderVar5
behavioral2/memory/4124-1-0x00007FFCA1370000-0x00007FFCA14F1000-memory.dmp	BazarLoaderVar5
behavioral2/memory/4124-3-0x0000000027700000-0x000000002773E000-memory.dmp	BazarLoaderVar5

Tries to connect to .bazar domain 6 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow ioc

76 whitestorm9p.bazar
77 whitestorm9p.bazar
79 yellowdownpour81.bazar
80 yellowdownpour81.bazar
69 greencloud46a.bazar
70 greencloud46a.bazar

Unexpected DNS network traffic destination 6 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	195.10.195.195
Destination IP	195.10.195.195
Destination IP	194.36.144.87
Destination IP	194.36.144.87
Destination IP	195.10.195.195
Destination IP	194.36.144.87

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 63 https://api.opennicproject.org/geoip/?bare&ipv=4
HTTP URL 68 https://api.opennicproject.org/geoip/?bare&ipv=4

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\0734500b39c49a7d1540a078cf764ae6.dll
1⤵
PID:4124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4124-0-0x0000000027700000-0x000000002773E000-memory.dmp

Filesize
248KB

Download
memory/4124-1-0x00007FFCA1370000-0x00007FFCA14F1000-memory.dmp

Filesize
1.5MB

Download
memory/4124-3-0x0000000027700000-0x000000002773E000-memory.dmp

Filesize
248KB

Download