bazarloader | 85a19656e73c4a3343b476bc823437a58df84e25a631fb543eb7bf876a9aef31

Analysis

max time kernel
145s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2023 04:44

Target

c457e8760ba768b3a9746831c366ac1a.dll
Size

1.2MB
MD5

c457e8760ba768b3a9746831c366ac1a
SHA1

94fec4b344f00e5f890c6c850743c80f98659a72
SHA256

85a19656e73c4a3343b476bc823437a58df84e25a631fb543eb7bf876a9aef31
SHA512

830bdd275b1d929e892ff4e474cde20550b88f82ac59354f40ecb007eebc04492a512044783559020016002bb81665d5162c638934af95d8ad9aa4566d885dbd
SSDEEP

24576:0Wpc+G43nwqthqmmldpXoQ5IyXdLrgvHmrM:8+n3Hthqm9qgkM

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3384-0-0x000001D3E3410000-0x000001D3E344B000-memory.dmp	BazarLoaderVar5
behavioral2/memory/3384-1-0x00007FFCA8460000-0x00007FFCA85E2000-memory.dmp	BazarLoaderVar5
behavioral2/memory/3384-3-0x000001D3E3410000-0x000001D3E344B000-memory.dmp	BazarLoaderVar5

Blocklisted process makes network request 11 IoCs

Processes:

rundll32.exe

Tries to connect to .bazar domain 3 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow ioc

74 yellowdownpour81.bazar
56 greencloud46a.bazar
63 whitestorm9p.bazar
Unexpected DNS network traffic destination 3 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 195.10.195.195
Destination IP 195.10.195.195
Destination IP 195.10.195.195
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 49 https://api.opennicproject.org/geoip/?bare&ipv=4

description	flow	ioc
HTTP URL	49	https://api.opennicproject.org/geoip/?bare&ipv=4

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c457e8760ba768b3a9746831c366ac1a.dll,#1
1⤵
- Blocklisted process makes network request
PID:3384

memory/3384-0-0x000001D3E3410000-0x000001D3E344B000-memory.dmp

Filesize
236KB

Download
memory/3384-1-0x00007FFCA8460000-0x00007FFCA85E2000-memory.dmp

Filesize
1.5MB

Download
memory/3384-3-0x000001D3E3410000-0x000001D3E344B000-memory.dmp

Filesize
236KB

Download