bazarloader | 8fccef8c77091c260d0926d4ebe9ee80d79be2262360679a4d59c2a6efeca7ab

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 04:48

Target

0f003a54e0e52efd49c31376687eac41.dll
Size

338KB
MD5

0f003a54e0e52efd49c31376687eac41
SHA1

3f2cd9ca8778d2814fa6e32b1827db2f57b25e6c
SHA256

8fccef8c77091c260d0926d4ebe9ee80d79be2262360679a4d59c2a6efeca7ab
SHA512

ad8530a5df15895f813935bc6fea24a6c11ebf5733f2d99cb6a5b2cbfa9e4d220965e7e2c087659e51b31916a51fdfeca3536c065a561a2c9fed382c9795d059
SSDEEP

6144:uZwKn8bxurvfUCEs7I4V2PsqHMc/PZ6RguROla0CWecIdn9TCwC6dT:zTbxuLfUCR2kQMgZ6W4OIePAT

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4648-0-0x00000177E64C0000-0x00000177E66BA000-memory.dmp	BazarLoaderVar5
behavioral2/memory/4648-1-0x00000177E64C0000-0x00000177E66BA000-memory.dmp	BazarLoaderVar5

Blocklisted process makes network request 16 IoCs

Processes:

rundll32.exe

Tries to connect to .bazar domain 10 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

Unexpected DNS network traffic destination 10 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f003a54e0e52efd49c31376687eac41.dll,#1
1⤵
- Blocklisted process makes network request
PID:4648

memory/4648-0-0x00000177E64C0000-0x00000177E66BA000-memory.dmp

Filesize
2.0MB

Download
memory/4648-1-0x00000177E64C0000-0x00000177E66BA000-memory.dmp

Filesize
2.0MB

Download