Malware Analysis Report

2024-10-19 02:59

Sample ID: 231231-q16deaeghp
Target: 3883bba6d366e73e63226f1e842b44e5
SHA256: 4e4c7f6c2c9c7b4d73b73b38132dc9972c7d1492d628fe5d4ffb9b105ac84799
Tags: bazarloader dropper loader
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 4e4c7f6c2c9c7b4d73b73b38132dc9972c7d1492d628fe5d4ffb9b105ac84799

Threat Level: Known bad

The file 3883bba6d366e73e63226f1e842b44e5 was found to be: Known bad.

Malicious Activity Summary

bazarloader dropper loader

Bazar Loader

Bazar/Team9 Loader payload

Tries to connect to .bazar domain

Unexpected DNS network traffic destination

Looks up external IP address via web service

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-12-31 13:44

Signatures

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 13:44
Reported: 2024-01-05 09:44
Platform: win7-20231215-en
Max time kernel: 142s
Max time network: 147s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3883bba6d366e73e63226f1e842b44e5.dll

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Tries to connect to .bazar domain

Description  Indicator            Process  Target
N/A          greencloud46a.bazar  N/A      N/A

Unexpected DNS network traffic destination

Description     Indicator       Process  Target
Destination IP  195.10.195.195  N/A      N/A

Looks up external IP address via web service

Description  Indicator                                         Process  Target
HTTP URL     https://api.opennicproject.org/geoip/?bare&ipv=4  N/A      N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3883bba6d366e73e63226f1e842b44e5.dll

Network

Country  Destination           Domain                        Proto
US       52.8.202.218:443      N/A                           tcp
US       52.8.202.218:443      N/A                           tcp
US       54.185.61.176:443     N/A                           tcp
US       54.185.61.176:443     N/A                           tcp
NL       45.148.120.206:443    N/A                           tcp
NL       45.148.120.206:443    N/A                           tcp
DE       45.153.240.189:443    N/A                           tcp
DE       45.153.240.189:443    N/A                           tcp
US       8.8.8.8:53            api.opennicproject.org        udp
DE       116.203.98.109:443    api.opennicproject.org        tcp
US       8.8.8.8:53            apps.identrust.com            udp
GB       96.17.179.205:80      apps.identrust.com            tcp
DE       195.10.195.195:53     greencloud46a.bazar           udp
PA       186.73.40.224:443     N/A                           tcp
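The two network signatures above ("Tries to connect to .bazar domain" and "Unexpected DNS network traffic destination") follow directly from the rows in the Network table, and the regsvr32 /s command line in Processes is itself a usable detection. The following is an added example, not code from the sandbox or from this report, that re-derives those findings from the table rows and the command line as they appear in behavioral1. The sandbox resolver address (8.8.8.8), the extra EmerDNS TLDs listed beside .bazar, the name given to the regsvr32 rule and the helper names (parse_rows, findings and so on) are assumptions made for this example.

```python
"""Re-derive this report's network and process signatures from its raw evidence.

Added example, not the sandbox's own detection code.  It parses rows in the
"Country Destination Domain Proto" layout used by the Network tables in this
report (Domain absent or N/A for plain TCP flows) and flags:
  1. DNS traffic sent anywhere but the sandbox's expected resolver
     ("Unexpected DNS network traffic destination");
  2. lookups of a name under .bazar or another alternative-root TLD
     ("Tries to connect to .bazar domain");
  3. a silent regsvr32 load of a DLL from a user-writable temp directory
     (the command line shown under Processes).
The resolver address, the TLDs beyond .bazar and the rule name for (3) are
assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rows copied from the behavioral1 Network table of this report.
NETWORK_ROWS = """\
US 52.8.202.218:443 tcp
US 54.185.61.176:443 tcp
NL 45.148.120.206:443 tcp
DE 45.153.240.189:443 tcp
US 8.8.8.8:53 api.opennicproject.org udp
DE 116.203.98.109:443 api.opennicproject.org tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
DE 195.10.195.195:53 greencloud46a.bazar udp
PA 186.73.40.224:443 tcp
"""

# Command line from the Processes section of this report.
COMMAND_LINE = r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3883bba6d366e73e63226f1e842b44e5.dll"

# Assumption: the guest resolves only through 8.8.8.8, so a DNS packet to any
# other address was produced by resolver code inside the sample itself.
EXPECTED_RESOLVERS = {"8.8.8.8"}

# .bazar is the TLD seen in this report; the others are further Emercoin
# (EmerDNS) zones that public resolvers do not serve, included by assumption.
ALT_ROOT_TLDS = {"bazar", "coin", "emc", "lib"}


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> List[Flow]:
    """Parse one flow per line; the Domain column may be absent or N/A."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unparseable row: {line!r}")
        if domain in ("N/A", "-"):
            domain = None
        ip, _, port = dest.rpartition(":")
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def unexpected_dns(flows: List[Flow]) -> List[Flow]:
    """DNS (port 53) flows that bypass the expected resolver."""
    return [fl for fl in flows if fl.port == 53 and fl.ip not in EXPECTED_RESOLVERS]


def alt_root_lookups(flows: List[Flow]) -> List[Flow]:
    """Flows whose domain ends in an alternative-root TLD such as .bazar."""
    return [fl for fl in flows
            if fl.domain and fl.domain.rsplit(".", 1)[-1].lower() in ALT_ROOT_TLDS]


# regsvr32[.exe] ... /s ... <anything>\AppData\Local\Temp\<file>.dll
_SILENT_REGSVR32_TEMP = re.compile(
    r"(?i)\bregsvr32(?:\.exe)?\b.*\s/s\b.*\\AppData\\Local\\Temp\\[^\\\s]+\.dll\b")


def silent_regsvr32_from_temp(cmdline: str) -> bool:
    """True when regsvr32 silently registers a DLL that lives under %TEMP%."""
    return _SILENT_REGSVR32_TEMP.search(cmdline) is not None


def findings(rows: str = NETWORK_ROWS, cmdline: str = COMMAND_LINE) -> Dict[str, List[str]]:
    """Map each triggered rule to its sorted, de-duplicated indicators."""
    flows = parse_rows(rows)
    out: Dict[str, List[str]] = {}
    bazar = sorted({fl.domain for fl in alt_root_lookups(flows)})
    if bazar:
        out["Tries to connect to .bazar domain"] = bazar
    dns = sorted({f"{fl.ip}:{fl.port}" for fl in unexpected_dns(flows)})
    if dns:
        out["Unexpected DNS network traffic destination"] = dns
    if silent_regsvr32_from_temp(cmdline):
        out["Silent regsvr32 load from user temp directory"] = [cmdline]
    return out


if __name__ == "__main__":
    for rule, indicators in findings().items():
        print(f"{rule}: {', '.join(indicators)}")
```

Run as a script it prints each triggered rule with its indicators; paste in the behavioral2 rows instead and only the regsvr32 rule fires, which matches that run's signature list. Note what the rules deliberately leave alone: the apps.identrust.com fetch, the Cab*.tmp and Tar*.tmp files and the CryptnetUrlCache entry under Files are Windows CryptoAPI certificate-chain retrieval artifacts caused by the sample's TLS connections, and the g.bing.com and in-addr.arpa lookups in behavioral2 are ordinary Windows 10 guest background traffic, so none of them are sample-specific indicators. The hard-coded resolver at 195.10.195.195:53 and the greencloud46a.bazar name are.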

Files

memory/2264-0-0x00000000002D0000-0x000000000030E000-memory.dmp

memory/2264-1-0x00000000002D0000-0x000000000030E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab4B26.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar4BB5.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3144ed9c535c8bd45da7998a371cfca1
SHA1 08858fc917f748c4b5b98e6a3a05f1ac00f136ac
SHA256 02023c4c819a93adefbbd1aded5821f403ee607b60e4041b2b105bfa75b884f4
SHA512 305f347d211fd0bdd930a5b644996fc227a95f37fe8a6d22a3f332bb8afc43988e8c2dc399350789966e0b87ff5fd04331ababee07648d4dc6e43b5c19f11ede

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 13:44
Reported: 2024-01-05 09:58
Platform: win10v2004-20231222-en
Max time kernel: 80s
Max time network: 133s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3883bba6d366e73e63226f1e842b44e5.dll

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3883bba6d366e73e63226f1e842b44e5.dll

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            17.53.126.40.in-addr.arpa     udp
US       8.8.8.8:53            194.178.17.96.in-addr.arpa    udp
US       8.8.8.8:53            g.bing.com                    udp
US       204.79.197.200:443    g.bing.com                    tcp
US       8.8.8.8:53            158.240.127.40.in-addr.arpa   udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53            241.154.82.20.in-addr.arpa    udp
US       8.8.8.8:53            88.156.103.20.in-addr.arpa    udp
US       8.8.8.8:53            195.233.44.23.in-addr.arpa    udp
US       8.8.8.8:53            79.121.231.20.in-addr.arpa    udp
US       52.8.202.218:443      N/A                           tcp
US       8.8.8.8:53            86.23.85.13.in-addr.arpa      udp
GB       96.16.110.114:80      N/A                           tcp
US       8.8.8.8:53            N/A                           udp
N/A      20.166.126.56:443     N/A                           tcp
US       8.8.8.8:53            N/A                           udp
US       8.8.8.8:53            N/A                           udp
US       8.8.8.8:53            N/A                           udp
N/A      92.123.241.104:80     N/A                           tcp
US       8.8.8.8:53            N/A                           udp
N/A      54.185.61.176:443     N/A                           tcp
N/A      92.123.241.104:80     N/A                           tcp
US       8.8.8.8:53            N/A                           udp
US       8.8.8.8:53            N/A                           udp
N/A      20.166.126.56:443     N/A                           tcp
US       8.8.8.8:53            N/A                           udp
US       8.8.8.8:53            N/A                           udp
N/A      20.54.110.119:443     N/A                           tcp
US       8.8.8.8:53            N/A                           udp
N/A      20.166.126.56:443     N/A                           tcp
US       8.8.8.8:53            N/A                           udp
N/A      88.221.134.18:80      N/A                           tcp
US       8.8.8.8:53            N/A                           udp
N/A      88.221.134.18:80      N/A                           tcp
N/A      88.221.134.18:80      N/A                           tcp
N/A      88.221.134.18:80      N/A                           tcp
N/A      88.221.134.18:80      N/A                           tcp
US       8.8.8.8:53            N/A                           udp
US       8.8.8.8:53            N/A                           udp
N/A      23.44.234.16:80       N/A                           tcp
N/A      96.17.178.174:80      N/A                           tcp
N/A      96.17.178.174:80      N/A                           tcp
N/A      96.17.178.174:80      N/A                           tcp
US       8.8.8.8:53            N/A                           udp
US       8.8.8.8:53            N/A                           udp
N/A      88.221.134.32:80      N/A                           tcp
N/A      88.221.134.18:80      N/A                           tcp
N/A      88.221.134.18:80      N/A                           tcp
N/A      96.17.178.174:80      N/A                           tcp
US       8.8.8.8:53            N/A                           udp
US       8.8.8.8:53            N/A                           udp
N/A      88.221.134.32:80      N/A                           tcp
N/A      88.221.134.32:80      N/A                           tcp
N/A      88.221.134.18:80      N/A                           tcp
N/A      88.221.134.32:80      N/A                           tcp
N/A      88.221.134.18:80      N/A                           tcp
N/A      88.221.134.18:80      N/A                           tcp
N/A      88.221.134.18:80      N/A                           tcp
N/A      96.17.178.174:80      N/A                           tcp
N/A      96.17.178.174:80      N/A                           tcp
N/A      96.17.178.174:80      N/A                           tcp
N/A      45.148.120.206:443    N/A                           tcp
N/A      88.221.134.32:80      N/A                           tcp
N/A      88.221.134.32:80      N/A                           tcp
N/A      88.221.134.32:80      N/A                           tcp
N/A      88.221.134.32:80      N/A                           tcp
N/A      88.221.134.32:80      N/A                           tcp
N/A      45.153.240.189:443    N/A                           tcp
US       8.8.8.8:53            N/A                           udp
GB       96.17.178.194:80      N/A                           tcp
GB       96.17.178.194:80      N/A                           tcp
GB       96.17.178.194:80      N/A                           tcp
US       8.8.8.8:53            N/A                           udp
N/A      20.223.35.26:443      N/A                           tcp
US       8.8.8.8:53            N/A                           udp
N/A      88.221.134.17:80      N/A                           tcp
US       8.8.8.8:53            N/A                           udp
N/A      88.221.134.17:80      N/A                           tcp
N/A      88.221.134.17:80      N/A                           tcp
N/A      88.221.134.17:80      N/A                           tcp
N/A      88.221.134.17:80      N/A                           tcp
N/A      88.221.134.17:80      N/A                           tcp
N/A      88.221.134.17:80      N/A                           tcp

Files

memory/2400-0-0x00000000015F0000-0x000000000162E000-memory.dmp

memory/2400-1-0x00000000015F0000-0x000000000162E000-memory.dmp