Analysis Overview
SHA256
4e4c7f6c2c9c7b4d73b73b38132dc9972c7d1492d628fe5d4ffb9b105ac84799
Threat Level: Known bad
The file 3883bba6d366e73e63226f1e842b44e5 was found to be: Known bad.
Malicious Activity Summary
Bazar Loader
Bazar/Team9 Loader payload
Tries to connect to .bazar domain
Unexpected DNS network traffic destination
Looks up external IP address via web service
Unsigned PE
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-31 13:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 13:44
Reported
2024-01-05 09:44
Platform
win7-20231215-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Bazar Loader
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Tries to connect to .bazar domain
| Description | Indicator | Process | Target |
| N/A | greencloud46a.bazar | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 195.10.195.195 | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| HTTP URL | https://api.opennicproject.org/geoip/?bare&ipv=4 | N/A | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3883bba6d366e73e63226f1e842b44e5.dll
Network
| Country | Destination | Domain | Proto |
| US | 52.8.202.218:443 | tcp | |
| US | 52.8.202.218:443 | tcp | |
| US | 54.185.61.176:443 | tcp | |
| US | 54.185.61.176:443 | tcp | |
| NL | 45.148.120.206:443 | tcp | |
| NL | 45.148.120.206:443 | tcp | |
| DE | 45.153.240.189:443 | tcp | |
| DE | 45.153.240.189:443 | tcp | |
| US | 8.8.8.8:53 | api.opennicproject.org | udp |
| DE | 116.203.98.109:443 | api.opennicproject.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| DE | 195.10.195.195:53 | greencloud46a.bazar | udp |
| PA | 186.73.40.224:443 | tcp |
Files
memory/2264-0-0x00000000002D0000-0x000000000030E000-memory.dmp
memory/2264-1-0x00000000002D0000-0x000000000030E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab4B26.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar4BB5.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3144ed9c535c8bd45da7998a371cfca1 |
| SHA1 | 08858fc917f748c4b5b98e6a3a05f1ac00f136ac |
| SHA256 | 02023c4c819a93adefbbd1aded5821f403ee607b60e4041b2b105bfa75b884f4 |
| SHA512 | 305f347d211fd0bdd930a5b644996fc227a95f37fe8a6d22a3f332bb8afc43988e8c2dc399350789966e0b87ff5fd04331ababee07648d4dc6e43b5c19f11ede |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 13:44
Reported
2024-01-05 09:58
Platform
win10v2004-20231222-en
Max time kernel
80s
Max time network
133s
Command Line
Signatures
Bazar Loader
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3883bba6d366e73e63226f1e842b44e5.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 52.8.202.218:443 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.166.126.56:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 92.123.241.104:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 54.185.61.176:443 | tcp | |
| N/A | 92.123.241.104:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.166.126.56:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.54.110.119:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.166.126.56:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 88.221.134.18:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 88.221.134.18:80 | tcp | |
| N/A | 88.221.134.18:80 | tcp | |
| N/A | 88.221.134.18:80 | tcp | |
| N/A | 88.221.134.18:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 23.44.234.16:80 | tcp | |
| N/A | 96.17.178.174:80 | tcp | |
| N/A | 96.17.178.174:80 | tcp | |
| N/A | 96.17.178.174:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 88.221.134.32:80 | tcp | |
| N/A | 88.221.134.18:80 | tcp | |
| N/A | 88.221.134.18:80 | tcp | |
| N/A | 96.17.178.174:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 88.221.134.32:80 | tcp | |
| N/A | 88.221.134.32:80 | tcp | |
| N/A | 88.221.134.18:80 | tcp | |
| N/A | 88.221.134.32:80 | tcp | |
| N/A | 88.221.134.18:80 | tcp | |
| N/A | 88.221.134.18:80 | tcp | |
| N/A | 88.221.134.18:80 | tcp | |
| N/A | 96.17.178.174:80 | tcp | |
| N/A | 96.17.178.174:80 | tcp | |
| N/A | 96.17.178.174:80 | tcp | |
| N/A | 45.148.120.206:443 | tcp | |
| N/A | 88.221.134.32:80 | tcp | |
| N/A | 88.221.134.32:80 | tcp | |
| N/A | 88.221.134.32:80 | tcp | |
| N/A | 88.221.134.32:80 | tcp | |
| N/A | 88.221.134.32:80 | tcp | |
| N/A | 45.153.240.189:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.194:80 | tcp | |
| GB | 96.17.178.194:80 | tcp | |
| GB | 96.17.178.194:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.223.35.26:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 88.221.134.17:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 88.221.134.17:80 | tcp | |
| N/A | 88.221.134.17:80 | tcp | |
| N/A | 88.221.134.17:80 | tcp | |
| N/A | 88.221.134.17:80 | tcp | |
| N/A | 88.221.134.17:80 | tcp | |
| N/A | 88.221.134.17:80 | tcp |
Files
memory/2400-0-0x00000000015F0000-0x000000000162E000-memory.dmp
memory/2400-1-0x00000000015F0000-0x000000000162E000-memory.dmp