Malware Analysis Report

2024-10-19 02:59

Sample ID 240106-q45laahehr
Target 4663bba7172a24a9a46a1e2b8d1ed0df
SHA256 a314401b8e12130bea249a3734022a8ebd46b8e65b18535db60944a00e84e6f6
Tags
bazarloader dropper loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a314401b8e12130bea249a3734022a8ebd46b8e65b18535db60944a00e84e6f6

Threat Level: Known bad

The file 4663bba7172a24a9a46a1e2b8d1ed0df was found to be: Known bad.

Malicious Activity Summary

bazarloader dropper loader

Bazar Loader

Bazar/Team9 Loader payload

Blocklisted process makes network request

Tries to connect to .bazar domain

Unexpected DNS network traffic destination

Looks up external IP address via web service

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-01-06 13:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
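The "Unsigned PE" signature means the sample carries no Authenticode blob at all: the security data directory (slot 4 of the optional header) is empty. The following is an added example, not part of the report or of any sandbox's code, that checks for exactly that with a header-only PE parser. `build_pe` constructs a synthetic headers-only PE32+ image so the check runs offline; every constant used is from the PE/COFF spec, and the placeholder certificate body is not real DER.

```python
import struct

IMAGE_FILE_DLL = 0x2000              # Characteristics flag: image is a DLL
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # data directory slot for the Authenticode blob
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def parse_pe(data: bytes) -> dict:
    """Read just enough of the PE headers to locate the security directory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    _, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    sec_off, sec_size = 0, 0
    entry = opt + dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY and entry + 8 <= opt + opt_size:
        # Unlike every other directory, the security entry holds a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from("<II", data, entry)
    return {"is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "pe32plus": magic == 0x20B,
            "security_offset": sec_off,
            "security_size": sec_size}


def has_authenticode_blob(data: bytes) -> bool:
    """True if the file carries a WIN_CERTIFICATE of type PKCS#7 SignedData.

    This is what an "Unsigned PE" verdict checks for. It does not validate the
    signature; a present blob can still be expired, revoked, or forged.
    """
    hdr = parse_pe(data)
    off, size = hdr["security_offset"], hdr["security_size"]
    if size < 8 or off + size > len(data):
        return False
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    return length <= size and cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA


def build_pe(is_dll: bool, with_cert: bool) -> bytes:
    """Constructed, headers-only PE32+ image for exercising the parser (not a real binary)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 112 + 16 * 8                                               # PE32+ header + 16 directories
    characteristics = 0x0022 | (IMAGE_FILE_DLL if is_dll else 0)          # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, characteristics)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    headers_len = len(dos) + 4 + len(coff) + opt_size
    dirs = [(0, 0)] * 16
    cert = b""
    if with_cert:
        body = b"\x30\x82" + b"\0" * 30   # placeholder bytes standing in for DER SignedData
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (headers_len, len(cert))
    dir_bytes = b"".join(struct.pack("<II", off, size) for off, size in dirs)
    return dos + b"PE\0\0" + coff + opt + dir_bytes + cert


def verdict(data: bytes) -> str:
    """Short label in the style of the report's signature, e.g. 'unsigned DLL'."""
    hdr = parse_pe(data)
    kind = "DLL" if hdr["is_dll"] else "EXE"
    return f"{'signed' if has_authenticode_blob(data) else 'unsigned'} {kind}"


if __name__ == "__main__":
    print(verdict(build_pe(is_dll=True, with_cert=False)))   # matches this sample: unsigned DLL
    print(verdict(build_pe(is_dll=False, with_cert=True)))
```

Presence of the blob is only the first question. A real triage pipeline should then verify the PKCS#7 chain and the image hash it covers (signtool, Get-AuthenticodeSignature, or osslsigncode), because a tampered or truncated signature still reports as "present" here. Note also that rundll32 does not enforce signing at all, so "unsigned" is a hunting signal, not a control.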

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-06 13:49

Reported

2024-01-06 13:52

Platform

win7-20231129-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4663bba7172a24a9a46a1e2b8d1ed0df.dll,#1

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4663bba7172a24a9a46a1e2b8d1ed0df.dll,#1

Network

Country Destination Domain Proto
US 195.123.233.106:443 - tcp
US 195.123.233.106:443 - tcp
GB 198.244.169.192:443 - tcp
GB 198.244.169.192:443 - tcp
US 198.46.198.114:443 - tcp
US 198.46.198.114:443 - tcp
US 45.142.158.120:443 - tcp
US 8.8.8.8:53 www.microsoft.com udp

Files

memory/2868-0-0x0000000000170000-0x00000000001AC000-memory.dmp

memory/2868-1-0x0000000000170000-0x00000000001AC000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-06 13:49

Reported

2024-01-06 13:52

Platform

win10v2004-20231215-en

Max time kernel

153s

Max time network

171s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4663bba7172a24a9a46a1e2b8d1ed0df.dll,#1

Signatures

Bazar Loader

loader dropper bazarloader

Bazar/Team9 Loader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Tries to connect to .bazar domain

Description Indicator Process Target
N/A greencloud46a.bazar N/A N/A
N/A greencloud46a.bazar N/A N/A
N/A yellowdownpour81.bazar N/A N/A
N/A yellowdownpour81.bazar N/A N/A
N/A greencloud46a.bazar N/A N/A
N/A greencloud46a.bazar N/A N/A
N/A whitestorm9p.bazar N/A N/A
N/A whitestorm9p.bazar N/A N/A
N/A greencloud46a.bazar N/A N/A
N/A greencloud46a.bazar N/A N/A
N/A yellowdownpour81.bazar N/A N/A
N/A yellowdownpour81.bazar N/A N/A
N/A yellowdownpour81.bazar N/A N/A
N/A greencloud46a.bazar N/A N/A
N/A yellowdownpour81.bazar N/A N/A
N/A yellowdownpour81.bazar N/A N/A
N/A yellowdownpour81.bazar N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 94.16.114.254 N/A N/A
Destination IP 194.36.144.87 N/A N/A
Destination IP 195.10.195.195 N/A N/A
Destination IP 94.16.114.254 N/A N/A
Destination IP 198.50.135.212 N/A N/A
Destination IP 91.217.137.37 N/A N/A
Destination IP 195.10.195.195 N/A N/A
Destination IP 195.10.195.195 N/A N/A
Destination IP 94.16.114.254 N/A N/A
Destination IP 194.36.144.87 N/A N/A
Destination IP 172.98.193.62 N/A N/A
Destination IP 91.217.137.37 N/A N/A
Destination IP 217.160.188.24 N/A N/A
Destination IP 172.98.193.62 N/A N/A
Destination IP 194.36.144.87 N/A N/A
Destination IP 198.50.135.212 N/A N/A
Destination IP 217.160.188.24 N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
HTTP URL https://api.opennicproject.org/geoip/?bare&ipv=4 N/A N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\4663bba7172a24a9a46a1e2b8d1ed0df.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 195.123.233.106:443 - tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
GB 198.244.169.192:443 - tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 198.46.198.114:443 - tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 45.142.158.120:443 45.142.158.120 tcp
US 8.8.8.8:53 api.opennicproject.org udp
DE 116.203.98.109:443 api.opennicproject.org tcp
US 8.8.8.8:53 120.158.142.45.in-addr.arpa udp
DE 195.10.195.195:53 greencloud46a.bazar udp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 109.98.203.116.in-addr.arpa udp
US 8.8.8.8:53 193.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 195.195.10.195.in-addr.arpa udp
DE 194.36.144.87:53 greencloud46a.bazar udp
RU 91.217.137.37:53 greencloud46a.bazar udp
US 8.8.8.8:53 37.137.217.91.in-addr.arpa udp
US 8.8.8.8:53 87.144.36.194.in-addr.arpa udp
DE 217.160.188.24:53 greencloud46a.bazar udp
US 172.98.193.62:53 greencloud46a.bazar udp
CA 198.50.135.212:53 greencloud46a.bazar udp
US 8.8.8.8:53 62.193.98.172.in-addr.arpa udp
US 8.8.8.8:53 24.188.160.217.in-addr.arpa udp
DE 94.16.114.254:53 greencloud46a.bazar udp
PA 186.73.40.224:443 - tcp
US 8.8.8.8:53 212.135.50.198.in-addr.arpa udp
US 8.8.8.8:53 254.114.16.94.in-addr.arpa udp
DE 195.10.195.195:53 whitestorm9p.bazar udp
DE 194.36.144.87:53 whitestorm9p.bazar udp
PA 186.73.40.224:443 - tcp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
DE 195.10.195.195:53 yellowdownpour81.bazar udp
DE 194.36.144.87:53 yellowdownpour81.bazar udp
RU 91.217.137.37:53 yellowdownpour81.bazar udp
DE 217.160.188.24:53 yellowdownpour81.bazar udp
US 172.98.193.62:53 yellowdownpour81.bazar udp
CA 198.50.135.212:53 yellowdownpour81.bazar udp
DE 94.16.114.254:53 yellowdownpour81.bazar udp
DE 94.16.114.254:53 yellowdownpour81.bazar udp
PA 186.73.40.224:443 - tcp
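The three network signatures in this run fit together: `.bazar` is not an ICANN TLD but an EmerDNS (Emercoin blockchain) name, so the loader cannot resolve its C2 names through the sandbox's resolver (8.8.8.8, which handles every ordinary lookup above). It first fetches its own external address from api.opennicproject.org, then sends the same `.bazar` queries directly to a list of OpenNIC/EmerDNS-aware resolvers on port 53, which is what shows up as "Unexpected DNS network traffic destination". The following is an added example, not part of the report, of detection logic that recovers those findings from rows in the format of the table above (and from a firewall or Zeek `conn`/`dns` export after a trivial remap). The sample log is a constructed subset of this page's table; the alt-root TLD list and the external-IP service list are assumptions to be extended locally.

```python
import ipaddress

# Constructed for this example. .bazar is an EmerDNS TLD; .emc/.coin/.lib are its siblings,
# .bit is Namecoin. None resolve through the ICANN root.
ALT_ROOT_TLDS = {"bazar", "emc", "coin", "lib", "bit"}
# Constructed list of public "what is my IP" endpoints; the first is the one seen in this report.
EXTERNAL_IP_SERVICES = {"api.opennicproject.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}

# Constructed subset of the behavioral2 network table on this page.
SAMPLE_LOG = """\
US 8.8.8.8:53 www.microsoft.com udp
US 195.123.233.106:443 - tcp
US 8.8.8.8:53 api.opennicproject.org udp
DE 116.203.98.109:443 api.opennicproject.org tcp
DE 195.10.195.195:53 greencloud46a.bazar udp
RU 91.217.137.37:53 greencloud46a.bazar udp
US 172.98.193.62:53 yellowdownpour81.bazar udp
US 45.142.158.120:443 45.142.158.120 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_row(line: str):
    """Parse 'CC ip:port [domain] proto'; a '-' or missing domain means no name for the flow."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = ""
    else:
        return None
    ip, _, port = dest.rpartition(":")
    if domain == "-":
        domain = ""
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain.lower(), "proto": proto.lower()}


def triage_network(log_text: str, sanctioned_resolvers: set) -> dict:
    """Return sets of indicators per finding type for a block of network rows."""
    findings = {"unexpected_dns_dest": set(), "alt_root_lookups": set(),
                "external_ip_lookup": set(), "direct_ip_tls": set()}
    for line in log_text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        # DNS sent anywhere but the resolvers the host is configured to use.
        if row["port"] == 53 and row["proto"] == "udp" and row["ip"] not in sanctioned_resolvers:
            findings["unexpected_dns_dest"].add(row["ip"])
        # Query names under a blockchain/alt-root TLD cannot be legitimate corporate traffic.
        if row["domain"].rpartition(".")[2] in ALT_ROOT_TLDS:
            findings["alt_root_lookups"].add(row["domain"])
        if row["domain"] in EXTERNAL_IP_SERVICES:
            findings["external_ip_lookup"].add(row["domain"])
        # TLS straight to an address with no name ever resolved for it (or the name *is* the IP).
        if row["port"] == 443 and row["proto"] == "tcp" and (not row["domain"] or _is_ip(row["domain"])):
            findings["direct_ip_tls"].add(row["ip"])
    return findings


if __name__ == "__main__":
    for kind, hits in triage_network(SAMPLE_LOG, {"8.8.8.8"}).items():
        print(f"{kind:22s} {sorted(hits)}")
```

On a production network the sanctioned-resolver set is your own DNS servers, and the "unexpected DNS destination" rule alone catches this family even if the `.bazar` names change, because the host has no business speaking DNS to arbitrary Internet hosts on port 53; blocking outbound 53 at the edge except from the resolvers removes the capability outright.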

Files

memory/3204-0-0x0000022D8A330000-0x0000022D8A36C000-memory.dmp

memory/3204-1-0x0000022D8A330000-0x0000022D8A36C000-memory.dmp