bazarloader | 9d91621ca1c2a3bca8c74836bde3fbb8afbbc7c657f6630fd338fce8d8250965

Analysis

max time kernel
132s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-03-2024 04:23

Target

d52f5da10e84853f15706133e967ab6b.dll
Size

1.3MB
MD5

d52f5da10e84853f15706133e967ab6b
SHA1

e89558c040cc24b38a79e29f5b3fb8fe1e6300b9
SHA256

9d91621ca1c2a3bca8c74836bde3fbb8afbbc7c657f6630fd338fce8d8250965
SHA512

aa8a3500b4417271117a6acb3fa09485cb01a6eef1ebc9d5107a87155cfddf404139714e8ef9254c3a0076c6ca4a8a94ccd6a0c12434059b941d7b3de6569d99
SSDEEP

24576:bhCbYfOMaeAgeLut7oFGaDxcA7vw/9EYabCo:bcbYfGFBVxcA8V5aZ

Score

10^/10

Family

bazarloader

164.90.198.93

64.225.105.147

blackrain15.bazar

reddew28c.bazar

whitestorm9p.bazar

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2200-1-0x0000000180000000-0x0000000180015000-memory.dmp	BazarLoaderVar6

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exerundll32.exe

pid process

2200 regsvr32.exe
2540 rundll32.exe

pid	process
2200	regsvr32.exe
2540	rundll32.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

regsvr32.exe

description	pid	process	target process
PID 2336 wrote to memory of 2200	2336	regsvr32.exe	regsvr32.exe
PID 2336 wrote to memory of 2200	2336	regsvr32.exe	regsvr32.exe
PID 2336 wrote to memory of 2200	2336	regsvr32.exe	regsvr32.exe
PID 2336 wrote to memory of 2200	2336	regsvr32.exe	regsvr32.exe
PID 2336 wrote to memory of 2200	2336	regsvr32.exe	regsvr32.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d52f5da10e84853f15706133e967ab6b.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\d52f5da10e84853f15706133e967ab6b.dll
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2200

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\d52f5da10e84853f15706133e967ab6b.dll,DllRegisterServer {88210620-5051-410B-B20B-E04C156010F1}
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2540

memory/2200-2-0x000007FEF6790000-0x000007FEF68EF000-memory.dmp

Filesize
1.4MB

Download
memory/2200-1-0x0000000180000000-0x0000000180015000-memory.dmp

Filesize
84KB

Download
memory/2200-8-0x000007FEF6790000-0x000007FEF68EF000-memory.dmp

Filesize
1.4MB

Download
memory/2336-0-0x000007FEF6790000-0x000007FEF68EF000-memory.dmp

Filesize
1.4MB

Download
memory/2336-7-0x000007FEF6790000-0x000007FEF68EF000-memory.dmp

Filesize
1.4MB

Download