bazarloader | 878042c415ec1cb62d14e8b0f79fce6838e0813790546f7dd20eae65e9b9c8a2

Analysis

max time kernel
122s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-04-2024 05:38

Target

1.dll
Size

363KB
MD5

7162fdf107c2d36f99c59d5435a4d399
SHA1

b4ffeac7e7b25409b709377430dfe8821ca21e6e
SHA256

1f9f8cf325ff2de752478ff0623086019ebd1ffbce1d1c2f60e0b70149279f10
SHA512

4098f01ba4da3742e96a70cf2478c26d8a24db1c97b048d27c40cb4f28c221c180ae356536b5bda41d9d041aa029dc951a90cd7fa038a5a7bc4c4d27a7fa95f8
SSDEEP

6144:RM8CPvvwq0YslcteDNCfgQ/Fkp8HuubxwHdy/6E6OuUNkTf:kvvwTYslTMIQQubxTNkD

Score

10^/10

Family

bazarloader

167.172.108.158

64.227.66.10

134.209.91.22

167.172.108.213

blackrain15.bazar

reddew28c.bazar

bluehail.bazar

whitestorm9p.bazar

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 1524	2184	rundll32.exe	30
PID 2184 wrote to memory of 1524	2184	rundll32.exe	30
PID 2184 wrote to memory of 1524	2184	rundll32.exe	30
PID 1524 wrote to memory of 864	1524	cmd.exe	32
PID 1524 wrote to memory of 864	1524	cmd.exe	32
PID 1524 wrote to memory of 864	1524	cmd.exe	32
PID 1524 wrote to memory of 2664	1524	cmd.exe	33
PID 1524 wrote to memory of 2664	1524	cmd.exe	33
PID 1524 wrote to memory of 2664	1524	cmd.exe	33

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\system32\cmd.exe
  cmd /c choice /n /c y /d y /t 5 & "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\1.dll", #1 wdtbkqfe koorgsfd & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\system32\choice.exe
    choice /n /c y /d y /t 5
    3⤵
    PID:864
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\1.dll", #1 wdtbkqfe koorgsfd
    3⤵
    PID:2664

memory/2184-0-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2184-1-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2184-2-0x0000000000120000-0x000000000013F000-memory.dmp

Filesize
124KB

Download
memory/2664-3-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download
memory/2664-4-0x00000000002A0000-0x00000000002BF000-memory.dmp

Filesize
124KB

Download