bazarloader | e36d3891436038b678aae50859a8bca3c50989deea07b8776c3927e76ad57c1d

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 22:11

Target

f20af1991721941a6712a07cfb2a81be_JaffaCakes118.dll
Size

536KB
MD5

f20af1991721941a6712a07cfb2a81be
SHA1

a134fcd514bb5cfbe9e98b9cfe28f3e02b9a28cf
SHA256

e36d3891436038b678aae50859a8bca3c50989deea07b8776c3927e76ad57c1d
SHA512

a8e248af9bcd8d427806d9ecc4e165ff34d0f8866f273e6b0bdd5bffcf1269a503880d94c6c3827ef762499899345405b13f6128c6d4eef8fdba6c7ef205480c
SSDEEP

12288:FRFZrKEx0B559K5mYneuZ3ot3Ufc1zg6o1HZmfFd:FHZFK3K5mYneuZ3Mv1zg6o1HEtd

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2240-0-0x000001956D1D0000-0x000001956D1FA000-memory.dmp	BazarLoaderVar5
behavioral2/memory/2240-1-0x000001956D1D0000-0x000001956D1FA000-memory.dmp	BazarLoaderVar5

Blocklisted process makes network request 16 IoCs

Processes:

rundll32.exe

Tries to connect to .bazar domain 8 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

Unexpected DNS network traffic destination 8 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f20af1991721941a6712a07cfb2a81be_JaffaCakes118.dll,#1
1⤵
- Blocklisted process makes network request
PID:2240

memory/2240-0-0x000001956D1D0000-0x000001956D1FA000-memory.dmp

Filesize
168KB

Download
memory/2240-1-0x000001956D1D0000-0x000001956D1FA000-memory.dmp

Filesize
168KB

Download