bazarloader | 50bb137dc5dc91ece4a31d01787c0db3361853f2e7b559ff731c05d102bec0ca

Sharing

Copy URL

Twitter E-mail

General

Target

50bb137dc5dc91ece4a31d01787c0db3361853f2e7b559ff731c05d102bec0ca
Size

1014KB
Sample

240627-ngzqeaydla
MD5

ba13f98a1f19d7b6d10e243cc76d532c
SHA1

6383da469d8152b1de367eb7c50aae6d31468134
SHA256

50bb137dc5dc91ece4a31d01787c0db3361853f2e7b559ff731c05d102bec0ca
SHA512

beaa6d66bb12bad6342721131118bae630ba3524355c6579dc66c56b2f5b2571da1a51034ecbb1b50fd2a61e90aec5ff73b679b03b681d7b3b06df4407c35155
SSDEEP

24576:/ZPjc72nqQtrFX6jzET6HQ1TM4+gCc1dQf9sa:9g8FX6fjw1g4CcjQf9B

Score

10^/10

Malware Config

Extracted

Family

bazarloader

vacationinsydney2021.bazar

bestsightsofwildaustralia.bazar

sydneynewtours.bazar

Extracted

Language

xlm4.0

Source

Extracted

Family

cobaltstrike

http://217.12.218.46:80/YPbR

Attributes

user_agent
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Targets

- Target
  
  ProgramData/huqvg/huqvg.exe
- Size
  
  236KB
- MD5
  
  efa4b2e7d7016a1f80efff5840de3a18
- SHA1
  
  04606786daa6313867c7ada1f0c9c925d9b602fb
- SHA256
  
  291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b
- SHA512
  
  11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced
- SSDEEP
  
  6144:NgsO6Xkm0RsQNCR/JG+z5nLGcKYp05dMgSsXMH7/wrtKHRAwrcKxN:7GRsQ6RLhLGO05dMgrXwTKtKxA5w
Score

10^/10

bazarloader dropper loader persistence
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
  loader dropper bazarloader
- Bazar/Team9 Loader payload
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2
- Target
  
  Users/Public/4123.do1
- Size
  
  48KB
- MD5
  
  f776deb4df137b37dcae5406c8f3a07a
- SHA1
  
  f6a31b594fca39c118927405fa4d14353b8fd49a
- SHA256
  
  93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e
- SHA512
  
  4077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2
- SSDEEP
  
  768:fw2jnhaqqUgQeONXr27iLAkfP69FyfQZWBS:hjnEQeON727CA2G
Score

10^/10

nloader loader
- Nloader
  Simple loader that includes the keyword 'campo' in the URL used to download other families.
  loader nloader
- Nloader payload
behavioral3 behavioral4
- Target
  
  Users/Public/4123.xlsb
- Size
  
  64KB
- MD5
  
  c87e1dee1275fed1f7ee813b97ccb17b
- SHA1
  
  e8313978e3c0dff6355b843cd470949c719032c6
- SHA256
  
  92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d
- SHA512
  
  2d2177413ed0767651789363c2b952ff8fba26de6ebb84a6390af6bc87927577bedf08b802f5bd6e937e7462bddbd707100108ccf6ef4f39ded65bdcb8b40f35
- SSDEEP
  
  768:Kd81NhZWv6hY64cvRPFE4lHH+noDBF6ZSI242gfQNi:C811WvZ8RiKewBUZPlfsi
Score

1^/10
behavioral5 behavioral6
- Target
  
  Users/wilmer.coughlin/AppData/Local/Temp/C618.tmp.dll
- Size
  
  292KB
- MD5
  
  9abf8579ed3b6e5d3d43b408509a53db
- SHA1
  
  63ee039a478e23a505bc889cc74e7693ebe51891
- SHA256
  
  cc74f7e82eb33a14ffdea343a8975d8a81be151ffcb753cb3f3be10242c8a252
- SHA512
  
  878add89cc7fc1d88f66c0704a66c202191382e4206e6e156f5bf0205d9b136d341c38686dc7d4a36615cfc45937841b30bcbc1b1036084bcce2e8501c6903ce
- SSDEEP
  
  6144:lV9H07z+CLXF0AYlHsGSD5E4Ck2oh66/px:lzHqtLyAtG0Ck2ozv
Score

10^/10

cobaltstrike backdoor trojan
- Cobaltstrike
  Detected malicious payload which is part of Cobaltstrike.
  trojan backdoor cobaltstrike
- Blocklisted process makes network request
behavioral7 behavioral8
- Target
  
  Users/wilmer.coughlin/Downloads/subscription_1617056233.xlsb
- Size
  
  177KB
- MD5
  
  1d1ba411ff36cdd1b1350341624ac008
- SHA1
  
  becdec14b92c6d67b3aa28fdbf4293dabb7b0055
- SHA256
  
  ae6dbc08e0e21b217352175f916cfd5269c4fd8d5de6bff2d0a93a366f78e8d1
- SHA512
  
  89a9df6e41300e05c71af3eb45acd7cd6c3915bc511d00cc2a420c5d3a274a704798b3e48e93ffccd7813ee2a25e96a2c1c1f4d1e84ed86c144f2e79af501ef0
- SSDEEP
  
  3072:jMozgZ9S08bSe71IeyGJE+pCm7nXEMyQuvYKrp/wR+bhzKbzvXAJ732:TgLSPB76eyGjwm75yQuvPSjwJr2
Score

10^/10

nloader loader
- Nloader
  Simple loader that includes the keyword 'campo' in the URL used to download other families.
  loader nloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Nloader payload
- Loads dropped DLL
behavioral10 behavioral9
- Target
  
  Windows/Temp/adf/anchorAsjuster_x64.exe
- Size
  
  246KB
- MD5
  
  9fbc3d560d075f33a15aa67ae74ac6ef
- SHA1
  
  a298c6f5f8902fb581a1b5b922f95b362747f9a7
- SHA256
  
  3ab8a1ee10bd1b720e1c8a8795e78cdc09fec73a6bb91526c0ccd2dc2cfbc28d
- SHA512
  
  9a931c1097f1dab9c9cdad72d4e6bfee5de0fceb42ba2abf8e0465e14a9f70398859ac04fe6f95da29f12b9141064e3bf266466c88fb5d124a3c9712f0f8226b
- SSDEEP
  
  6144:Hd4lhu6GoFmaVZtN2TsiLgTU/vvst+/VbuohslJ89:4h/xxVLgTs0Eo1
Score

1^/10
behavioral11 behavioral12
- Target
  
  Windows/Temp/adf/anchorDNS_x64.exe
- Size
  
  339KB
- MD5
  
  7160ac4abb26f0ca4c1b6dfba44f8d36
- SHA1
  
  3820ff0d04a233745c79932b77eccfe743a81d34
- SHA256
  
  9fdbd76141ec43b6867f091a2dca503edb2a85e4b98a4500611f5fe484109513
- SHA512
  
  d52fd1c50865aae16d63a1a7d00d29a2642ddece12b004cfa85e2abcfa25e178d1570aecdafaffefe4889906b81c92f2a2a7ca9032faabe73309f4ba33b70d93
- SSDEEP
  
  6144:eC1p/6YfIQrMRU+YqwQR/off22+IJdxKgpCzl2Ac:vb3oK+r/oX22Tb6zl
Score

7^/10
- Deletes itself
behavioral13 behavioral14
- Target
  
  Windows/Temp/adf/anchor_x64.exe
- Size
  
  339KB
- MD5
  
  86fefa2e8be486a49782d4d04095015e
- SHA1
  
  f29d6b5c8777028eeef161729b153b4d6e8ba28a
- SHA256
  
  a8a8c66b155fcf9bfdf34ba0aca98991440c3d34b8a597c3fdebc8da251c9634
- SHA512
  
  272c3bcd54f580a50f1601f7a6e71a02f33be93aaf975c081ea8042d50d548c9baf8b1401c15bc1fcabcc37bbc326c3ce79037a73425cfaeff58b1afd2e6b92c
- SSDEEP
  
  6144:eC1p/6YfIQrMRU+YqwQR/off22+IJdxKgpCzl2Ac:vb3oK+r/oX22Tb6zl
Score

7^/10
- Executes dropped EXE
- Loads dropped DLL
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral15 behavioral16

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Targets

Bazar Loader

Bazar/Team9 Loader payload

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Nloader

Nloader payload

Cobaltstrike

Blocklisted process makes network request

Nloader

Process spawned unexpected child process

Nloader payload

Loads dropped DLL

Deletes itself

Executes dropped EXE

Loads dropped DLL

Looks up external IP address via web service

MITRE ATT&CK Matrix ATT&CK v13

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10

behavioral11

behavioral12

behavioral13

behavioral14

behavioral15

behavioral16