bazarloader | 9f7e4c52af1b8afcb06ca88cc726d1e4681b0f87683b04d175bb70be4363d345

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12-08-2024 10:59

Target

8e7b76532c0bb541c727861f74a0b618_JaffaCakes118.exe
Size

393KB
MD5

8e7b76532c0bb541c727861f74a0b618
SHA1

ef0d327aa5969f8ad65ddb7f605d645e3270e64a
SHA256

9f7e4c52af1b8afcb06ca88cc726d1e4681b0f87683b04d175bb70be4363d345
SHA512

0ccc658a6eb0e4a29e558ffaf800ec8c381621af057134c6b26a944c0fcf1e974a140f45305dedfd1933a3a8466a03fefede278f69bc8762cd56c28f9c28ba6e
SSDEEP

6144:e9zgMUl3ABcePxx3K0mh5eu00S4KtDXaXYc+VKT8jHnAqYhf2k8Zl6:ozgTfePvK0mzeu00S4KBaWje2W

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral1/memory/2416-0-0x00000000041E0000-0x000000000421C000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2416-4-0x0000000180000000-0x000000018003F000-memory.dmp	BazarLoaderVar4
behavioral1/memory/2416-9-0x0000000001CC0000-0x0000000001CFA000-memory.dmp	BazarLoaderVar4

Tries to connect to .bazar domain 20 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Unexpected DNS network traffic destination 28 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

C:\Users\Admin\AppData\Local\Temp\8e7b76532c0bb541c727861f74a0b618_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8e7b76532c0bb541c727861f74a0b618_JaffaCakes118.exe"
1⤵
PID:2416

memory/2416-0-0x00000000041E0000-0x000000000421C000-memory.dmp

Filesize
240KB

Download
memory/2416-4-0x0000000180000000-0x000000018003F000-memory.dmp

Filesize
252KB

Download
memory/2416-9-0x0000000001CC0000-0x0000000001CFA000-memory.dmp

Filesize
232KB

Download