bazarloader | 9a28953b692d27b8874674c0750f1308043700bd28e25d4b8985c25e19294a91

Analysis

max time kernel
105s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 19:38

Target

9a28953b692d27b8874674c0750f1308043700bd28e25d4b8985c25e19294a91.dll
Size

538KB
MD5

8043b149f5d8cfa726988270788421e0
SHA1

e02f8cb694a25e33d265a27f6b407aeef7d0115f
SHA256

9a28953b692d27b8874674c0750f1308043700bd28e25d4b8985c25e19294a91
SHA512

161e38656415b8724100449e66ac33d22009f01ba565f16bcf3465b4d82a1a0dde2241c3e6615fcbbdd9ba89a83e0f192c6669acf964454e0a65dc9e85613dff
SSDEEP

12288:iJauNk3uCZ50K0oyeJL+ZjoVRWyh3ibZKNgPAhtxxA:iQV+JK0oyeJL+ZjkwyhybsNkAE

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Bazarloader family
bazarloader

Bazar/Team9 Loader payload 2 IoCs

resource	yara_rule
behavioral2/memory/3124-0-0x0000021097C00000-0x0000021097C2A000-memory.dmp	BazarLoaderVar5
behavioral2/memory/3124-1-0x0000021097C00000-0x0000021097C2A000-memory.dmp	BazarLoaderVar5

Blocklisted process makes network request 10 IoCs

Tries to connect to .bazar domain 3 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a28953b692d27b8874674c0750f1308043700bd28e25d4b8985c25e19294a91.dll,#1
1⤵
- Blocklisted process makes network request
PID:3124

memory/3124-0-0x0000021097C00000-0x0000021097C2A000-memory.dmp

Filesize
168KB

Download
memory/3124-1-0x0000021097C00000-0x0000021097C2A000-memory.dmp

Filesize
168KB

Download