Malware Analysis Report

2024-11-30 22:14

Sample ID 241121-kbhm6azphx
Target 2331fa420bee83df1248af48853a6f7748923cdae906b58c43ef8e11c6c72ca9.exe
SHA256 2331fa420bee83df1248af48853a6f7748923cdae906b58c43ef8e11c6c72ca9
Tags
bazarloader dropper loader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2331fa420bee83df1248af48853a6f7748923cdae906b58c43ef8e11c6c72ca9

Threat Level: Known bad

The file 2331fa420bee83df1248af48853a6f7748923cdae906b58c43ef8e11c6c72ca9.exe was found to be: Known bad.

Malicious Activity Summary

bazarloader dropper loader

Bazar Loader

Bazarloader family

Bazar/Team9 Loader payload

Blocklisted process makes network request

Tries to connect to .bazar domain

Unexpected DNS network traffic destination

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-11-21 08:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-21 08:25

Reported

2024-11-21 08:27

Platform

win7-20241010-en

Max time kernel

14s

Max time network

19s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2331fa420bee83df1248af48853a6f7748923cdae906b58c43ef8e11c6c72ca9.dll,#1

Signatures

Bazar Loader

loader dropper bazarloader

Bazarloader family

bazarloader

Bazar/Team9 Loader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2331fa420bee83df1248af48853a6f7748923cdae906b58c43ef8e11c6c72ca9.dll,#1

Network

N/A

Files

memory/2220-0-0x0000000000190000-0x00000000001BA000-memory.dmp

memory/2220-1-0x0000000000190000-0x00000000001BA000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-21 08:25

Reported

2024-11-21 08:27

Platform

win10v2004-20241007-en

Max time kernel

110s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2331fa420bee83df1248af48853a6f7748923cdae906b58c43ef8e11c6c72ca9.dll,#1

Signatures

Bazar Loader

loader dropper bazarloader

Bazarloader family

bazarloader

Bazar/Team9 Loader payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Tries to connect to .bazar domain

Description Indicator Process Target
N/A blackrain15.bazar N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 134.195.4.2 N/A N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\2331fa420bee83df1248af48853a6f7748923cdae906b58c43ef8e11c6c72ca9.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
DE 164.90.229.209:443 164.90.229.209 tcp
DE 164.90.229.166:443 tcp
US 8.8.8.8:53 209.229.90.164.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
DE 167.99.242.155:443 tcp
DE 164.90.237.7:443 tcp
US 134.195.4.2:53 blackrain15.bazar udp
PA 186.73.40.224:443 tcp
US 8.8.8.8:53 2.4.195.134.in-addr.arpa udp

Files

memory/808-0-0x000001B8533B0000-0x000001B8533DA000-memory.dmp

memory/808-1-0x000001B8533B0000-0x000001B8533DA000-memory.dmp