Analysis Overview
SHA256
2331fa420bee83df1248af48853a6f7748923cdae906b58c43ef8e11c6c72ca9
Threat Level: Known bad
The file 2331fa420bee83df1248af48853a6f7748923cdae906b58c43ef8e11c6c72ca9.exe was found to be: Known bad. Although listed with an .exe extension, the sample is a DLL: both behavioral runs below load it with rundll32.exe through its first ordinal export (#1).
Malicious Activity Summary
Bazar Loader
Bazarloader family
Bazar/Team9 Loader payload
Blocklisted process makes network request
Tries to connect to .bazar domain
Unexpected DNS network traffic destination
Unsigned PE
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-21 08:25
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 08:25
Reported
2024-11-21 08:27
Platform
win7-20241010-en
Max time kernel
14s
Max time network
19s
Command Line
Signatures
Bazar Loader
Bazarloader family
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2331fa420bee83df1248af48853a6f7748923cdae906b58c43ef8e11c6c72ca9.dll,#1
Network
Files
memory/2220-0-0x0000000000190000-0x00000000001BA000-memory.dmp
memory/2220-1-0x0000000000190000-0x00000000001BA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 08:25
Reported
2024-11-21 08:27
Platform
win10v2004-20241007-en
Max time kernel
110s
Max time network
120s
Command Line
Signatures
Bazar Loader
Bazarloader family
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Tries to connect to .bazar domain
| Description | Indicator | Process | Target |
| N/A | blackrain15.bazar | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 134.195.4.2 | N/A | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2331fa420bee83df1248af48853a6f7748923cdae906b58c43ef8e11c6c72ca9.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 164.90.229.209:443 | 164.90.229.209 | tcp |
| DE | 164.90.229.166:443 | | tcp |
| US | 8.8.8.8:53 | 209.229.90.164.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| DE | 167.99.242.155:443 | | tcp |
| DE | 164.90.237.7:443 | | tcp |
| US | 134.195.4.2:53 | blackrain15.bazar | udp |
| PA | 186.73.40.224:443 | | tcp |
| US | 8.8.8.8:53 | 2.4.195.134.in-addr.arpa | udp |
Files
memory/808-0-0x000001B8533B0000-0x000001B8533DA000-memory.dmp
memory/808-1-0x000001B8533B0000-0x000001B8533DA000-memory.dmp
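The three network-related signatures in behavioral2 (Blocklisted process makes network request, Tries to connect to .bazar domain, Unexpected DNS network traffic destination) and the rundll32 command line in Processes can be reproduced as plain detection logic. The following is an added example written for this page, not the sandbox's own signature code. It runs over records constructed from the behavioral2 Processes and Network tables above; the expected-resolver set (8.8.8.8, the only resolver the sandbox itself used), the list of LOLBin process names treated as "blocklisted", and the attribution of all egress to rundll32.exe (the only process in the run) are assumptions. The .bazar TLD is an EmerDNS zone that ICANN does not delegate, so a query for it can only be answered by an alternative resolver, which is why the query leaves for 134.195.4.2 instead of the configured resolver.

```python
"""Re-implementation of the report's network signatures over constructed records.

Added example for this page; not the sandbox's own code. Assumptions are
marked inline.
"""
import re
from dataclasses import dataclass

# Constructed from the behavioral2 Network table: (country, destination, domain, proto).
# Reverse-lookup (in-addr.arpa) rows are reduced to two representatives.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "98.209.201.84.in-addr.arpa", "udp"),
    ("DE", "164.90.229.209:443", "164.90.229.209", "tcp"),
    ("DE", "164.90.229.166:443", "", "tcp"),
    ("DE", "167.99.242.155:443", "", "tcp"),
    ("DE", "164.90.237.7:443", "", "tcp"),
    ("US", "134.195.4.2:53", "blackrain15.bazar", "udp"),
    ("PA", "186.73.40.224:443", "", "tcp"),
    ("US", "8.8.8.8:53", "2.4.195.134.in-addr.arpa", "udp"),
]

# Copied from the behavioral2 Processes entry.
PROCESS_CMDLINE = (
    r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
    r"\2331fa420bee83df1248af48853a6f7748923cdae906b58c43ef8e11c6c72ca9.dll,#1"
)

# Assumption: the resolver the analysis VM is configured to use.
EXPECTED_RESOLVERS = {"8.8.8.8"}
# EmerDNS zones, which no ICANN resolver will answer; .bazar is the one on this page.
NON_ICANN_TLDS = {"bazar", "coin", "emc", "lib"}
# Assumption: the "blocklisted" processes for the egress signature.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe"}

RUNDLL32_RE = re.compile(r"(?i)(^|\\)rundll32(\.exe)?$")
USER_WRITABLE_RE = re.compile(r"(?i)\\(AppData\\Local\\Temp|Downloads|Public)\\")


@dataclass(frozen=True)
class Finding:
    signature: str
    indicator: str


def flag_dns_rows(rows, expected_resolvers=EXPECTED_RESOLVERS):
    """'Tries to connect to .<tld> domain' and 'Unexpected DNS network traffic destination'."""
    findings = []
    for _country, dest, domain, proto in rows:
        host, _, port = dest.rpartition(":")
        if port != "53" or proto != "udp":
            continue  # only DNS rows matter here
        tld = domain.rsplit(".", 1)[-1].lower() if domain else ""
        if tld in NON_ICANN_TLDS:
            findings.append(Finding(f"Tries to connect to .{tld} domain", domain))
        if host not in expected_resolvers:
            findings.append(Finding("Unexpected DNS network traffic destination", host))
    return findings


def flag_rundll32(cmdline):
    """Flag rundll32 loading a DLL from a user-writable path or by ordinal export."""
    parts = cmdline.split(None, 1)
    if len(parts) != 2 or not RUNDLL32_RE.search(parts[0]):
        return None
    dll, _, export = parts[1].strip('"').partition(",")
    reasons = []
    if USER_WRITABLE_RE.search(dll):
        reasons.append("DLL in user-writable path")
    if export.startswith("#"):
        reasons.append("export called by ordinal")
    if not reasons:
        return None
    return Finding("Suspicious rundll32 load: " + ", ".join(reasons), cmdline)


def flag_lolbin_egress(process_image, rows):
    """'Blocklisted process makes network request': non-DNS egress attributed to a LOLBin."""
    name = process_image.rsplit("\\", 1)[-1].lower()
    if name not in LOLBINS:
        return []
    return [
        Finding("Blocklisted process makes network request", f"{name} -> {dest}/{proto}")
        for _country, dest, _domain, proto in rows
        if not dest.endswith(":53")
    ]


if __name__ == "__main__":
    for f in flag_dns_rows(NETWORK_ROWS):
        print(f)
    print(flag_rundll32(PROCESS_CMDLINE))
    for f in flag_lolbin_egress(r"C:\Windows\system32\rundll32.exe", NETWORK_ROWS):
        print(f)
```

The DNS check keys on the destination resolver rather than on the domain alone: a query for a .bazar name sent to a resolver that cannot answer it is still a strong indicator, and a query to an unexpected resolver is worth an alert even when the name looks benign. The rundll32 check fires on either of two properties the Processes entry shows (a DLL under AppData\Local\Temp, an export called by ordinal) and stays silent on ordinary system usage such as shell32.dll,Control_RunDLL.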