bazarloader | b6d4e8dcff91e58906943d58827e88c5373b61b5baa6cc8d9245c02b02b2eef4

Analysis

max time kernel
118s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 17:30

Target

b6d4e8dcff91e58906943d58827e88c5373b61b5baa6cc8d9245c02b02b2eef4N.dll
Size

825KB
MD5

c8fc52e18c7e89b622df27c9ca8bf300
SHA1

4355e5d2af4a49b003b623d0ff05db559fe9f01d
SHA256

b6d4e8dcff91e58906943d58827e88c5373b61b5baa6cc8d9245c02b02b2eef4
SHA512

edfbe480559c91e7813985c702fd004a09d22c8636bce697f8faa0955eaeb4fd2b89019216f3fff7d4a982744a785f475e52b66c9e3cd0db3ffdc1bc55dfa928
SSDEEP

12288:NafGVgqM7aafQIbyhxi5zhRSAofMvG9VWTY3DdWyS5EPGE:NafGVJwyAq+hfgAG9VWGdWyIE

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Bazarloader family
bazarloader

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral2/memory/644-0-0x0000000180000000-0x0000000180030000-memory.dmp	BazarLoaderVar5
behavioral2/memory/644-1-0x0000000180000000-0x0000000180030000-memory.dmp	BazarLoaderVar5
behavioral2/memory/644-2-0x0000000180000000-0x0000000180030000-memory.dmp	BazarLoaderVar5

Tries to connect to .bazar domain 5 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Unexpected DNS network traffic destination 5 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b6d4e8dcff91e58906943d58827e88c5373b61b5baa6cc8d9245c02b02b2eef4N.dll
1⤵
PID:644

memory/644-0-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/644-1-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/644-2-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download