bazarloader | 1c582548950d5bd2ed2d5e2b6db39f8b7f078e5ff667d2ebb9944205656f5336

Analysis

max time kernel
131s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 00:41

Target

JaffaCakes118_046e235e5dad84063e3135e65f58b461.dll
Size

825KB
MD5

046e235e5dad84063e3135e65f58b461
SHA1

823510e34c44667b341064a13bb67e6d4e489c1c
SHA256

1c582548950d5bd2ed2d5e2b6db39f8b7f078e5ff667d2ebb9944205656f5336
SHA512

c33b589e9fa864844813b9681e49f146a387a4256a817c575bb28b8a4ef86134921e1c4f511c784e49e4b7f996762b2696f7f5f9d09136b8fe46a2f30f3e8087
SSDEEP

12288:NafGVgqM7aafQIbyhxi5zhRSAofMvG9VWTY3DdWyS5EPGy:NafGVJwyAq+hfgAG9VWGdWyIy

Score

10^/10

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader
Bazarloader family
bazarloader

Bazar/Team9 Loader payload 3 IoCs

resource	yara_rule
behavioral2/memory/1264-0-0x0000000180000000-0x0000000180030000-memory.dmp	BazarLoaderVar5
behavioral2/memory/1264-1-0x0000000180000000-0x0000000180030000-memory.dmp	BazarLoaderVar5
behavioral2/memory/1264-2-0x0000000180000000-0x0000000180030000-memory.dmp	BazarLoaderVar5

Tries to connect to .bazar domain 3 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Unexpected DNS network traffic destination 3 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_046e235e5dad84063e3135e65f58b461.dll
1⤵
PID:1264

memory/1264-0-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/1264-1-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download
memory/1264-2-0x0000000180000000-0x0000000180030000-memory.dmp

Filesize
192KB

Download