bazarloader | c51bf8c74311b8941dca2f63a0850e61c1058af6af0ac42d81c2d85cd64d37cb

Analysis

max time kernel
149s
max time network
149s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
15-03-2024 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bakjr.exe
Size

248KB
MD5

bb5ef523f0bf243790b6c67dd77ee986
SHA1

cbfe325c2101c5f76a3675b23b459eeb641eecb6
SHA256

c51bf8c74311b8941dca2f63a0850e61c1058af6af0ac42d81c2d85cd64d37cb
SHA512

eb9ffe004187d6174cf0cc2f85184e5a524546e1bc7139c1f16147049eadbd92f94818ea618370450779753c87d8349efe255244eef2450e16f9446799cdeef2
SSDEEP

6144:dL8d+BxlwJG25dgtNZfWjBVyRaViIboK:diilKG2ypWjBwjIsK

Score

10^/10

bazarloader dropper loader

Malware Config

Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.
loader dropper bazarloader

Bazar/Team9 Loader payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3036-0-0x000002BAF0CD0000-0x000002BAF0D0D000-memory.dmp	BazarLoaderVar6
behavioral1/memory/4744-11-0x000002DA46A10000-0x000002DA46A4D000-memory.dmp	BazarLoaderVar6

Tries to connect to .bazar domain 64 IoCs

Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

Processes:

flow	ioc
58	yrixekex.bazar
60	avraygex.bazar
73	onuxekud.bazar
108	walewyud.bazar
141	erwoekex.bazar
56	wawoekso.bazar
69	ewoxygyr.bazar
34	bestsightsofwildaustralia.bazar
72	erxowyso.bazar
90	viwoavso.bazar
111	ywquwyyr.bazar
115	wysiavud.bazar
143	ewkywyso.bazar
117	soanekyr.bazar
38	ewoxekex.bazar
46	reezwyso.bazar
50	udixwyud.bazar
81	avgyavso.bazar
92	erixwyyr.bazar
113	viezygyr.bazar
53	yrwoygud.bazar
75	mexiygyr.bazar
99	meohygyr.bazar
119	udxiwyso.bazar
106	omohavud.bazar
107	udleygso.bazar
39	waixavso.bazar
48	avsiygso.bazar
51	touxwyso.bazar
64	rewowyex.bazar
86	meqawyso.bazar
100	omohavex.bazar
112	ewdiekyr.bazar
118	udanygud.bazar
137	omuxwyso.bazar
35	sydneynewtours.bazar
63	vianekyr.bazar
79	sowoekyr.bazar
101	ywkywyud.bazar
120	omapekex.bazar
104	viezavex.bazar
55	wyquavyr.bazar
57	omxoekyr.bazar
87	ekdiekyr.bazar
89	erwowyso.bazar
91	erezwyex.bazar
96	ygixekex.bazar
65	ywxoavex.bazar
77	ywuxwyso.bazar
98	ewxiavso.bazar
130	wauxwyex.bazar
146	yzdiavso.bazar
41	udkyygso.bazar
54	onoxygso.bazar
67	evanekud.bazar
109	ekanekud.bazar
33	vacationinsydney2021.bazar
42	ekdiygso.bazar
80	avaswyyr.bazar
110	onohygex.bazar
97	yzoxygex.bazar
40	rediekex.bazar
59	viuxekex.bazar
66	ygdiekyr.bazar

Unexpected DNS network traffic destination 64 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	185.181.61.24
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	195.10.195.195
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	185.181.61.24
Destination IP	185.181.61.24
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	185.181.61.24
Destination IP	185.181.61.24
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	185.181.61.24
Destination IP	185.181.61.24
Destination IP	70.34.254.19
Destination IP	70.34.254.19

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

description flow ioc

HTTP URL 17 https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

description	flow	ioc
HTTP URL	17	https://api.opennicproject.org/geoip/?bare&ipv=4&wl=all&res=8

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings OpenWith.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4212 WINWORD.EXE
4212 WINWORD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

3044 OpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1990815831-2007029909-3877453929-1000_Classes\Local Settings	OpenWith.exe

pid	process
4212	WINWORD.EXE
4212	WINWORD.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

OpenWith.exeWINWORD.EXE

pid	process
3044	OpenWith.exe
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE
4212	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\bakjr.exe
"C:\Users\Admin\AppData\Local\Temp\bakjr.exe"
1⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\bakjr.exe
C:\Users\Admin\AppData\Local\Temp\bakjr.exe 3299755233
1⤵
PID:4744

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\CompleteSuspend.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3036-0-0x000002BAF0CD0000-0x000002BAF0D0D000-memory.dmp

Filesize
244KB

Download
memory/4212-45-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-32-0x00007FFC38320000-0x00007FFC38330000-memory.dmp

Filesize
64KB

Download
memory/4212-47-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-33-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-35-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-34-0x00007FFC38320000-0x00007FFC38330000-memory.dmp

Filesize
64KB

Download
memory/4212-37-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-39-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-40-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-38-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-36-0x00007FFC38320000-0x00007FFC38330000-memory.dmp

Filesize
64KB

Download
memory/4212-42-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-43-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-46-0x00007FFC34810000-0x00007FFC34820000-memory.dmp

Filesize
64KB

Download
memory/4212-66-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-31-0x00007FFC38320000-0x00007FFC38330000-memory.dmp

Filesize
64KB

Download
memory/4212-48-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-49-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-50-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-51-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-52-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-54-0x00007FFC34810000-0x00007FFC34820000-memory.dmp

Filesize
64KB

Download
memory/4212-53-0x00007FFC75B00000-0x00007FFC75BAE000-memory.dmp

Filesize
696KB

Download
memory/4212-55-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-57-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-59-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-61-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-63-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4212-65-0x00007FFC78290000-0x00007FFC7846B000-memory.dmp

Filesize
1.9MB

Download
memory/4744-11-0x000002DA46A10000-0x000002DA46A4D000-memory.dmp

Filesize
244KB

Download