BazarLoader – Back From Holiday Break - Malware Book Reports
Common Information
UUID: 8cafbad6-537e-47d5-98c3-643d0d7c5fd8
Fingerprint: a2919f396cb68b52
Analysis status: DONE
Considered CTI value: 2
Text language:
Published: Jan. 15, 2022, 8:32 p.m.
Added to db: Sept. 26, 2022, 9:34 a.m.
Last updated: Nov. 17, 2024, 10:40 p.m.
Headline: BazarLoader – Back From Holiday Break
Title: BazarLoader – Back From Holiday Break - Malware Book Reports
Detected Hints/Tags/Attributes: 83/2/84
Attributes
Type                  #Events  Value
Domain                18       1drv.ms
Domain                1        nasikbazar.com
Domain                287      yahoo.com
Domain                707      google.com
Domain                295      amazon.com
Domain                369      microsoft.com
Domain                201      msdn.microsoft.com
Domain                55       live.com
Domain                114      eset.com
Domain                30       fortinet.com
Domain                1        sky.com
Domain                20       intel.com
Domain                22       hp.com
Domain                2        hpe.com
Domain                77       apple.com
Domain                2        vanguard.com
Domain                21       whitehouse.gov
Domain                97       abuse.ch
File                  6        readme.doc
File                  13       1.png
File                  4        2.png
File                  1        errcheck.ps1
File                  1018     rundll32.exe
File                  1        licne.txt
File                  127      c:\windows\system32\rundll32.exe
File                  1        c:\users\admin\appdata\local\temp\dumped_bazar.bin
File                  2126     cmd.exe
File                  165      reg.exe
File                  1        c:\users\muzi\appdata\local\temp\licne.dll
File                  1122     svchost.exe
File                  1260     explorer.exe
File                  14       cryptdll.dll
File                  748      kernel32.dll
File                  229      advapi32.dll
File                  459      regsvr32.exe
File                  130      ws2_32.dll
File                  52       bcrypt.dll
File                  291      user32.dll
File                  533      ntdll.dll
File                  185      shell32.dll
File                  146      wininet.dll
File                  50       urlmon.dll
File                  69       shlwapi.dll
File                  89       version.dll
File                  86       ole32.dll
File                  271      chrome.exe
File                  128      msedge.exe
File                  83       crypt32.dll
File                  1        zbtdll.dll
File                  1        ll32.exe
File                  71       nss3.dll
File                  2        vr32.exe
File                  2        el32.dll
md5                   1        dbd0bb79ea2465a02455edca624f9bc8
md5                   1        6dab9678f4ae6395b829ff53dace8432
md5                   1        f31e276e3a50fdd8b800f649dcff19cf
md5                   1        c352d68a4d6077a3a94c57aed16c139b
md5                   1        3e57f39950ee4368e0a15abea1133272
sha1                  1        96c58f2c78ae38302f8f20e9cb08837ea3149eeb
sha1                  1        fe7ee5ce4435fcc271ab976146e2e6d8f16fde78
sha1                  1        f55b2b821d12eed29b02d73e519dfa6d12eee1a5
sha1                  1        107ba4ca7a9b1c102295e951a40bddfac0c5d28e
sha1                  1        7303d9dd5795a667a1aecf94dc252c8105aca95d
sha256                1        2e367fcfc6583efad45bb8bbc97a77f30853d11322335d14d3d3d9ff4a79ea3c
sha256                1        7076e5832b8c2a386e70de2612280f96b09062ec5402e18aee65fb46de9d50b4
sha256                1        9304089e076099451e8a7b8fe204986d6e762d939512f20877fc06ba69b4d42e
sha256                1        9ca8609a1f3c9eeaa81205d7cad0a4747ffc358c07924ece6ed55ce21df2de33
sha256                1        62a7b273f763f92fd683d9248ae9ab7f5bc115b8c15e995291fdeb91d1aecc4b
IPv4                  1        185.99.133.67
IPv4                  1        188.127.249.22
IPv4                  1        5.255.103.36
IPv4                  1        91.201.202.138
IPv4                  1441     127.0.0.1
IPv4                  2        95.217.229.211
IPv4                  1        217.160.188.24
IPv4                  1        89.163.140.67
IPv4                  1        185.52.0.55
IPv4                  4        195.10.195.195
Url                   6        https://1drv.ms/u/s
Url                   1        http://nasikbazar.com/ldllrndlleaw64.png
Url                   1        http://checkip.amazonaws.com','https://ipinfo.io/ip','http://api.ipify.org','https://myexternalip.com/raw','http://wtfismyip.com/text','http://ip.anysrc.net/plain/clientip','http://api.ipify.org/?format=text','http://api.ip.sb/ip','http://ident.me/ip
Windows Registry Key  188      HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Windows Registry Key  36       HKCU\Software
Yara rule             1        BazarLoader (rule text below)
rule BazarLoader {
	meta:
		author = "muzi"
		description = "Identifies BazarLoader."
		date = "02/18/22"
	strings:
		// Two 'mov [reg+disp8], imm32' stores (opcode C7 with a 0x4? ModRM byte),
		// followed within 10-30 bytes by 'xor eax, imm32' (opcode 35).
		$xor_hash = { C7 4? [2-4] ?? ?? ?? ?? C7 4? [2-4] ?? ?? ?? ?? [10-30] 35 }
		// 'mov edx, imm32' (opcode BA), the same two stores, then 'xor eax, edx' (33 C2).
		$xor_reg = { BA ?? ?? ?? ?? C7 4? [2-4] ?? ?? ?? ?? C7 4? [2-4] ?? ?? ?? ?? [10-30] 33 C2 }
	condition:
		// File starts with the "MZ" PE header and each pattern occurs more than five times.
		uint16be(0) == 0x4D5A and #xor_hash > 5 and #xor_reg > 5
}