{
	"id": "b7e77185-eb18-4ca3-a8dd-9424ccbce7e6",
	"created_at": "2026-04-06T00:10:45.805974Z",
	"updated_at": "2026-04-10T03:20:18.183738Z",
	"deleted_at": null,
	"sha1_hash": "0831b76c172b18b5782b9b51f5a9d99d534bfe2f",
	"title": "Decrypting BazarLoader strings with a Unicorn",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1017959,
	"plain_text": "Decrypting BazarLoader strings with a Unicorn\r\nBy Jason Reaves\r\nPublished: 2021-07-30 · Archived: 2026-04-05 19:50:53 UTC\r\nBazarLoader[1,2,6] has been used by various teams over the past year, primarily for spam campaigns by teams associated with TrickBot[3]. While the initial malware has changed, the on-objective TTPs (the TrickBot attack team playbook) remain very similar across most of their infections, which end with Anchor on high-priority servers and ultimately ransomware[4,5,7].\r\nRecently I’ve noticed on the loader side that two versions have shown up, using different obfuscations and in different campaigns. There are a few different obfuscations in use by the various teams involved in Bazar, but this report focuses on the samples built with Obfuscator-LLVM[8]. My aim is to show a technique I think is underutilized in malware analysis: using a CPU emulator to decode strings out of whatever encoding the sample uses. I have used it for years to decode portions of the H1N1 loader[9] and have also used it to build unpackers, for example for MAN1’s old crypter[10].\r\nSome of the unpacked samples we will be looking at refer to themselves as:\r\nexeLoaderDll_LLVMO.dll\r\nhttps://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9\r\nPage 1 of 6\r\nThese samples store most of their relevant strings in an obfuscated form: the encoded bytes are loaded piecewise and then run through a fairly lengthy decode loop.\r\n[Image: Loading data]\r\n[Image: Start of decode loop]\r\nLooking at more instances of this process in the same sample shows variations, meaning the code was generated rather than hand-written, whether by macros or by a lower-level obfuscator; the TrickBot group has historically used both ADVobfuscator[11] and Obfuscator-LLVM[8].\r\nTo decode the strings with an emulator[12] we need to capture both the block that loads the bytes and the loop that decodes them. Luckily, obfuscators like this usually leave patterns we can signature on:\r\nimport sys\r\nimport re\r\nimport binascii\r\nfrom unicorn import *\r\nfrom unicorn.x86_const import *\r\n\r\nSTACK = 0x90000\r\ncode_base = 0x10000000\r\nmu = Uc(UC_ARCH_X86, UC_MODE_64)\r\n\r\ndata = open(sys.argv[1], 'rb').read()\r\n# Signature over the hex dump: lea r64 (48 8d) ... mov dword [mem], imm32 (c7 0x) ... backward jcc rel32 (0f 8x xx xx ff ff)\r\ntest = re.findall(r'''488d.{3,20}c70.+0f......ffff''', binascii.hexlify(data).decode())\r\nThis does the initial Unicorn[12] setup and then finds our block of code. Because the .+ in the regex is greedy, the single match runs from the first block in the file all the way through the last one, so we still have to break it up into individual blocks. I prefer this because it keeps the splitting under my control. One caveat: the match is over a hex string rather than bytes, so a split can land on an odd nibble; the emulation loop below handles that by dropping the first hex digit when unhexlify rejects an odd-length string.\r\ntemp = test[0]\r\n# Split the big match at each block start...\r\ntemp = ['488d' + x for x in temp.split('488d')]\r\ntempp = []\r\nfor x in temp:\r\n    # ...and cut each piece at the end of its decode loop (feffff, or fdffff in some samples)\r\n    xx = x.split('feffff')\r\n    if 'fdffff' in xx[0]:\r\n        xx = x.split('fdffff')\r\n        tempp.append(xx[0] + 'fdffff')\r\n    else:\r\n        tempp.append(xx[0] + 'feffff')\r\ntemp = tempp\r\nSo we break each block up by its start and end bytes, accounting for a variation in the ending bytes that I noticed in some of the samples. Next we finish setting up the emulator and then loop through and emulate each block:\r\nmu.mem_map(code_base, 0x100000)\r\nmu.mem_map(STACK, 4096 * 10)\r\nfor i in range(len(temp)):\r\n    try:\r\n        blob = binascii.unhexlify(temp[i])\r\n    except binascii.Error:\r\n        # odd-length hex: the match started on an odd nibble, drop the first digit\r\n        blob = binascii.unhexlify(temp[i][1:])\r\n    # zero both regions so nothing leaks between blocks\r\n    mu.mem_write(code_base, b'\\x00' * 0x100000)\r\n    mu.mem_write(STACK, b'\\x00' * (4096 * 10))\r\n    mu.mem_write(code_base, blob)\r\n    mu.reg_write(UC_X86_REG_RSP, STACK + 4096)\r\n    try:\r\n        # timeout is in microseconds; the loop usually runs off the end of the carved bytes\r\n        mu.emu_start(code_base, code_base + len(blob), timeout=10000)\r\n    except UcError:\r\n        pass\r\nAfter emulation we read back the entire region we mapped for the stack and print any strings found by stripping the NULL bytes:\r\n    a = bytes(mu.mem_read(STACK, 4096 * 10))\r\n    # drop the first len(blob) bytes, then join the non-NULL runs\r\n    a = [x for x in a[len(blob):].split(b'\\x00') if x]\r\n    print(b''.join(a).decode('latin-1'))\r\nAn example gives us a healthy chunk of data:\r\n# python str_decode.py 9d76e72fb45bb059b64c58d10da43cbac1487f8b396d705eae0a427974587171.bin | strings\r\nMozilla/5.0\r\nABCDEFGHIJKLMNOPQRTSUVWXYZ0123456789\r\n%s.%d.%d.%d%s.%s.%d.%d.%d%s.%s\r\n%%s.%d.%d.%d%s.%s.%d.%d.%d%s.%s\r\n Avast.exe\r\nc34.212.193.150 35.166.147.40\r\nrareanimalsofcanada.bazar wildwinternature.bazar coldmountainsanimals.bazar\r\nSoftware\\%s\r\ncmd /c ping 8.8.7.7 -n 2 &\r\n8Y3y\r\nstart %s %s\r\nGGNY\r\n yyyy-MM-dd\r\nSHA384\r\nHashDigestLength8\r\n ECDSA_P384\r\nkernel32.dll\r\n@advapi32.dll\r\nxuser32.dll\r\nws2_g\r\n+ntdll.dll\r\nshell32.dll\r\ncrypt32.dll\r\nshlwapi.dll\r\nowinhttp.dll\r\nnetapi32.dll\r\nbcrypt.dll\r\nuserenv.dll\r\nRunning this on a set of files from VirusTotal, we can quickly churn out C2 lists.\r\nSamples:\r\n0c2e254376127f76d44fc9276000697e45a2977fca4384705e84994ab63fdc37\r\n0d53ed1eca1a3d28e0227055f66f6d2de1b2606e30f10982967509df4e478ee1\r\n1c27d4dc6fef72e096b06662908d7c5b225cecdbfc66c8f19db78b76008fac63\r\n270890cfa6621fa3b5c6edcdd2bb15760b97abd43245d6673eee9dca23c77d40\r\n2ea153ff7675c15adcda2bff88958be2004f9d32f6d67d9fabd3c872eeb07505\r\n2eec5366c21fc1bc9c11c2afbf66368fc704175231ab63659b3e8b839e5c9e71\r\n37aae88b9a3f942952c258d611c2c629116fcc077079e3698590c3f8aab3e684\r\n37e587e6b801e926dc31da093c55f1f834edcb8c1971c40869a8054580e39e42\r\n447b4c867b7147afe178d73adf8113fc33f6399f03707e4308efa36e0859bf86\r\n47eb57d467c4330269a5238a53dd399c5183b338a8bbead88bb8b88b4396a80c\r\n5791ef7d6916f8c14d3261a9c3d9b68b30e208e2ddd74d0dae1ad0a476504e2a\r\n664e8512cd3ce3552f33878e26800184e0cff8ee54c75bfa93f19ad97615bb56\r\n68b4f6fde1a2d1024f4028d22d12daeaf3f4ae4ffb46cc07cf11cf6a2cb35e90\r\n69f897a4ccf41cdf3f0c7903fc740b6914707d3286a5b5c8ca1ff90487b1c4ef\r\n87ad0b1bd7a18ff2aa975991cd15725b4ddfa0d0ef972cbe2f57a789582aa675\r\n8a0fbcde56a9a817c10b0fe5ae281f75385c2a28ca271d736484e689c104e96c\r\n90d0c4995ce53077cd2fbc00a248f02df10\r\n9296e1fef0356eab2956aac2d010dac587d\r\n9d76e72fb45bb059b64c58d10da43cbac14\r\n9f6ae735999f98738022b1784d1b46975ae\r\nae6e6dd4f2aa22ccc395ade0ae713000af9\r\nc0a087a520fdfb5f1e235618b3a5101969c\r\nd5df7e82b5ff898d49f3f779f2064491654\r\ne06473cad41789dddc88aa58b2f14330236\r\nf18c2a8922bbe7b8f12980a46cc3548e9a0\r\nf29253139dab900b763ef436931213387dc\r\nIPs, Domains and URIs:\r\n18.188.232.155\r\n18.191.220.165\r\n18.222.240.99\r\n194.5.249.30\r\n3.134.106.170\r\n34.209.40.84\r\n34.212.193.150\r\n35.166.147.40\r\n45.142.158.252\r\n54.184.178.68\r\n54.184.52.204\r\n54.190.171.88\r\nacghilbdihio.bazar\r\nachiikbdjiin.bazar\r\nadehjkbeghjn.bazar\r\nadfhikbehhin.bazar\r\nadggklbeigko.bazar\r\nafegkmbgggkp.bazar\r\nbceikkccgikn.bazar\r\nbchgjlcdjgjo.bazar\r\nbegiklceiiko.bazar\r\nbffhklcghhko.bazar\r\ncegiikdeiiin.bazar\r\ncoastalbrezecarwash.com\r\ncoldmountainsanimals.bazar\r\ndeehimeeghip.bazar\r\nrareanimalsofcanada.bazar\r\nwildwinternature.bazar\r\n/thirst/honor/commerce\r\n/no/link/1\r\nReferences\r\n1: https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/\r\n2: https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/\r\n3: https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth\r\n4: https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/\r\n5: https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/\r\n6: https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor\r\n7: https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/\r\n8: https://github.com/obfuscator-llvm/obfuscator\r\n9: https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1\r\n10: https://vixra.org/pdf/1902.0257v1.pdf\r\n11: https://github.com/andrivet/ADVobfuscator\r\n12: https://www.unicorn-engine.org/docs/\r\nSource: https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9"
	],
	"report_names": [
		"decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9"
	],
	"threat_actors": [],
	"ts_created_at": 1775434245,
	"ts_updated_at": 1775791218,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0831b76c172b18b5782b9b51f5a9d99d534bfe2f.pdf",
		"text": "https://archive.orkl.eu/0831b76c172b18b5782b9b51f5a9d99d534bfe2f.txt",
		"img": "https://archive.orkl.eu/0831b76c172b18b5782b9b51f5a9d99d534bfe2f.jpg"
	}
}
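
Added example (not the article's str_decode.py and not BazarLoader's own code): the carve, emulate and scrape pipeline from the walkthrough in plain_text above, rewritten over raw bytes instead of a hex string so that every match is byte-aligned and the odd-nibble unhexlify fallback goes away. It also generalizes the block end to the first backward Jcc rel32 (opcode 0f 8x with the upper two rel32 bytes ff ff) instead of the two specific endings feffff and fdffff seen in the article's samples. build_sample_block and SAMPLE are constructed for the demo: they assemble a small lea / mov-imm32 / xor-loop stub that fits the signature, which is an assumption about the shape of such stubs, not BazarLoader's real decode loop. carve_blocks and scrape_strings need only the standard library; emulate_block needs the unicorn pip package and imports it lazily.

```python
import re
import struct
import sys

# Signature over raw bytes (not a hex string): a lea r64 (48 8d), a
# mov dword [mem], imm32 (c7 0x) within a few bytes, then everything up to
# the first backward Jcc rel32 (0f 8x, rel32 whose upper bytes are ff ff).
BLOCK_RE = re.compile(
    rb"\x48\x8d.{2,10}?\xc7[\x00-\x0f].+?\x0f[\x80-\x8f]..\xff\xff", re.DOTALL
)

CODE_BASE = 0x10000000
STACK = 0x90000
STACK_SIZE = 4096 * 10


def carve_blocks(data: bytes) -> list:
    """Return every load-and-decode block matched by BLOCK_RE, byte-aligned."""
    return BLOCK_RE.findall(data)


def emulate_block(blob: bytes) -> bytes:
    """Run one carved block under Unicorn (x86-64) and return the stack region.
    Needs the 'unicorn' package; imported here so carving works without it."""
    from unicorn import Uc, UcError, UC_ARCH_X86, UC_MODE_64
    from unicorn.x86_const import UC_X86_REG_RSP

    mu = Uc(UC_ARCH_X86, UC_MODE_64)
    mu.mem_map(CODE_BASE, 0x100000)
    mu.mem_map(STACK, STACK_SIZE)          # fresh zero-filled mappings per block
    mu.mem_write(CODE_BASE, blob)
    mu.reg_write(UC_X86_REG_RSP, STACK + 4096)
    try:
        # timeout is in microseconds; stop once RIP runs off the end of the blob
        mu.emu_start(CODE_BASE, CODE_BASE + len(blob), timeout=10_000)
    except UcError:
        pass                               # a fault after the loop is still useful
    return bytes(mu.mem_read(STACK, STACK_SIZE))


def scrape_strings(mem: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, mem)]


def build_sample_block(plaintext: bytes, key: int) -> bytes:
    """Assemble a constructed decode stub in the shape the signature expects
    (a demo assumption, not BazarLoader's real stub):
      lea rax,[rsp+0x10]; mov dword [rax+i],imm32 ...;
      xor ecx,ecx; L: xor byte [rax+rcx],key; inc rcx; cmp rcx,len; jl L"""
    enc = bytes(b ^ key for b in plaintext)
    enc += b"\x00" * (-len(enc) % 4)                    # pad to whole dwords
    code = b"\x48\x8d\x44\x24\x10"                      # lea rax,[rsp+0x10]
    for off in range(0, len(enc), 4):
        modrm = b"\x00" if off == 0 else b"\x40" + bytes([off])
        code += b"\xc7" + modrm + enc[off:off + 4]     # mov dword [rax+off], imm32
    code += b"\x31\xc9"                                 # xor ecx,ecx
    loop = b"\x80\x34\x08" + bytes([key])               # xor byte [rax+rcx*1], key
    loop += b"\x48\xff\xc1"                             # inc rcx
    loop += b"\x48\x83\xf9" + bytes([len(plaintext)])   # cmp rcx, len
    loop += b"\x0f\x8c" + struct.pack("<i", -(len(loop) + 6))  # jl L (backward rel32)
    return code + loop


# Constructed "binary": filler bytes around two decode stubs (not real BazarLoader bytes).
SAMPLE = (
    b"\x90" * 16
    + build_sample_block(b"abcdefgh", 0x20)
    + b"\xcc" * 8 + b"\x00" * 24
    + build_sample_block(b"kernel32.dll", 0x5A)
    + b"\xc3" + b"\x00" * 15
)


def decode_strings(data: bytes) -> list:
    """carve -> emulate -> scrape, de-duplicated in first-seen order."""
    seen = []
    for blob in carve_blocks(data):
        for s in scrape_strings(emulate_block(blob)):
            if s not in seen:
                seen.append(s)
    return seen


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(f"{len(carve_blocks(data))} candidate decode blocks")
    try:
        for s in decode_strings(data):
            print(s)
    except ImportError:
        print("pip install unicorn to emulate the carved blocks")
```

Run it with a file path to carve and emulate a real sample, or with no arguments to run the constructed SAMPLE, which should print abcdefgh and kernel32.dll once unicorn is installed. Unicorn's timeout is in microseconds, so 10_000 is 10 ms per block; raise it for long loops, and keep the per-block fresh mapping, since reusing one emulator instance lets strings from an earlier block bleed into the next.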