{
	"id": "b4362876-a03d-4a30-85cd-9dc22404f3f0",
	"created_at": "2026-04-06T01:29:57.165736Z",
	"updated_at": "2026-04-10T13:12:56.624042Z",
	"deleted_at": null,
	"sha1_hash": "139649973edbf0461f5f96b523106acef4407105",
	"title": "SQL Brute Force Leads to BlueSky Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3066068,
	"plain_text": "SQL Brute Force Leads to BlueSky Ransomware\r\nBy editor\r\nPublished: 2023-12-04 · Archived: 2026-04-06 00:37:24 UTC\r\nIn December 2022, we observed an intrusion on a public-facing MSSQL server that ended in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to the Conti and Babuk ransomware families. While other reports point to malware downloads as the initial access, in this case the threat actors gained access through an MSSQL brute force attack against the \"sa\" login. They then used Cobalt Strike and Tor2Mine for post-exploitation activity. Within one hour of first accessing the network, they had deployed BlueSky ransomware network wide.\r\nCase Summary\r\nIn December 2022, we observed a cluster of activity targeting MSSQL servers. The activity started with brute force password attempts against the MSSQL \"sa\" (system administrator) login on an internet-facing server. Once the password was found, the threat actors enabled \"xp_cmdshell\" on the SQL server. xp_cmdshell is an extended stored procedure that lets members of the sysadmin role execute operating system commands on the host, in the security context of the SQL Server service account.\r\nUsing xp_cmdshell, the threat actors first executed a PowerShell command on the SQL server. The command carried base64-encoded content which, on execution, connected to a Cobalt Strike command and control server. This was immediately followed by injection into the legitimate winlogon.exe process. The injected process then spawned PowerShell and cmd to perform SMB scans and discovery using Invoke-SMBExec.\r\nThe PowerShell session was then seen connecting to a Tor2Mine stager server. This was followed by execution of a PowerShell script that performed a variety of operations, such as checking the privileges of the active user, disabling AV solutions, and dropping a miner payload named java.exe. Tor2Mine is a Monero-mining campaign based on XMRigCC. 
Depending on the user's privileges, the script also creates scheduled tasks and Windows services to maintain persistence on the host.\r\nAround 15 minutes after initial access, the threat actors moved laterally toward the domain controllers and file shares using remote service creation. The services executed the same PowerShell commands, downloading and running the Tor2Mine malware. After gaining access to one of the domain controllers, the threat actors performed the same activity observed on the beachhead.\r\nRoughly 30 minutes after initial access, the BlueSky ransomware binary was dropped and executed on the beachhead. It ran as intended and spread to all devices in the network over SMB. The time to ransomware in this case was 32 minutes.\r\nThreat Actor Profile:\r\nCobalt Strike\r\nhttps://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/\r\nPage 1 of 25\n\nThe Cobalt Strike server observed in this intrusion was first seen on December 16th 2022 and remained active through January 17th 2023. The server then returned for a second period, from April 6th 2023 through April 15th 2023. This data was provided by the Threat Intel tracking services of The DFIR Report.\r\nTor2Mine\r\nThe PowerShell scripts involved in this case, as well as the infrastructure for the Tor2Mine server, were observed being reused in May 2023 in an intrusion where the PaperCut NG CVE-2023-27350 exploit was the initial access vector. No ransomware was observed in that intrusion. The linked case data is available to All Intel subscribers in event 21132 (c39d59d8-8bae-49f5-8b29-de5c13b61899).\r\nServices\r\nWe offer multiple services, including a Threat Feed service which tracks command and control frameworks such as Cobalt Strike, Sliver, BianLian, Metasploit, Empire, Havoc, etc. 
More information on this service can be found here.\r\nOur All Intel service includes private reports, exploit events, long-term infrastructure tracking, clustering, C2 configs, and other curated intel.\r\nWe will be launching a private ruleset soon. If you would like to get in at a discounted rate for the beta, please Contact Us.\r\nIf you are interested in hearing more about our services, or would like to talk about a free trial, please reach out using the Contact Us page. We look forward to hearing from you.\r\nAnalysts\r\nAnalysis and reporting completed by @yatinwad\r\nInitial Access\r\nInitial access occurred via a brute-force attack in which the threat actors mainly targeted the system administrator (\"sa\") login.\r\nDuring the intrusion, we observed over 10,000 failed attempts before the successful login.\r\nSQL Server event ID 18456 (Login failed for user) failure audit events were recorded in the Windows Application log. SQL Server logs failed logins by default; successful logins (event ID 18454) only appear if the server's login auditing is set to record both failed and successful logins.\r\nSuccessful login (event ID 18454):\r\nExecution\r\nIn the next attack stage, the threat actors established a command shell via the extended stored procedure xp_cmdshell. This procedure passes operating system commands directly to the Windows command shell, which runs them under the SQL Server service account, and it is disabled by default. 
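One way to turn the two signals above into a detection, as an added example that is not code from the DFIR Report or from any tool it names: correlate a burst of event 18456 failures for one login from one client with a later event 18454 success for the same pair, and then with the event 15457 message SQL Server writes when the xp_cmdshell option changes from 0 to 1. Everything in the sample log (timestamps, client addresses, the 50-failures-in-5-minutes threshold, the 30-minute gap, and the simplified timestamp|event|message record form) is constructed or assumed for the example; only the event IDs and the message wording are SQL Server's own.

```python
# Added example (not from the DFIR Report): correlate MSSQL login failures
# (18456), a subsequent success (18454) and the xp_cmdshell option change
# (15457) from Windows Application log records. All records below are
# constructed; only the event IDs and message formats follow SQL Server.
from collections import defaultdict
from datetime import datetime, timedelta

FAIL, SUCCESS, CONFIG = 18456, 18454, 15457
QUOTE = chr(39)  # a single quote; SQL Server wraps login and option names in them


def parse(line):
    # Simplified record form assumed for the example: timestamp|event_id|message
    ts, eid, msg = line.split('|', 2)
    return datetime.strptime(ts, '%Y-%m-%d %H:%M:%S'), int(eid), msg


def login_name(msg):
    # Login failed for user 'sa'. ...  ->  sa
    return msg.split(QUOTE)[1]


def client(msg):
    # ... [CLIENT: 203.0.113.7]  ->  203.0.113.7 (the field closes the message)
    return msg.rsplit('[CLIENT: ', 1)[1].rstrip(']')


def analyze(lines, window=timedelta(minutes=5), threshold=50):
    # Returns a chronological list of (kind, (login, client) or None, timestamp).
    # threshold/window are assumptions: 50 failures from one client for one
    # login inside 5 minutes; the case in this report saw over 10,000.
    events = sorted((parse(line) for line in lines), key=lambda e: e[0])
    recent = defaultdict(list)   # (login, client) -> failure timestamps in window
    flagged = set()
    findings = []
    for ts, eid, msg in events:
        if eid in (FAIL, SUCCESS):
            key = (login_name(msg), client(msg))
        if eid == FAIL:
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append(('brute_force', key, ts))
        elif eid == SUCCESS and key in flagged:
            findings.append(('brute_force_success', key, ts))
        elif eid == CONFIG and QUOTE + 'xp_cmdshell' + QUOTE in msg and 'from 0 to 1' in msg:
            findings.append(('xp_cmdshell_enabled', None, ts))
    return findings


def triage(findings, max_gap=timedelta(minutes=30)):
    # Severity rises when a brute-forced login is followed by xp_cmdshell being
    # enabled within max_gap (assumed), which is the sequence seen in this case.
    successes = [ts for kind, _, ts in findings if kind == 'brute_force_success']
    shells = [ts for kind, _, ts in findings if kind == 'xp_cmdshell_enabled']
    if any(timedelta(0) <= s - ok <= max_gap for ok in successes for s in shells):
        return 'critical'
    if successes:
        return 'high'
    if findings:
        return 'medium'
    return 'none'


def build_sample():
    # Constructed log: 60 failures for sa from one client in two minutes, one
    # unrelated failure, the success, then the two sp_configure changes.
    base = datetime(2022, 12, 16, 3, 10, 0)
    stamp = lambda secs: (base + timedelta(seconds=secs)).strftime('%Y-%m-%d %H:%M:%S')
    lines = [f'''{stamp(2 * i)}|18456|Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]''' for i in range(60)]
    lines.append(f'''{stamp(30)}|18456|Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]''')
    lines.append(f'''{stamp(125)}|18454|Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]''')
    lines.append(f'''{stamp(180)}|15457|Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.''')
    lines.append(f'''{stamp(182)}|15457|Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.''')
    return lines


if __name__ == '__main__':
    found = analyze(build_sample())
    for kind, key, ts in found:
        print(ts, kind, key)
    print('severity:', triage(found))
```

Run stand-alone it reports the brute force at the 50th failure, the success for the same login and client, the xp_cmdshell change, and a severity of critical. In production the same logic would read event IDs 18456, 18454 and 15457 from the Application log (Get-WinEvent or a SIEM) instead of the pipe-delimited sample, and the threshold of 50 failures in 5 minutes is meant to be tuned against normal authentication noise; the related 'show advanced options' change is deliberately not flagged on its own, since it precedes many legitimate configuration changes.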
They did this by switching on the xp_cmdshell server configuration option (an sp_configure change that SQL Server records as event ID 15457).\r\nThe threat actor then executed a Cobalt Strike beacon and a PowerShell script that Sophos has previously identified as being used in campaigns to deploy Tor2Mine malware.\r\nThe overall execution chain is depicted in a diagram in the original report.\r\nThe first PowerShell script executed a command to download a Cobalt Strike beacon.\r\nThis was followed by a second PowerShell execution.\r\nA connection was then established with the Tor2Mine server and URIs listed under Command and Control and Indicators.\r\nTor2Mine uses a PowerShell script named checking.ps1 to perform a variety of operations. In its first few lines, the script sets the variables $priv and $osver, which record whether the active user is an administrator and the operating system version respectively.\r\nIt then attempts to pull down an additional script named kallen.ps1, a PowerShell port of Mimikatz, from the Tor2Mine server.\r\nIt also contains a function named \"StopAV\" that tries to disable antivirus products, in this case Malwarebytes, Sophos and Windows Defender.\r\nDepending on the value of $priv, the script takes one of two routes: the privileged path \"PrivTrue()\" or the non-privileged path \"PrivFalse()\".\r\nIf the user is privileged, the script first checks the OS architecture, then downloads the matching build of the miner (x64 in this case) and installs it as java.exe in the \"C:\\ProgramData\\Oracle\\Java\" directory. 
It also installs a driver named WinRing0x64.sys.\r\nThe function also creates multiple scheduled tasks and services that reference the Tor2Mine miner java.exe, encoded PowerShell commands, and .hta files hosted on Tor2Mine servers.\r\nIn the non-privileged path \"PrivFalse()\", the script runs a batch file \"PrivFalse.bat\" as a scheduled task and also sets up the same scheduled tasks as the \"PrivTrue()\" function.\r\nIn its last section, a script named del.ps1 is downloaded and executed on the host as a scheduled task. The del.ps1 script is explored further in the Defense Evasion section.\r\nThe execution flow for each value of $priv is shown as a diagram in the original report.\r\nAs the mimi function is commented out, we did not observe any artifacts related to the kallen.ps1 script.\r\nPersistence\r\nTo establish persistence, multiple scheduled tasks and Windows services were created on the beachhead and on one of the domain controllers. They reference the files dropped on the compromised hosts and the Tor2Mine servers.\r\nPrivilege Escalation\r\nThe threat actor was seen injecting code into the legitimate process winlogon.exe via CreateRemoteThread, which can be detected with Sysmon event ID 8 (CreateRemoteThread detected) whenever the source and target processes differ; winlogon.exe runs as SYSTEM, so code placed in it inherits that context.\r\nDuring the intrusion the threat actor deployed the XMRig miner, which loaded the WinRing0 driver. 
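As an added example, not code from the DFIR Report, the following triages the two Sysmon signals relevant here: event ID 8 for a remote thread created in winlogon.exe (above) and event ID 10 for a process opening lsass.exe with the 0x1010 access mask noted under Credential Access below. The sample events are constructed; the access-right values are the Windows PROCESS_* constants, the two allowlists are assumptions to replace with the environment's own baselines, and the sample paths use forward slashes so the sample needs no escape sequences (basename() also accepts the backslashes Sysmon actually writes).

```python
# Added example (not from the DFIR Report): triage Sysmon event 8
# (CreateRemoteThread) and event 10 (ProcessAccess) records, decoding the
# GrantedAccess mask. Sample events are constructed.

# Windows process access rights (winnt.h values), used to decode GrantedAccess.
PROCESS_RIGHTS = {
    0x000001: 'PROCESS_TERMINATE',
    0x000002: 'PROCESS_CREATE_THREAD',
    0x000008: 'PROCESS_VM_OPERATION',
    0x000010: 'PROCESS_VM_READ',
    0x000020: 'PROCESS_VM_WRITE',
    0x000040: 'PROCESS_DUP_HANDLE',
    0x000080: 'PROCESS_CREATE_PROCESS',
    0x000100: 'PROCESS_SET_QUOTA',
    0x000200: 'PROCESS_SET_INFORMATION',
    0x000400: 'PROCESS_QUERY_INFORMATION',
    0x000800: 'PROCESS_SUSPEND_RESUME',
    0x001000: 'PROCESS_QUERY_LIMITED_INFORMATION',
    0x100000: 'SYNCHRONIZE',
}

# Processes that legitimately read LSASS memory on a typical host. This list is
# an assumption and must be tuned per environment (EDR agents, backup tools).
LSASS_READERS_ALLOWED = {'msmpeng.exe', 'csrss.exe', 'wininit.exe', 'services.exe'}

# Processes that normally create threads in winlogon.exe; assumption as above.
WINLOGON_THREAD_ALLOWED = {'csrss.exe', 'wininit.exe', 'smss.exe'}


def decode_access(mask):
    # 0x1010 -> ['PROCESS_VM_READ', 'PROCESS_QUERY_LIMITED_INFORMATION']
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]


def basename(path):
    # Accept either separator; chr(92) is a backslash, written this way so the
    # sample data can stay free of escape sequences.
    return path.replace(chr(92), '/').rsplit('/', 1)[-1].lower()


def triage(event):
    # Returns (rule, source image name, granted access or None), else None.
    src = basename(event.get('SourceImage', ''))
    dst = basename(event.get('TargetImage', ''))
    if event['EventID'] == 8 and dst == 'winlogon.exe' and src not in WINLOGON_THREAD_ALLOWED:
        return ('remote_thread_into_winlogon', src, None)
    if event['EventID'] == 10 and dst == 'lsass.exe':
        rights = decode_access(int(event['GrantedAccess'], 16))
        # Reading LSASS memory is the primitive every credential dumper needs;
        # a bare query right (0x1000 or 0x1400) without VM_READ is routine.
        if 'PROCESS_VM_READ' in rights and src not in LSASS_READERS_ALLOWED:
            return ('lsass_memory_read', src, event['GrantedAccess'])
    return None


def triage_all(events):
    return [hit for hit in (triage(e) for e in events) if hit]


# Constructed Sysmon records (fields as Sysmon names them; paths simplified).
SAMPLE_EVENTS = [
    {'EventID': 8, 'SourceImage': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'TargetImage': 'C:/Windows/System32/winlogon.exe'},
    {'EventID': 8, 'SourceImage': 'C:/Windows/System32/csrss.exe',
     'TargetImage': 'C:/Windows/System32/winlogon.exe'},
    {'EventID': 10, 'SourceImage': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'TargetImage': 'C:/Windows/System32/lsass.exe', 'GrantedAccess': '0x1010'},
    {'EventID': 10, 'SourceImage': 'C:/ProgramData/Microsoft/Windows Defender/Platform/4.18/MsMpEng.exe',
     'TargetImage': 'C:/Windows/System32/lsass.exe', 'GrantedAccess': '0x1FFFFF'},
    {'EventID': 10, 'SourceImage': 'C:/Windows/System32/svchost.exe',
     'TargetImage': 'C:/Windows/System32/lsass.exe', 'GrantedAccess': '0x1400'},
]


if __name__ == '__main__':
    for rule, src, access in triage_all(SAMPLE_EVENTS):
        print(rule, src, access, decode_access(int(access, 16)) if access else '')
```

Sysmon only emits event 10 for the TargetImage and GrantedAccess combinations its configuration includes, so a configuration that does not log access to lsass.exe produces nothing for the second rule; the Sigma rule listed under Detections (Potentially Suspicious AccessMask Requested From LSASS) keys on the same GrantedAccess field. The Defender engine with full access and svchost with query-only rights are deliberately left unflagged to show the two ways a benign record drops out.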
The WinRing0 driver ships with XMRig to give the miner direct hardware (MSR) access and has been bundled since at least XMRig version 5.3.0. It is also a known vulnerable driver, which is why the \"Vulnerable WinRing0 Driver Load\" Sigma rule listed under Detections fires on it.\r\nDefense Evasion\r\nWindows Defender real-time monitoring was disabled on the beachhead and on one of the domain controllers using the Set-MpPreference cmdlet (Set-MpPreference -DisableRealtimeMonitoring $true).\r\nThe checking.ps1 script described in the Execution section contains further ways of disabling AV, including registry modifications and stopping services.\r\nA PowerShell script named del.ps1 attempts to terminate monitoring and analysis utilities such as Process Explorer, Task Manager, Process Monitor, and Daphne Task Manager.\r\nThrough checking.ps1 the threat actor created 16 different scheduled tasks on the hosts where Tor2Mine was deployed. The tasks were named to blend in with the Windows tasks already present on the hosts; on review, the misspelling \"SlientDefragDisks\" and the suffixes S-3-5-21-... (a real SID has revision 1, S-1-5-21-..., never S-3) give them away:\r\n\\Microsoft\\Windows\\MUI\\LPupdate\r\n\\Microsoft\\Windows\\RamDiagnostic\\Error Diagnostic\r\n\\Microsoft\\Windows\\.NET Framework\\.NET Framework Cache Optimization Files-S-3-5-21-2236678156-4335293\r\n\\Microsoft\\Windows\\.NET Framework\\.NET Framework Cache Optimization Files-S-3-5-21-2236678155-4335293\r\n\\Microsoft\\Windows\\.NET Framework\\.NET Framework Cache Optimization\r\n\\Microsoft\\Windows\\Registry\\RegBackup\r\n\\Microsoft\\Windows\\DiskCleanup\\SlientDefragDisks\r\n\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v4.0.50319 Critical\r\n\\Microsoft\\Windows\\EDP\\EDP App Update Cache\r\n\\Microsoft\\Windows\\EDP\\EDP App Lock Task\r\n\\Microsoft\\Windows\\UPnP\\UPnPClient Task\r\n\\Microsoft\\Windows\\UPnP\\UPnPHost\r\n\\Microsoft\\Windows\\Shell\\WinShell\r\n\\Microsoft\\Windows\\Shell\\WindowsShellUpdate\r\n\\Microsoft\\Windows\\Bluetooth\\UpdateDeviceTask\r\n\\Microsoft\\Windows\\.NET Framework\\.NET Framework Cache Optimization\r\nCredential Access\r\nThe Tor2Mine PowerShell process opened the LSASS process with an access mask of 0x1010, which decodes to PROCESS_VM_READ (0x10) combined with PROCESS_QUERY_LIMITED_INFORMATION (0x1000): enough to read credential material out of LSASS memory.\r\nOn the beachhead, we also observed execution of the credential dumping utility Invoke-PowerDump.\r\nDiscovery\r\nDuring the intrusion we observed port discovery (port 445) from the beachhead. We attribute this to invocation of the PowerShell command Invoke-SMBExec, which was likely executed as part of the Invoke-TheHash framework, based on the other PowerShell modules observed.\r\nFrom a network perspective, the activity made DCE/RPC calls to the svcctl interface over the named pipe \\pipe\\ntsvcs, using the OpenSCManagerW operation.\r\nThis appeared to be how they profiled the network layout and remote hosts.\r\nThe threat actor was also observed running whoami from the Tor2Mine PowerShell process on the beachhead:\r\n\"C:\\Windows\\system32\\whoami.exe\" /user\r\nLateral Movement\r\nThe threat actors moved laterally toward the domain controllers and file shares using remote service creation.\r\nThe pattern %COMSPEC% /C \"cmd /c powershell.exe\" is associated with the Cobalt Strike \"psexec_psh\" jump module.\r\nDecoding the service command reveals the same PowerShell download-and-execute observed on the beachhead.\r\nThe hexadecimal value 0x53611451 corresponds to the IP address 83.97.20[.]81 (0x53 = 83, 0x61 = 97, 0x14 = 20, 0x51 = 81), the command and control server for the Tor2Mine malware. The download URL in the Indicators section, hxxp://0x53611451/win/clocal, uses this bare hex literal in place of the dotted address, which defeats naive dotted-quad matching on the URL.\r\nCommand and Control\r\nTor2Mine server (connection metadata from the case telemetry):\r\n destination:\r\n address: 83.97.20.81\r\n as:\r\n number: 9009\r\n organization:\r\n name: M247 Europe SRL\r\n geo:\r\n city_name: Bucharest\r\n continent_name: Europe\r\n country_iso_code: RO\r\n country_name: Romania\r\n region_iso_code: RO-B\r\n region_name: Bucuresti\r\n ip: 83.97.20.81\r\n port: 443\r\n network.direction: outbound\r\n tls:\r\n cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\r\n client:\r\n ja3: c12f54a3f91dc7bafd92cb59fe009a35\r\n curve: x25519\r\n established: true\r\n resumed: false\r\n server:\r\n ja3s: ec74a5c51106f0419184d0dd08fb05bc\r\n version: 1.2\r\n version_protocol: tls\r\nCobalt Strike C2:\r\nIP Address: 5.188.86.237\r\nConnections to the beacon's HTTP URIs were observed (the GET and POST URIs are visible in the extracted server configuration below).\r\nCobalt Strike Server Config:\r\n{\r\n \"beacontype\": [\r\n \"HTTPS\"\r\n ],\r\n \"sleeptime\": 120000,\r\n \"jitter\": 12,\r\n \"maxgetsize\": 1398924,\r\n \"spawnto\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"license_id\": 1580103824,\r\n \"cfg_caution\": false,\r\n \"kill_date\": null,\r\n \"server\": {\r\n \"hostname\": \"5.188.86.237\",\r\n \"port\": 443,\r\n \"publickey\": \"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tP\r\n },\r\n \"host_header\": \"\",\r\n \"useragent_header\": null,\r\n \"http-get\": {\r\n \"uri\": \"/functionalStatus/2JYbAmfY5gYNj7UrgAte5p1jXx2V\",\r\n \"verb\": \"GET\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"metadata\": null\r\n },\r\n \"server\": {\r\n \"output\": [\r\n \"print\",\r\n \"append 8 characters\",\r\n \"append 8 characters\",\r\n \"append 10 characters\",\r\n \"append 6 characters\",\r\n \"append 11 characters\",\r\n \"append 33 characters\",\r\n \"append 69 characters\",\r\n \"append 55 characters\",\r\n \"append 67 characters\",\r\n \"append 27 characters\",\r\n \"append 15 characters\",\r\n \"append 25 characters\",\r\n \"append 32 characters\",\r\n \"append 72 characters\",\r\n \"prepend 16 characters\",\r\n \"prepend 17 characters\",\r\n \"prepend 11 characters\",\r\n \"prepend 31 characters\",\r\n \"prepend 80 characters\",\r\n \"prepend 60 characters\",\r\n \"prepend 54 characters\",\r\n \"prepend 69 characters\",\r\n \"prepend 38 characters\",\r\n \"prepend 8 characters\",\r\n \"base64url\"\r\n ]\r\n }\r\n },\r\n \"http-post\": {\r\n \"uri\": \"/rest/2/meetings2JYbAmfY5gYNj7UrgAte5p1jXx2V\",\r\n \"verb\": \"GET\",\r\n \"client\": {\r\n \"headers\": null,\r\n \"id\": null,\r\n \"output\": null\r\n }\r\n },\r\n \"tcp_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"crypto_scheme\": 0,\r\n \"proxy\": {\r\n \"type\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"behavior\": \"Use IE settings\"\r\n },\r\n \"http_post_chunk\": 96,\r\n \"uses_cookies\": false,\r\n \"post-ex\": {\r\n \"spawnto_x86\": \"%windir%\\\\syswow64\\\\auditpol.exe\",\r\n \"spawnto_x64\": \"%windir%\\\\sysnative\\\\auditpol.exe\"\r\n },\r\n \"process-inject\": {\r\n \"allocator\": \"NtMapViewOfSection\",\r\n \"execute\": [\r\n \"CreateThread 'ntdll.dll!RtlUserThreadStart'\",\r\n \"NtQueueApcThread-s\",\r\n \"SetThreadContext\",\r\n \"CreateRemoteThread\",\r\n \"CreateThread 'kernel32.dll!LoadLibraryA'\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"min_alloc\": 40263,\r\n \"startrwx\": true,\r\n \"stub\": \"IiuPJ9vfuo3dVZ7son6mSA==\",\r\n \"transform-x86\": [\r\n \"prepend '\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90'\"\r\n ],\r\n \"transform-x64\": [\r\n \"prepend '\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90\\\\x90'\"\r\n ],\r\n \"userwx\": false\r\n },\r\n \"dns-beacon\": {\r\n \"dns_idle\": null,\r\n \"dns_sleep\": null,\r\n 
\"maxdns\": null,\r\n \"beacon\": null,\r\n \"get_A\": null,\r\n \"get_AAAA\": null,\r\n \"get_TXT\": null,\r\n \"put_metadata\": null,\r\n \"put_output\": null\r\n },\r\n \"pipename\": null,\r\n \"smb_frame_header\": \"AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n \"stage\": {\r\n \"cleanup\": true\r\n },\r\n \"ssh\": {\r\n \"hostname\": null,\r\n \"port\": null,\r\n \"username\": null,\r\n \"password\": null,\r\n \"privatekey\": null\r\n }\r\n}\r\nImpact\r\nThe BlueSky ransomware binary, named vmware.exe, was dropped on the beachhead and, once executed, encrypted the whole network. It did so over SMB, connecting to each host on port 445 and encrypting files on the reachable shares.\r\nFiles were renamed with the extension .bluesky, and a ransom note named # DECRYPT FILES BLUESKY #.txt was dropped on each host and opened to display the ransom note.\r\nOn the beachhead server, the time of encryption was visible as the MSSQL service stopped functioning after the execution of vmware.exe.\r\nThe whole intrusion after initial access lasted only around 30 minutes, with limited discovery and no exfiltration observed.\r\nTimeline\r\n(timeline figure in the original report)\r\nDiamond Model\r\n(diamond model figure in the original report)\r\nIndicators\r\nAtomic\r\nhxxp://0x53611451/win/clocal\r\nhxxp://qlqd5zqefmkcr34a[.]onion[.]sh/win/checking[.]hta\r\nhxxps://asq[.]d6shiiwz[.]pw/win/hssl/d6[.]hta\r\nhxxp://83[.]97[.]20[.]81/win/checking[.]hta\r\nhxxp://83[.]97[.]20[.]81/win/update[.]hta\r\nhxxps://asd[.]s7610rir[.]pw/win/checking[.]hta\r\nhxxps://asq[.]r77vh0[.]pw/win/hssl/r7[.]hta\r\nhxxp://asq[.]r77vh0[.]pw/win/checking[.]hta\r\nhxxp://5[.]188[.]86[.]237/vmware[.]exe\r\nComputed\r\njava.exe\r\nmd5: 9e88c287eb376f3c319a5cb13f980d36\r\nsha1: 501af977080d56a55ff0aeba66b58e7f3d1404ea\r\nsha256: 74b6d14e35ff51fe47e169e76b4732b9f157cd7e537a2ca587c58dbdb15c624f\r\nvmware.exe\r\nmd5: 7b68bc3dd393c2e5273f180e361f178a\r\nsha1: 07610f11d3b8ccb7b60cc8ad033dda6c7d3940c4\r\nsha256: d4f4069b1c40a5b27ba0bc15c09dceb7035d054a022bb5d558850edfba0b9534\r\nWinRing0x64.sys\r\nmd5: 0c0195c48b6b8582fa6f6373032118da\r\nsha1: d25340ae8e92a6d29f599fef426a2bc1b5217299\r\nsha256: 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5\r\ndel.ps1\r\nmd5: bfd36fd6a20ccd39f5c3bb64a5c5dd8b\r\nsha1: e938646862477e598fcda20d0b7551863f8b651c\r\nsha256: 35b95496b243541d5ad3667f4aabe2ed00066ba8b69b82f10dd1186872ce4be2\r\nchecking.ps1\r\nmd5: 08bdf000031bbad1a836381f73adace5\r\nsha1: 3dff4ae3c421c9143978f8fc9499dca4aed0eac5\r\nsha256: f955eeb3a464685eaac96744964134e49e849a03fc910454faaff2109c378b0b\r\nInvoke-PowerDump.ps1\r\nmd5: 42a80cc2333b612b63a859f17474c9af\r\nsha1: e7be97fb2200eb99805e39513304739a7a28b17e\r\nsha256: 3b463c94b52414cfaad61ecdac64ca84eaea1ab4be69f75834aaa7701ab5e7d0\r\nDetections\r\nNetwork\r\nET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\r\nET INFO Executable Download from dotted-quad Host\r\nET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download\r\nET INFO PowerShell Hidden Window Command Common In Powershell Stagers M2\r\nET MALWARE Successful Cobalt Strike Shellcode Download (x64) M2\r\nET POLICY PE EXE or DLL Windows file download HTTP\r\nET HUNTING Generic Powershell DownloadFile Command\r\nET HUNTING Generic Powershell DownloadString Command\r\nET HUNTING Generic Powershell Launching Hidden Window\r\nET INFO PS1 Powershell File Request\r\nET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1\r\nET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2\r\nET INFO PowerShell DownloadFile Command Common In Powershell Stagers\r\nET INFO PowerShell DownloadString Command Common In Powershell Stagers\r\nET INFO PowerShell NoProfile Command Received In Powershell Stagers\r\nET INFO PowerShell NonInteractive Command Common In Powershell Stagers\r\nET INFO Powershell Base64 Decode Command Inbound\r\nET MALWARE JS/Nemucod requesting EXE payload 2016-02-01\r\nET MALWARE JS/Nemucod.M.gen downloading EXE payload\r\nETPRO MALWARE Likely Evil Request for Invoke-Mimikatz\r\nETPRO MALWARE PS/Deathhm Script Inbound via HTTP\r\nET DNS Query to a *.pw domain - Likely Hostile\r\nET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection\r\nSigma\r\nSearch rules on detection.fyi or sigmasearchengine.com\r\nSigma Repo:\r\nSuspicious Scheduled Task Creation - 3a734d25-df5c-4b99-8034-af1ddb5883a4\r\nPowerShell Scripts Installed as Services - a2e5019d-a658-4c6a-92bf-7197b54e2cae\r\nPotentially Suspicious AccessMask Requested From LSASS - 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76\r\nPowershell Defender Disable Scan Feature - 1ec65a5f-9473-4f12-97da-622044d6df21\r\nWindows Defender Exclusions Added - 1321dc4e-a1fe-481d-a016-52c45f0c8b4f\r\nCobaltStrike Service Installations System - 5a105d34-05fc-401e-8553-272b45c1522d\r\nCobaltStrike Service Installations in Registry - 61a7697c-cb79-42a8-a2ff-5f0cdfae0130\r\nSuspicious Child Process Of SQL Server - 869b9ca7-9ea2-4a5a-8325-e80e62f75445\r\nWhoami.EXE Execution Anomaly - 8de1cbe8-d6f5-496d-8237-5f44a721c7a0\r\nMalicious PowerShell Commandlets PoshModule - 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c\r\nMalicious PowerShell Commandlets ScriptBlock - 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6\r\nPowerShell Base64 Encoded IEX Cmdlet - 88f680b8-070e-402c-ae11-d2914f2257f1\r\nMSSQL Server Failed Logon - 218d2855-2bba-4f61-9c85-81d0ea63ac71\r\nMSSQL XPCmdshell Suspicious Execution - 7f103213-a04e-4d59-8261-213dddf22314\r\nMSSQL XPCmdshell Option Change - d08dd86f-681e-4a00-a92c-1db218754417\r\nMSSQL Server Failed Logon From External Network - ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d\r\nVulnerable WinRing0 Driver Load - 1a42dfa6-6cb2-4df9-9b48-295be477e835\r\nYara\r\nhttps://github.com/The-DFIR-Report/Yara-Rules/blob/main/19208/19208.yar\r\nMITRE\r\nValid Accounts - T1078\r\nBrute Force - T1110\r\nScheduled Task - T1053.005\r\nWindows Command Shell - T1059.003\r\nPowerShell - T1059.001\r\nDisable or Modify Tools - T1562.001\r\nProcess Injection - T1055\r\nLSASS Memory - T1003.001\r\nSystem Owner/User Discovery - T1033\r\nNetwork Share Discovery - T1135\r\nData Encrypted for Impact - T1486\r\nSMB/Windows Admin Shares - T1021.002\r\nWeb Protocols - T1071.001\r\nService Execution - T1569.002\r\nModify Registry - T1112\r\nObfuscated Files or Information - T1027\r\nWindows Service - T1543.003\r\nMasquerade Task or Service - T1036.004\r\nInternal case #19208\r\nSource: https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2023/12/04/sql-brute-force-leads-to-bluesky-ransomware/"
	],
	"report_names": [
		"sql-brute-force-leads-to-bluesky-ransomware"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775438997,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/139649973edbf0461f5f96b523106acef4407105.pdf",
		"text": "https://archive.orkl.eu/139649973edbf0461f5f96b523106acef4407105.txt",
		"img": "https://archive.orkl.eu/139649973edbf0461f5f96b523106acef4407105.jpg"
	}
}