{
	"id": "47c18e81-ed1e-48be-ba0c-e767e01de426",
	"created_at": "2026-04-06T00:15:30.343453Z",
	"updated_at": "2026-04-10T03:20:28.633758Z",
	"deleted_at": null,
	"sha1_hash": "476b03b0c91dbbdceefb1567f94c989c073685fc",
	"title": "BazarLoader to Conti Ransomware in 32 Hours",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1192323,
	"plain_text": "BazarLoader to Conti Ransomware in 32 Hours\r\nBy editor\r\nPublished: 2021-09-13 · Archived: 2026-04-02 11:42:06 UTC\r\nIntro\r\nConti is a top player in the ransomware ecosystem, being listed as 2nd overall in the Q2 2021 Coveware\r\nransomware report. The groups deploying this RaaS have only grown more prevalent. Despite the group having\r\nit’s affiliate guide leaked, which revealed many techniques already covered in previous reports, the group’s using\r\nthe ransomware are unlikely to let up any time soon.\r\nIn July we witnessed a BazarLoader campaign that deployed Cobalt Strike and ended with domain wide\r\nencryption using Conti ransomware.\r\nCase Summary\r\nBazarLoader has continued to be one of the preeminent initial access brokers for ransomware threat actor access.\r\nFor this intrusion we don’t know the initial campaign that deployed the malware but based on previous\r\ninformation, we can assess with high confidence that the delivery vector was a malicious email campaign. At the\r\ntime of the intrusion, the group was favoring zip attachments with malicious javascript files to download the\r\nBazarLoader malware. However BazarLoader has also been used with Word and Excel documents as well.\r\nIn this case we observed the initial activity beginning with a BazarLoader DLL. Upon initial execution on the\r\nbeachhead, the malware made an initial connection to command and control, and then a few minutes later it\r\nperformed discovery tasks on the host using Microsoft utilities like Net and Nltest to discover the domain and\r\nusers of interest. like domain administrators. After this activity, the host went quiet for about one hour before\r\ndownloading and executing a Cobalt Strike beacon DLL.\r\nThe threat actors used Cobalt Strike to run additional discovery tasks using Microsoft utilities like net, ping,\r\nsysteminfo, and taskmanager. 
The threat actors then began using pass the hash with various accounts, which\r\ncontinued several times throughout the intrusion. To see what machines were active in the environment, the threat\r\nactors scanned the network for SMB.\r\nAround two and a half hours into the intrusion the threat actors began lateral movement. Lateral movement began\r\nby the threat actor transferring an executable to a remote system and then executing it using wmic. This was the\r\nprimary lateral movement option favored by the threat actor; however, PowerShell Cobalt Strike beacons, service\r\nexecutable Cobalt Strike beacons, and RDP were all used, but less commonly. Once on remote systems the threat\r\nactor used Cobalt Strike to dump lsass memory for further credentials.\r\nAfter this phase completed, the threat actor’s activity faded but the Cobalt Strike beacon continued to beacon out to the\r\nC2 server. About 12 hours later the threat actors became active again. From the domain controller the threat actors\r\ncontinued further lateral movement to more servers in the environment. They also continued further discovery\r\nhttps://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/\r\nPage 1 of 23\n\nactivity running PowerShell scripts to discover the disk utilization of hosts, review user last login time per host,\r\nassess the installed anti-virus software, and track which hosts were online for the threat actors to target.\r\nWhen the threat actors identified the file server, their method for data exfiltration was straightforward to a fault.\r\nThey downloaded WinSCP from the project website, installed it on the file server and proceeded to exfiltrate data\r\nfrom the server using SCP to a VPS host they controlled in Romania.\r\nAround 31 hours after initial access to the environment, the threat actors felt they were ready to complete their\r\nfinal objectives. 
RDP activity was seen from several hosts and an executable named test.exe was transferred to\r\nseveral endpoints. This test file was the Conti ransomware executable, and the threat actors decided to test in a\r\ncontrolled manner before running the full domain ransomware deployment. Like before, these “unit tests” were\r\nperformed using wmic to execute the files remotely on the endpoints.\r\nThe threat actors must have confirmed quickly that their tests were successful, as within minutes they dropped\r\ntest.exe renamed to backup.exe on two servers in the environment and executed it manually via their RDP sessions.\r\nWhen executed in this manner the ransomware mounts all remote C$ drives in the local network and proceeds to\r\nencrypt the contents over the SMB connection. At this point, the Time to Ransom (TTR) for the threat actors was\r\njust shy of 32 hours since initial access.\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such\r\nas Cobalt Strike, Metasploit, Empire, PoshC2, BazarLoader, etc. More information on this service and others can\r\nbe found here. The Cobalt Strike server used in this intrusion was added to our Threat Feed on 07/01/2021.\r\nWe also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs\r\nincluding Sysmon, Kape packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nAnalysis and reporting completed by @ICSNick and @MetallicHack\r\nReviewed by @V3T0_ and @THIR_Sec\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nIn this case we did not observe the initial delivery for the malware. 
BazarLoader, however, tends to arrive in an\r\nenvironment via malicious email campaigns, and in a few cases it has been reported via call centers social engineering\r\nusers to load the malware. Seeing that this starts with a DLL file, it is more likely that this was related to an email\r\ncampaign using malicious zipped JavaScript files.\r\nExecution\r\nInitial execution occurred via the BazarLoader DLL being executed by rundll32.\r\nAbout an hour after the initial execution on the beachhead, a Cobalt Strike beacon was also executed with\r\nrundll32.\r\nPrivilege Escalation\r\nThe threat actors made use of pass the hash techniques to try to escalate privileges during the intrusion. Various\r\naccounts were targeted including a Guest account initially.\r\n\"An account was successfully logged on.\r\nSubject:\r\n Security ID: S-1-5-21-********\r\n Account Name: USER\r\n Account Domain: DOMAIN\r\n Logon ID: 0x1296D94\r\nLogon Information:\r\n Logon Type: 9\r\n Restricted Admin Mode: -\r\n Virtual Account: No\r\n Elevated Token: No\r\nImpersonation Level: Impersonation\r\nNew Logon:\r\n Security ID: S-1-5-21-*******\r\n Account Name: USER\r\n Account Domain: DOMAIN\r\n Logon ID: 0x173D205\r\n Linked Logon ID: 0x0\r\n Network Account Name: Guest\r\n Network Account Domain: .\r\n Logon GUID: {00000000-0000-0000-0000-000000000000}\r\nProcess Information:\r\n Process ID: 0x68c\r\n Process Name: C:\\Windows\\System32\\svchost.exe\r\nNetwork Information:\r\n Workstation Name: -\r\n Source Network Address: ::1\r\n Source Port: 0\r\nDetailed Authentication Information:\r\n Logon Process: seclogo\r\n Authentication Package: Negotiate\r\n Transited Services: -\r\n Package Name (NTLM only): -\r\n Key Length: 0\"\r\nProcess injection was seen from the Cobalt Strike beacon into a svchost 
process running with System level\r\nprivilege.\r\n\"CreateRemoteThread detected:\r\nRuleName: technique_id=T1055,technique_name=Process Injection\r\nUtcTime: ***\r\nSourceProcessGuid: {1227cce3-2e6a-60de-f909-000000000700}\r\nSourceProcessId: 8924\r\nSourceImage: C:\\Windows\\System32\\rundll32.exe\r\nTargetProcessGuid: {1227cce3-2032-60de-5c08-000000000700}\r\nTargetProcessId: 6192\r\nTargetImage: C:\\Windows\\System32\\svchost.exe\r\nNewThreadId: 8916\r\nStartAddress: 0x00000243EFCA0002\r\nStartModule: -\r\nStartFunction: -\"\r\nDefense Evasion\r\nWhile in the environment they injected Cobalt Strike beacons into many processes.\r\nProcesses with CS beacon injected or running\r\nhttps://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/\r\nPage 6 of 23\n\n.Pid .ProcessName .CommandLine\r\n4076 svchost.exe C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\r\n2428 taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}\r\n576 winlogon.exe winlogon.exe\r\n560 winlogon.exe winlogon.exe\r\n4024 taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}\r\n3408 explorer.exe C:\\Windows\\Explorer.EXE\r\n560 winlogon.exe winlogon.exe\r\n2340 explorer.exe C:\\Windows\\Explorer.EXE\r\n4156 dllhost.exe C:\\Windows\\syswow64\\dllhost.exe\r\n4240 cmd.exe C:\\Windows\\system32\\cmd.exe /C time\r\n4216 winlogon.exe winlogon.exe\r\n2516 taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}\r\n1828 explorer.exe C:\\Windows\\Explorer.EXE\r\n5128 dllhost.exe C:\\Windows\\syswow64\\dllhost.exe\r\n3208 taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}\r\n6192 svchost.exe\r\nC:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup -s\r\nWpnUserService\r\n8400 explorer.exe C:\\Windows\\Explorer.EXE\r\n3796 SecurityHealthSystray.exe “C:\\Windows\\System32\\SecurityHealthSystray.exe”\r\n8924 rundll32.exe\r\nrundll32.exe\r\nC:\\Users\\USER\\AppData\\Local\\Temp\\7A86.dll,DllRegisterServer\r\n5284 dllhost.exe 
C:\\Windows\\system32\\dllhost.exe\r\n504 svchost.exe C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup\r\n3252 taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}\r\n656 winlogon.exe winlogon.exe\r\n5656 explorer.exe C:\\Windows\\Explorer.EXE\r\nhttps://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/\r\nPage 7 of 23\n\n5964 svchost.exe\r\nC:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p -s\r\ncbdhsvc\r\nCredential Access\r\nThe threat actors were seen dumping credentials out of lsass memory across the domain.\r\nDiscovery\r\nThe BazarLoader malware on the beachhead began discovery actions around 20 minutes after the initial execution.\r\nThe discovery commands utilize the familiar built in Microsoft utilities.\r\nnltest /domain_trusts /all_trusts\r\nnet localgroup \"administrator\"\r\nnet group \"domain admins\" /dom\r\nC:\\Windows\\system32\\net1 group \"domain admins\" /dom\r\nThe Cobalt Strike beacon ran additional discovery tasks on the beachhead. 
Again, built-in Microsoft utilities were\r\nutilized.\r\nC:\\Windows\\system32\\cmd.exe /C systeminfo\r\nC:\\Windows\\system32\\cmd.exe /C ping DOMAINCONTROLLER\r\nC:\\Windows\\system32\\cmd.exe /C ping ENDPOINT\r\nC:\\Windows\\system32\\cmd.exe /C net localgroup Administrators\r\nC:\\Windows\\System32\\Taskmgr.exe\r\nThroughout the intrusion the threat actor checked the time of systems with:\r\nC:\\Windows\\system32\\cmd.exe /C time\r\nFrom an svchost process injected with a Cobalt Strike beacon, SMB scanning was performed across the\r\nenvironment.\r\nFrom the domain controller the threat actor ran an encoded PowerShell command to review the size and condition\r\nof hard drives across the environment.\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\npowershell -nop -exec bypass -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbAB\r\nDecoded:\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:33242/'); Get-WmiObject -Class win32_logicalDis\r\nPowerSploit modules like Get-NetComputer were seen used by the threat actor from the domain controller.\r\nIEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:36595/'); Get-NetComputer -ping -operatingsyste\r\nThe script Get-DataInfo.ps1, which has been used in many intrusions this past year, was also employed. This file\r\nwas started by the use of start.bat, which has been seen paired with this script repeatedly.\r\nC:\\Windows\\system32\\cmd.exe /c \"C:\\\\Users\\\\info\\\\start.bat\"\r\npowershell.exe -executionpolicy remotesigned -File .\\Get-DataInfo.ps1 method\r\nThe contents of Get-DataInfo.ps1 provide the threat actor with very specific details of the environment. 
This\r\nincludes things like disk size, connectivity, antivirus software, and backup software.\r\nThis script was first reported as used by threat actors deploying the Ryuk ransomware strain.\r\nThe Microsoft Active Directory PowerShell module was also imported and used for discovery tasks.\r\nGet-ADComputer -Filter {enabled -eq $true} -properties *|select Name, DNSHostName, OperatingSystem, LastLogonDa\r\nLateral Movement\r\nFor lateral movement the threat actors relied heavily on copying executable files over SMB and then executing\r\nthem via remote WMIC calls.\r\nC:\\Windows\\system32\\cmd.exe /C wmic /node:\"DOMAINCONTROLLER\" process call create \"C:\\3.exe\"\r\nWhile executables and wmic were the preferred options for the threat actor, they did employ several other\r\ntechniques.\r\nRemote Cobalt Strike beacons were started with services and PowerShell several times in the environment.\r\nDuring the final stages the threat actor used RDP to move between a few servers as part of their final actions.\r\nAt that time, a Cobalt Strike beacon executable was executed as a service on a remote host for testing the final\r\nransom deployment.\r\nCommand and Control\r\nBazarLoader:\r\n34.219.130.241:443\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: e35df3e00ca4ef31d42b34bebaa2f86e\r\nCertificate: [ff:5f:80:d9:5b:9b:b1:d7:2e:49:c7:96:87:8e:7d:76:6e:67:e3:94]\r\nNot Before: 2021/06/28 07:41:39 UTC\r\nNot After: 2022/06/28 07:41:39 UTC\r\nIssuer Org: NN Fern\r\nSubject Common: forenzik.kz\r\nSubject Org: NN Fern\r\nPublic Algorithm: rsaEncryption\r\n13.56.161.214:443\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: e35df3e00ca4ef31d42b34bebaa2f86e\r\nCertificate: [d9:80:5b:d4:7a:40:21:54:ec:10:49:d4:ee:38:57:e2:2b:b8:25:f2]\r\nNot Before: 2021/06/28 07:54:14 UTC\r\nNot 
After: 2022/06/28 07:54:14 UTC\r\nIssuer Org: NN Fern\r\nSubject Common: forenzik.kz\r\nSubject Org: NN Fern\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike:\r\nsammitng.com (162.244.83.216) – This Cobalt Strike server was added to our Threat Feed on 07/01/2021.\r\nThis server was seen communicating with multiple internal systems:\r\nhttps://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/\r\nPage 12 of 23\n\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [07:6f:84:54:eb:a9:26:a6:c8:4b:fd:e8:0e:95:e0:a6:62:b2:01:ae]\r\nNot Before: 2021/06/25 05:11:41 UTC\r\nNot After: 2021/09/23 05:11:40 UTC\r\nIssuer Org: Let's Encrypt\r\nSubject Common: sammitng.com [sammitng.com ,www.sammitng.com ]\r\nPublic Algorithm: rsaEncryption\r\n{\r\n \"x86\": {\r\n \"sha1\": \"6a31edc3e73957bb25e51abfd4efb4fd5eb51dbc\",\r\n \"time\": 1625176656098.3,\r\n \"md5\": \"29154f55df2171ccfe6316a77496d451\",\r\n \"sha256\": \"c867fbc963c6975918f6744e196e0cc648777c7252ca740254e6eed9918c6fd1\",\r\n \"config\": {\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"Polling\": 5000,\r\n \"Port\": 80,\r\n \"Jitter\": 10,\r\n \"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n \"Method 2\": \"POST\",\r\n \"C2 Server\": \"162.244.83.216,/jquery-3.3.1.min.js\",\r\n \"Method 1\": \"GET\",\r\n \"Beacon Type\": \"0 (HTTP)\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\"\r\n }\r\nhttps://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/\r\nPage 13 of 23\n\n},\r\n \"x64\": {\r\n \"sha1\": \"856366815cac27775b944a236ad3a6f523a4136d\",\r\n \"time\": 1625176667352.5,\r\n \"md5\": \"b656845e2755920db24364b42ce2ea18\",\r\n \"sha256\": \"5c649554d9ea77e98dbf0df0d4010255075c6c5324fc7526c667a180c06a050a\",\r\n \"config\": {\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"Polling\": 5000,\r\n \"Port\": 80,\r\n \"Jitter\": 10,\r\n \"HTTP Method Path 2\": 
\"/jquery-3.3.2.min.js\",\r\n \"Method 2\": \"POST\",\r\n \"C2 Server\": \"162.244.83.216,/jquery-3.3.1.min.js\",\r\n \"Method 1\": \"GET\",\r\n \"Beacon Type\": \"0 (HTTP)\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\"\r\n }\r\n }\r\n}\r\n{\r\n \"x86\": {\r\n \"sha1\": \"c07dbec39149a3bb20a54b9eeb2e453a7c5bdd2f\",\r\n \"time\": 1625176651726.3,\r\n \"md5\": \"a5daabadee5233ad9941b39e39f6ce7b\",\r\n \"sha256\": \"bea4dcabc10ad8b7ef79579a1c511ec42cb98ddd1cf607a5a5ee369b28aa144b\",\r\n \"config\": {\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"Polling\": 5000,\r\n \"Port\": 443,\r\n \"Jitter\": 10,\r\n \"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n \"Method 2\": \"POST\",\r\n \"C2 Server\": \"sammitng.com,/jquery-3.3.1.min.js\",\r\n \"Method 1\": \"GET\",\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\"\r\n }\r\n },\r\n \"x64\": {\r\n \"sha1\": \"7ed8d5a2e09d48ccb84d790abfa7a1556b9d4990\",\r\n \"time\": 1625176660366.2,\r\n \"md5\": \"72296b01b37d6baefaecbc5bdecfadb6\",\r\n \"sha256\": \"31f8ad3f818ef0635109cecfff8f2e03f5e47a9a62a2fe548bc10393e3318d4f\",\r\n \"config\": {\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost.exe\",\r\n \"Polling\": 5000,\r\nhttps://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/\r\nPage 14 of 23\n\n\"Port\": 443,\r\n \"Jitter\": 10,\r\n \"HTTP Method Path 2\": \"/jquery-3.3.2.min.js\",\r\n \"Method 2\": \"POST\",\r\n \"C2 Server\": \"sammitng.com,/jquery-3.3.1.min.js\",\r\n \"Method 1\": \"GET\",\r\n \"Beacon Type\": \"8 (HTTPS)\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost.exe\"\r\n }\r\n }\r\n}\r\nIn addition to these command and control methods, one more network anomaly was observed. 
This was not used\r\nfor primary command and control, and the amount of data sent was small, so we do not know the full intentions of\r\nthe activity, but several critical systems like domain controllers and file servers made connections to TOR nodes\r\ninitiated by the threat actors.\r\nExfiltration\r\nOn the second day of the intrusion the threat actor downloaded WinSCP to the file server and proceeded to install\r\nthe program there.\r\nC:\\Users\\REDACTED\\AppData\\Local\\Temp\\1\\is-HCFKT.tmp\\WinSCP-5.19.1-Setup.tmp\" /SL5=\"$A02B0,10288106,864256,C:\\Us\r\nThe threat actor then proceeded to connect over port 22 to a server in Romania.\r\nAs the traffic was encrypted we can’t conclusively determine what data was exfiltrated. However, we can infer that\r\nthe choice to deploy on the file server was due to the data present and the ease of moving it.\r\nAnother data point is that, following the exfiltration, canary documents present in the shares reported being\r\nopened from an IP on a Virtual Private Host provider in New York, USA.\r\nImpact\r\nDuring the overnight hours of the 2nd day the threat actors began moving on their final objectives. This included\r\ntesting their ransomware in the compromised environment before deploying across the domain.\r\nThey initiated RDP connections and transferred a Cobalt Strike beacon executable file to an endpoint not yet interacted with by\r\nthe threat actors. 
The threat actor then transferred a Conti executable file named test.exe to several endpoints.\r\nThese test ransom files were then called remotely using wmic, as seen in the previous lateral movement activity.\r\nC:\\Windows\\system32\\cmd.exe /C wmic /node:\"ENDPOINT\" process call create \"C:\\test.exe\"\r\nAfter testing on several endpoints, the threat actors dropped a renamed version of the file on several servers in the\r\nenvironment and executed it by hand using their RDP session.\r\nWhen executed in this manner, the ransomware payload attempts to spread laterally over SMB.\r\nFrom there, the threat actors left the environment with this note and domain wide encryption completed about 32\r\nhours after the initial beachhead BazarLoader was executed.\r\nIOCs\r\nNetwork\r\n34.219.130.241|443\r\n13.56.161.214|443\r\n31.14.40.160|22\r\nsammitng.com\r\n162.244.83.216|80\r\nFile\r\n24f692b4ee982a145abf12c5c99079cfbc39e40bd64a3c07defaf36c7f75c7a9.exe\r\nbackup.exe\r\n7A86.dll\r\n162.244.83.216-cs.exe\r\n3.exe\r\nGet-DataInfo.ps1\r\nstart.bat\r\nDetections\r\nNetwork\r\nET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)\r\nET MALWARE Observed Malicious SSL Cert (Bazar CnC)\r\nET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M2\r\nET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile Response\r\nET POLICY TLS possible TOR SSL traffic\r\nET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 234\r\nET HUNTING Possible Powershell .ps1 Script Use Over SMB\r\nET POLICY Possible WMI .mof Managed Object File Use Over SMB\r\nET POLICY SMB2 NT Create AndX Request For a .bat File\r\nET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement\r\nET POLICY SMB2 NT Create AndX Request For an Executable 
File\r\nhttps://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/\r\nPage 18 of 23\n\nET POLICY SMB2 NT Create AndX Request For a Powershell .ps1 File\r\nET SCAN Behavioral Unusual Port 135 traffic Potential Scan or Infection\r\nSigma\r\nCobaltStrike Service Installations\r\nSuspicious Remote Thread Created\r\nDomain Trust Discovery Quick Execution of a Series of Suspicious Commands\r\nPass the Hash Activity 2\r\nSuspicious WMI Execution\r\nSuccessful Overpass the Hash Attempt\r\nEncoded IEX\r\nYara\r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2021-09-01\r\nIdentifier: 5087\r\nReference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nrule case_5087_start_bat {\r\n meta:\r\n description = \"Files - file start.bat\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-08-30\"\r\n hash1 = \"63de40c7382bbfe7639f51262544a3a62d0270d259e3423e24415c370dd77a60\"\r\n strings:\r\n $x1 = \"powershell.exe Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force\" fullword ascii\r\n $x2 = \"powershell.exe -executionpolicy remotesigned -File .\\\\Get-DataInfo.ps1 %method\" fullword ascii\r\n $x3 = \"powershell.exe -executionpolicy remotesigned -File .\\\\Get-DataInfo.ps1 %1)\" fullword ascii\r\n $s4 = \"set /p method=\\\"Press Enter for collect [all]: \\\"\" fullword ascii\r\n $s5 = \"echo \\\"Please select a type of info collected:\\\"\" fullword ascii\r\n $s6 = \"echo \\\"all ping disk soft noping nocompress\\\"\" fullword ascii\r\n condition:\r\n filesize \u003c 1KB and all of them\r\nhttps://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/\r\nPage 19 of 23\n\n}\nrule case_5087_3 {\n meta:\n description = \"Files - file 3.exe\"\n author = \"The DFIR Report\"\n reference = \"https://thedfirreport.com/\"\n date = \"2021-08-30\"\n hash1 = 
\"37b264e165e139c3071eb1d4f9594811f6b983d8f4b7ef1fe56ebf3d1f35ac89\"\n strings:\n $s1 = \"https://sectigo.com/CPS0\" fullword ascii\n $s2 = \"?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v\" fullword ascii\n $s3 = \"2http://crl.comodoca.com/AAACertificateServices.crl04\" fullword ascii\n $s4 = \"3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%\" fullword ascii\n $s5 = \" \" fullword ascii\n $s6 = \"http://ocsp.sectigo.com0\" fullword ascii\n $s7 = \"2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#\" fullword ascii\n $s8 = \"2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s\" fullword ascii\n $s9 = \"ealagi@aol.com0\" fullword ascii\n $s10 = \"bhfatmxx\" fullword ascii\n $s11 = \"orzynoxl\" fullword ascii\n $s12 = \" \" fullword ascii\n $s13 = \" \" fullword ascii\n $s14 = \" \" fullword ascii\n $s15 = \"O:\\\\-e%\" fullword ascii\n $s16 = \" \" fullword ascii\n $s17 = \" \" fullword ascii\n $s18 = \" \" fullword ascii\n $s19 = \" \" fullword ascii\n $s20 = \" \" fullword ascii\n condition:\n uint16(0) == 0x5a4d and filesize \u003c 1000KB and 8 of them\n}\nrule case_5087_7A86 {\n meta:\n description = \"Files - file 7A86.dll\"\n author = \"The DFIR Report\"\n reference = \"https://thedfirreport.com/\"\n date = \"2021-08-30\"\n hash1 = \"9d63a34f83588e208cbd877ba4934d411d5273f64c98a43e56f8e7a45078275d\"\n strings:\n $s1 = \"ibrndbiclw.dll\" fullword ascii\n $s2 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\n $s3 = \"Type Descriptor'\" fullword ascii\nhttps://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/\nPage 20 of 23\n\n$s4 = \"operator co_await\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 500KB and all of them\r\n}\r\n rule case_5087_24f692b4ee982a145abf12c5c99079cfbc39e40bd64a3c07defaf36c7f75c7a9 {\r\n meta:\r\n description = \"Files - file 24f692b4ee982a145abf12c5c99079cfbc39e40bd64a3c07defaf36c7f75c7a9.exe\"\r\n author = \"The DFIR Report\"\r\n reference = 
\"https://thedfirreport.com/\"\r\n date = \"2021-08-30\"\r\n hash1 = \"24f692b4ee982a145abf12c5c99079cfbc39e40bd64a3c07defaf36c7f75c7a9\"\r\n strings:\r\n $s1 = \"fbtwmjnrrovmd.dll\" fullword ascii\r\n $s2 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n $s3 = \" Type Descriptor'\" fullword ascii\r\n $s4 = \"operator co_await\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 900KB and all of them\r\n}\r\nMITRE\r\nhttps://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/\r\nPage 21 of 23\n\nPass the Hash – T1550.002\r\nProcess Injection – T1055\r\nPowerShell – T1059.001\r\nRemote System Discovery – T1018\r\nService Execution – T1569.002\r\nWindows Command Shell – T1059.003\r\nAccount Discovery – T1087\r\nDomain Trust Discovery – T1482\r\nSystem Information Discovery – T1082\r\nRemote Services – T1021\r\nWindows Management Instrumentation – T1047\r\nExfiltration Over Alternative Protocol – T1048\r\nRemote Desktop Protocol – T1021.001\r\nSMB/Windows Admin Shares – T1021.002\r\nData Encrypted for Impact – T1486\r\nSecurity Software Discovery – T1518.001\r\nQuery Registry – T1012\r\nhttps://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/\r\nPage 22 of 23\n\nInternal case # 5087\r\nSource: https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/\r\nhttps://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/\r\nPage 23 of 23",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/"
	],
	"report_names": [
		"bazarloader-to-conti-ransomware-in-32-hours"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434530,
	"ts_updated_at": 1775791228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/476b03b0c91dbbdceefb1567f94c989c073685fc.pdf",
		"text": "https://archive.orkl.eu/476b03b0c91dbbdceefb1567f94c989c073685fc.txt",
		"img": "https://archive.orkl.eu/476b03b0c91dbbdceefb1567f94c989c073685fc.jpg"
	}
}