{
	"id": "cb6a35fd-ede2-4d90-810d-282738cb7b4d",
	"created_at": "2026-04-06T00:18:59.145312Z",
	"updated_at": "2026-04-10T03:21:08.060544Z",
	"deleted_at": null,
	"sha1_hash": "71075ae026e71c5a64fdef54478f66d64aa8e901",
	"title": "April 2021 Forensic Quiz: Answers and Analysis - SANS ISC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3678743,
	"plain_text": "April 2021 Forensic Quiz: Answers and Analysis - SANS ISC\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 23:42:44 UTC\r\nIntroduction\r\nThanks to everyone who participated in our forensic quiz originally posted on April 1st, 2021.  We received 22\r\nsubmissions through our contact page, and two people had all the correct answers.  Unfortunately, we can only\r\npick one winner for the contest.  In this case, our winner was the first to submit the correct information.  Join us in\r\ncongratulating this month's winner, Alex Rodriguez-Vargas!  Alex will receive this month's prize: a Raspberry Pi 4\r\nkit.\r\nSeveral people came close and almost had everything.  This exercise required reviewing both the pcap and\r\nmalware recovered from the infected Windows host.  You can still find the pcap and malware here.\r\nThe pcap of infection traffic for this quiz was generated from a spreadsheet retrieved when I recorded this Youtube\r\nvideo.  The pcap in this month's quiz starts during HTTPS traffic to the \"unsubscribe\" page seen in the video.\r\nShown above:  Pcap from this quiz filtered in Wireshark, and a list of the malware/artifacts.\r\nhttps://isc.sans.edu/diary/27308\r\nPage 1 of 8\n\nAnswers\r\nIP address of the infected Windows computer:\r\n192.168.5.125\r\nHost name of the infected Windows computer:\r\nLAPTOP-X9NAQ2EU\r\nUser account name on the infected Windows computer:\r\nwilmer.coughlin\r\nDate and time the infection activity began in UTC (the GMT or Zulu timezone):\r\n2021-03-29 at 22:18 UTC\r\nNOTE: The infection activity could be considered as early as 22:15 UTC which is when the malicious\r\ndomain gtmers[.]xyz appears.  
Or it could be considered as late as 22:22 UTC, which is when the\r\nspreadsheet macro successfully downloaded a malicious EXE for BazarLoader.\r\nThe family or families of malware on the infected computer:\r\nBazaLoader (BazarLoader)\r\nCobalt Strike\r\nAnchor\r\nTo help in your analysis of this activity, please review the Prerequisites section in our original blog for this quiz.\r\nBazaLoader (BazarLoader) Activity\r\nFrom the malware archive in the Downloads directory under wilmer.coughlin, there is an Excel spreadsheet\r\nnamed subscription_1617056233.xlsb.  This spreadsheet has malicious macros.  I submitted it to the Triage\r\nHatching sandbox, and it generated the following traffic:\r\nhxxp://veso2[.]xyz/campo/r/r1\r\nIn the pcap, this URL caused a redirect.  First it redirected to:\r\nhxxp://admin.youglessindia[.]in/theme/js/plugins/rt3ret3.exe\r\nBut that follow-up URL did not return any malware.  This happened while I was still recording the YouTube\r\nvideo.  At the video's 10-minute mark, I enabled macros on the malicious spreadsheet, but nothing apparently\r\nhappened.  So the call center operator had me re-open the spreadsheet and enable macros again.  That second time,\r\nthe campo URL redirected to:\r\nhxxp://veso2[.]xyz/uploads/files/rt3ret3.exe\r\nThe above URL returned a Windows executable (EXE) file.  
This EXE from the pcap has the same SHA256 hash\r\nas the file located in our malware archive at:\r\nProgramData\\huqvg\\huqvg.exe\r\nOf note, opening the spreadsheet and enabling macros generated the following artifacts:\r\nUsers\\Public\\4123.do1\r\nUsers\\Public\\4123.xlsb\r\nUsers\\Public\\4123.xsg\r\nTraffic caused by BazaLoader (BazarLoader) in this pcap is:\r\n176.111.174[.]53 port 80 - veso2[.]xyz - POST /campo/r/r1\r\n104.21.74[.]174 port 80 - admin.youglessindia[.]in - POST /theme/js/plugins/rt3ret3.exe\r\n176.111.174[.]53 port 80 - veso2[.]xyz - POST /uploads/files/rt3ret3.exe\r\n54.184.119[.]29 port 443 - HTTPS traffic\r\n184.72.1[.]208 port 443 - HTTPS traffic\r\nport 80 - api.ip[.]sb - GET /ip\r\nOf note, the last entry above is an IP address check by the infected Windows host.  I don't normally see that with\r\nBazaLoader activity, but I could not positively attribute it to any of the other malware activity in this pcap.\r\nShown above:  Some of the BazaLoader traffic from this infection.\r\nCobalt Strike Activity\r\nCobalt Strike was sent through encrypted HTTPS traffic generated by BazaLoader.  A DLL for Cobalt Strike was\r\nsaved to the infected host at:\r\nC:\\Users\\wilmer.coughlin\\AppData\\Local\\Temp\\C618.tmp.dll\r\nThe run method for the above Cobalt Strike DLL is:\r\nrundll32.exe [filename],lowslow\r\nThis generated the following Cobalt Strike traffic:\r\n217.12.218[.]46 port 80 - 217.12.218[.]46 - GET /YPbR\r\n217.12.218[.]46 port 80 - onedrive.live[.]com - GET /preload?manifest=wac\r\n217.12.218[.]46 port 80 - onedrive.live[.]com - GET /sa\r\nThere was a great deal of HTTP traffic generated by Cobalt Strike, about 40 to 60 HTTP requests every\r\nminute.  Of note, the domain onedrive.live[.]com, which appears in the HTTP Host header of these requests, does not\r\nresolve to 217.12.218[.]46.  The beacon simply sends a legitimate-looking Host header while talking to the attacker's\r\nserver, which means this is a deception intentionally generated by the malware.  
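Added example (this is not code from the original diary or from the SANS ISC): a small Python triage script that applies the two network checks this analysis relies on, the Host header deception just described and the long-subdomain DNS queries covered in the Anchor Activity section that follows. The IP addresses, domains and URIs in the sample records are the ones this diary lists; the DNS answer records, the hex-looking Anchor subdomain labels, the capture order and the detection thresholds are constructed assumptions for the demonstration, not values taken from the pcap.

```python
from collections import defaultdict
import math

# Constructed sample records standing in for fields exported from the quiz pcap
# (for example via tshark). IPs, domains and URIs below are the ones the diary
# lists; the DNS answer records, the hex-looking Anchor subdomain labels and
# the capture order are made up for this demonstration.
DNS_ANSWERS = [  # (queried name, answer IP) taken from DNS responses
    ('veso2.xyz', '176.111.174.53'),
    ('admin.youglessindia.in', '104.21.74.174'),
]
HTTP_REQUESTS = [  # (destination IP, Host header, method, URI)
    ('176.111.174.53', 'veso2.xyz', 'POST', '/campo/r/r1'),
    ('104.21.74.174', 'admin.youglessindia.in', 'POST', '/theme/js/plugins/rt3ret3.exe'),
    ('217.12.218.46', '217.12.218.46', 'GET', '/YPbR'),
    ('217.12.218.46', 'onedrive.live.com', 'GET', '/preload?manifest=wac'),
    ('217.12.218.46', 'onedrive.live.com', 'GET', '/sa'),
]
DNS_QUERIES = [  # query names in capture order; the 40-char labels are constructed
    'veso2.xyz',
    'checkip.amazonaws.com',
    'xyskencevli.com',
    'sluaknhbsoe.com',
    '4d2a1f9e8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e.sluaknhbsoe.com',
    '9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b.sluaknhbsoe.com',
    'e1d2c3b4a5f6e7d8c9b0a1f2e3d4c5b6a7f8e9d0.sluaknhbsoe.com',
]


def is_ip_literal(host):
    parts = host.split('.')
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def resolution_map(answers):
    resolved = defaultdict(set)
    for name, ip in answers:
        resolved[name.lower()].add(ip)
    return resolved


def host_header_mismatches(requests, answers):
    '''Return requests whose Host header names a domain that the capture never
    saw resolve to the destination IP. A beacon can put any value in the Host
    header, so a well-known name pointing at an unrelated server is a deception
    indicator (not proof that the peer is the named service).'''
    resolved = resolution_map(answers)
    findings = []
    for dst, host, method, uri in requests:
        host = host.lower()
        if is_ip_literal(host):
            continue  # bare-IP Host header: nothing to cross-check against DNS
        if dst not in resolved.get(host, set()):
            findings.append((dst, host, method + ' ' + uri))
    return findings


def shannon_entropy(text):
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    labels = name.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])  # fine for .com/.xyz; use a public suffix list for ccSLDs


def dns_tunnel_candidates(queries, min_label=30, min_entropy=3.5, min_distinct=3):
    '''Group queries by registered domain and flag domains that receive several
    distinct, long, high-entropy subdomain labels: the shape of data being
    carried out in query names, as the diary describes for Anchor DNS.
    The thresholds are assumptions to tune against a baseline of normal DNS.'''
    per_domain = defaultdict(set)
    for q in queries:
        per_domain[registered_domain(q)].add(q.lower().rstrip('.'))
    flagged = []
    for domain, names in per_domain.items():
        suspicious = set()
        for n in names:
            sub = n[:-len(domain) - 1] if n != domain else ''
            for label in sub.split('.'):
                if len(label) >= min_label and shannon_entropy(label) >= min_entropy:
                    suspicious.add(label)
        if len(suspicious) >= min_distinct:
            flagged.append(domain)
    return sorted(flagged)


if __name__ == '__main__':
    for finding in host_header_mismatches(HTTP_REQUESTS, DNS_ANSWERS):
        print('Host header mismatch:', finding)
    for domain in dns_tunnel_candidates(DNS_QUERIES):
        print('possible DNS tunnel domain:', domain)
```

To run it against a real capture, export the same fields with tshark (for instance ip.dst, http.host and http.request.uri for requests, and dns.qry.name with dns.a for responses) into the tuple shapes above. Treat the Host header check as a screen rather than proof: a CDN front end, a forward proxy or a stale resolver cache can also give a Host value the capture never saw resolve to the destination, and a bare-IP Host header, as with the /YPbR request, yields nothing to cross-check.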
During the Cobalt Strike traffic, seven HTTP requests to\r\ncheckip.amazonaws[.]com appear as the infected Windows host periodically checks its IP address.\r\nShown above:  Start of Cobalt Strike activity in the pcap.\r\nAnchor Activity\r\nAnchor DNS malware uses DNS queries to communicate covertly with its C2 servers.  Our pcap contains DNS\r\nactivity that follows patterns reported for Anchor.  The associated domains are:\r\nsluaknhbsoe[.]com\r\nxyskencevli[.]com\r\nThe domain xyskencevli[.]com did not resolve, but sluaknhbsoe[.]com did.  The pcap contains several DNS\r\nqueries with long strings as subdomains of sluaknhbsoe[.]com.\r\nShown above:  DNS traffic caused by Anchor DNS malware.\r\nThis type of DNS tunneling does not rely on direct contact with the C2 domain: the infected host only talks to its\r\nnormal DNS resolver, which forwards each query through the DNS hierarchy to the attacker's authoritative name\r\nserver, so the data encoded in the subdomain reaches the C2 without any direct connection to it.  Malware families\r\nlike Anchor use this method to disguise tunneling from an infected Windows host.  However, we can easily spot the\r\nunusual DNS queries in the pcap: many long subdomain labels under a single domain.\r\nOf note, the following binaries are included in the malware archive:\r\nWindows\\Temp\\adf\\anchor_x64.exe\r\nWindows\\Temp\\adf\\anchorAsjuster_x64.exe\r\nWindows\\Temp\\adf\\anchorDNS_x64.exe\r\nThe malware archive also contains a scheduled task at:\r\nWindows\\System32\\Tasks\\Sun SvcRestartTask#32640\r\nThis shows a task to run the following command:\r\nWindows\\Temp\\adf\\anchorDNS_x64.exe -s\r\nThe task is designed to keep Anchor DNS malware persistent on the infected Windows host.\r\nShown above:  Scheduled task for Anchor malware.\r\nIndicators of Compromise (IOCs)\r\nSHA256 hash: ae6dbc08e0e21b217352175f916cfd5269c4fd8d5de6bff2d0a93a366f78e8d1\r\nFile size: 181,413 bytes\r\nFile name: subscription_1617056233.xlsb\r\nFile description: Spreadsheet with macros for BazaLoader (BazarLoader)\r\nSHA256 hash: 291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b\r\nFile size: 242,176 bytes\r\nFile location: 
hxxp://veso2[.]xyz/uploads/files/rt3ret3.exe\r\nFile location: C:\\ProgramData\\huqvg\\huqvg.exe\r\nFile description: EXE for BazaLoader (BazarLoader)\r\nSHA256 hash: cc74f7e82eb33a14ffdea343a8975d8a81be151ffcb753cb3f3be10242c8a252\r\nFile size: 299,520 bytes\r\nFile location: C:\\Users\\wilmer.coughlin\\AppData\\Local\\Temp\\C618.tmp.dll\r\nFile description: DLL for Cobalt Strike\r\nRun method: rundll32.exe [filename],lowslow\r\nSHA256 hash: 3ab8a1ee10bd1b720e1c8a8795e78cdc09fec73a6bb91526c0ccd2dc2cfbc28d\r\nFile size: 251,904 bytes\r\nFile location: C:\\Windows\\Temp\\adf\\anchorAsjuster_x64.exe\r\nFile description: Anchor malware EXE (1 of 3)\r\nNote: This is not inherently malicious on its own, but can be used to run the other two Anchor files.\r\nSHA256 hash: a8a8c66b155fcf9bfdf34ba0aca98991440c3d34b8a597c3fdebc8da251c9634\r\nFile size: 347,648 bytes\r\nFile location: C:\\Windows\\Temp\\adf\\anchor_x64.exe\r\nFile description: Anchor malware EXE (2 of 3)\r\nSHA256 hash: 9fdbd76141ec43b6867f091a2dca503edb2a85e4b98a4500611f5fe484109513\r\nFile size: 347,648 bytes\r\nFile location: C:\\Windows\\Temp\\adf\\anchorDNS_x64.exe\r\nFile description: Anchor malware EXE (3 of 3)\r\nHTTPS traffic that returned the malicious spreadsheet:\r\n8.209.100[.]246 port 443 - gtmers[.]xyz\r\nBazaLoader traffic:\r\n176.111.174[.]53 port 80 - veso2[.]xyz - POST /campo/r/r1\r\n104.21.74[.]174 port 80 - admin.yougleeindia[.]in - POST /theme/js/plugins/rt3ret3.exe\r\n176.111.174[.]53 port 80 - veso2[.]xyz - POST /uploads/files/rt3ret3.exe\r\n54.184.119[.]29 port 443 - HTTPS traffic caused by BazaLoader (BazarLoader)\r\n184.72.1[.]208 port 443 - HTTPS traffic caused by BazaLoader (BazarLoader)\r\nIP address checks by the infected Windows host:\r\nport 80 - api.ip[.]sb - GET /ip\r\nport 80 - checkip.amazonaws[.]com - GET /\r\nCobalt Strike traffic:\r\n217.12.218[.]46 port 80 - 217.12.218[.]46 - GET /YPbR\r\n217.12.218[.]46 port 80 - 
onedrive.live[.]com - GET /preload?manifest=wac\r\n217.12.218[.]46 port 80 - onedrive.live[.]com - GET /sa\r\nDomains used by Anchor malware:\r\nsluaknhbsoe[.]com\r\nxyskencevli[.]com\r\nFinal words\r\nAnother case of this type of infection, one where BazaLoader leads to Cobalt Strike and Anchor, was reported here last\r\nmonth.  It even reports the same domains used by Anchor DNS that we see in this month's quiz.\r\nThanks to all who participated, and congratulations again to Alex Rodriguez-Vargas for winning this month's\r\ncontest!\r\nYou can still find the pcap and malware here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/27308",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/27308"
	],
	"report_names": [
		"27308"
	],
	"threat_actors": [],
	"ts_created_at": 1775434739,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/71075ae026e71c5a64fdef54478f66d64aa8e901.pdf",
		"text": "https://archive.orkl.eu/71075ae026e71c5a64fdef54478f66d64aa8e901.txt",
		"img": "https://archive.orkl.eu/71075ae026e71c5a64fdef54478f66d64aa8e901.jpg"
	}
}