{
	"id": "cb5c7e70-d369-4172-9e17-52251e6103f4",
	"created_at": "2026-04-10T03:20:04.49568Z",
	"updated_at": "2026-04-10T13:12:23.484951Z",
	"deleted_at": null,
	"sha1_hash": "a0200b1812cdf7beb84e17c8a6a056f1799c38af",
	"title": "BazarCall to Conti Ransomware via Trickbot and Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2335522,
	"plain_text": "BazarCall to Conti Ransomware via Trickbot and Cobalt Strike\r\nBy editor\r\nPublished: 2021-08-01 · Archived: 2026-04-10 02:42:08 UTC\r\nIntro\r\nThis report will go through an intrusion that went from an Excel file to domain wide ransomware. The threat actors used\r\nBazarCall to install Trickbot in the environment which downloaded and executed a Cobalt Strike Beacon. From there the\r\nthreat actor discovered the internal network before moving laterally to a domain controller for additional discovery. A couple\r\ndays later, the threat actors came back and executed Conti ransomware across the domain.\r\nUnfamiliar with BazaCall/BazarCall? Read more here from @MsftSecIntel, @dreadphones, \u0026 @JCearbhall and here from\r\n@Unit42_Intel \u0026 @malware_traffic.\r\nSummary\r\nIn this intrusion, we observed a number of interesting techniques being leveraged by the threat actors. The threat actors were\r\nable to go from initial access to the deployment of Conti ransomware in a matter of hours. The Conti operators chose to wait\r\na couple days before ransoming the environment. Even though most of the techniques aren’t new or advanced, they have\r\nproven to be effective. We have observed the same techniques in other intrusions and understanding these techniques will\r\nallow defenders to disrupt such intrusion activity and deny it in their own networks. \r\nThe Trickbot payload came from a phishing campaign associated with BazarCall, delivering weaponized XLSB files. Upon\r\nexecution, certutil.exe was copied to %programdata% and renamed with random alphanumeric characters. Certutil was used\r\nto download and load the Trickbot DLL into memory. Trickbot was automatically tasked to inject into the wermgr.exe\r\nprocess and use its well-known “pwgrab” module to steal browser credentials. As part of further automated tasking, Trickbot\r\nperformed an initial reconnaissance of the environment using native Windows tools such as nltest.exe and net.exe. 
\r\nFirst hands-on activity was observed two hours after initial compromise, when Trickbot downloaded and executed Cobalt\r\nStrike Beacons. To guarantee execution on the beachhead host, multiple payloads were used. One of the Cobalt Strike\r\nBeacons was the same payload and command and control infrastructure as used in a prior case. The initial access method for\r\nthat case was IcedID, which shows that the threat actors utilize various initial access methods to get into environments and\r\naccomplish their goals.\r\nOnce access through Cobalt Strike was established, the threat actors immediately proceeded with domain enumeration via\r\nNltest, AdFind, BloodHound, and PowerSploit. Presence was then expanded on the beachhead by using a PowerShell loader\r\nto execute additional Beacons.\r\nWe observed the threat actors having technical issues. One example being with a Beacon unsuccessfully injecting into a\r\nprocess. It is unclear if this was an untrained actor, or there was a configuration issue.\r\nFifteen minutes after domain enumeration, we observed successful lateral movement to two endpoints on the network. Ten\r\nminutes after lateral movement, a PowerShell Cobalt Strike loader executed as a service on a server. Even though the\r\nexecution was not successful, the threat actors kept trying, a total of eight times, until it finally worked. Windows Defender\r\nreal-time monitoring was then disabled, the LSASS.exe process was dumped using SysInternals ProcDump, and privilege\r\nwas escalated to “SYSTEM” using named pipe impersonation. \r\nAlmost four hours after initial execution, the threat actors pivoted to a domain controller using domain admin credentials\r\nand executed a Cobalt Strike Beacon. Once they had domain controller access, ntdsutil was used to take a snapshot of\r\n“ntds.dit”, saved under “C:\\Perflogs\\1”, for offline password hash extraction. This is a technique that we don’t see very\r\noften, but effective nevertheless. 
\r\nThe threat actors then reran many of the same discovery techniques that were previously executed on the beachhead,\r\nincluding AdFind and BloodHound. This was the last observed hands-on-keyboard activity for a while. \r\nTwo days later, the Cobalt Strike Beacon on the domain controller was once again actively engaged by the threat actors.\r\nPsExec, with two separate batch files, was used to execute Conti ransomware on all domain-joined Windows hosts. This\r\nfinal deployment was executed around 6:45 UTC on a Monday morning.\r\nFrom the point the threat actors returned to ransom deployment took less than 30 minutes. This would give defenders\r\nlittle time to act if they had not identified and contained the activity from the first day of the Trickbot infection.\r\nServices\r\nhttps://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/\r\nPage 1 of 19\n\nWe offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt\r\nStrike, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here.\r\n
Two of the Cobalt\r\nStrike servers used in this intrusion were added to our Threat Feed on 6/3/21 and the other one was added on 6/11/21.\r\nWe also have artifacts available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape\r\npackages, and more, under our Security Researcher and Organization services.\r\nTimeline \r\nAnalysis and reporting completed by @_pete_0 and @kostastsale.\r\nReviewed by @RoxpinTeddy and 1 unnamed contributor.\r\nInitial Access \r\nThe initial access was achieved as a result of the user opening what appeared to be a benign workbook, a lure, requiring little\r\nuser interaction. \r\nThe workbook contained hidden, password-protected worksheets; these were malicious. Module functions also indicated\r\ncode designed to obfuscate and hide true values and functions. \r\nThis document and the following DLL were noted as being associated with a BazarCall campaign by @ffforward.\r\nExecution \r\nFrom the xlsb document, the following execution chain occurs, including copying the Windows CertUtil program and using\r\nthat copy to collect further Trickbot payloads.\r\nWe observed a second stage execution using regsvr32 to load a DLL from the user’s AppData\\Local\\Temp folder. \r\nAlmost immediately an outbound IPv4 address lookup was requested via HTTP. This is usually undertaken to identify the\r\ncompromised environment, and to facilitate C2. The user agent refers to Curl, and was used again for another stage of the\r\nintrusion. \r\nOn the beachhead, multiple executables were saved in a temp directory and then pushed into memory by TrickBot process\r\n“wermgr.exe”.\r\n
The executables were identified as Cobalt Strike and communicated over port 443 to C2 88.80.147[.]101. \r\nA PowerShell download cradle was then used to execute Cobalt Strike Beacon in memory: \r\nPrivilege Escalation \r\nNamed pipe impersonation was used to escalate to SYSTEM privileges – a common Cobalt Strike capability: \r\nWe observed several attempts by the threat actor trying to escalate to SYSTEM – ultimately succeeding, as evident in\r\nseveral new services running under the Local SYSTEM context: \r\nService creation events (System Event ID 7045), coupled with unusual commands and service names, are a strong indication\r\nof privilege escalation activity. RedCanary provided useful background on GetSystem capabilities of offensive security tools\r\nand methods of detection.\r\nDefense Evasion \r\nTrickbot made extensive use of process injection to hide in benign operating system processes. It first injected into\r\nwermgr.exe and then later into svchost.exe. \r\nAnother defense evasion technique employed by Cobalt Strike was to disable Windows Defender. WMIC was used to\r\nremotely execute ‘def.bat’. The contents of ‘def.bat’: \r\nSet-MpPreference -DisableRealtimeMonitoring $true\r\nCredential Access\r\nTrickbot made use of esentutl to gather MSEdge history, webcache, and saved passwords using TrickBot’s “pwgrab”\r\nmodule.\r\nLSASS was dumped remotely using ProcDump. The execution took place from the beachhead using WMIC.\r\n“Ntdsutil” was used to take a snapshot of ntds.dit and save it under “C:\\Perflogs\\1”. This technique is useful for offline\r\npassword hash extraction. This activity occurred twice. The same batch file, ‘12.bat’, was first executed in the context of\r\nSYSTEM; and secondly, in the context of a domain admin user.\r\n
The contents of ‘12.bat’: \r\nntdsutil \"ac in ntds\" \"ifm\" \"cr fu C:\\Perflogs\\1\" q q\r\nDiscovery \r\nNet and Nltest commands were used to gather network and domain reconnaissance. During the intrusion, this activity was\r\nseen multiple times, on multiple hosts. \r\nOther discovery commands included: \r\nsysteminfo\r\nnltest /dclist:\u003chidden\u003e.local\r\nnltest /domain_trusts /all_trusts\r\nnet localgroup Administrators\r\nwhoami.exe\" /groups\r\nAdFind.exe and adf.bat were uploaded to the beachhead. adf.bat was used to execute:\r\nadfind.exe -f \"(objectcategory=person)\"\r\nadfind.exe -f \"(objectcategory=organizationalUnit)\"\r\nadfind.exe -f \"objectcategory=computer\"\r\nadfind.exe -gcb -sc trustdmp\r\nadfind.exe -f \"(objectcategory=group)\"\r\nadfind.exe -subnets -f (objectCategory=subnet)\r\nadfind.exe -sc trustdmp\r\nAdFind results were written to the following locations:\r\nC:\\Windows\\Temp\\adf\\ad_group.txt\r\nC:\\Windows\\Temp\\adf\\trustdmp.txt\r\nC:\\Windows\\Temp\\adf\\subnets.txt\r\nC:\\Windows\\Temp\\adf\\ad_ous.txt\r\nC:\\Windows\\Temp\\adf\\ad_computers.txt\r\nC:\\Windows\\Temp\\adf\\ad_users.txt\r\nOn the beachhead, Cobalt Strike executed BloodHound in memory. The results were saved in:\r\n\"C:\\Windows\\Temp\\Dogi\"\r\nBloodHound was later executed on the domain controller as well. Once again the results were stored in:\r\n\"C:\\Windows\\Temp\\Dogi\"\r\nPowerSploit was loaded into memory on the DC and the following functions were used:\r\nGet-NetSubnet\r\nGet-NetComputer -ping\r\nAn encoded PowerShell command was executed on the domain controller to enumerate all AD joined hosts and save the\r\nresults to:\r\n\"C:\\Users\\AllWindows.csv\"\r\nThe decoded PowerShell command: \r\nLateral Movement \r\nFrom the beachhead, WMIC was used to remotely execute ‘165.bat’ on two other hosts.\r\n
Multiple failed attempts were observed prior to the successful execution of a PowerShell Cobalt Strike loader via a service\r\nwith “SYSTEM” privileges.\r\nDecoded Cobalt Strike shellcode, using Cyber Chef recipe: https://github.com/mattnotmax/cyberchef-recipes#recipe-28—de-obfuscation-of-cobalt-strike-beacon-using-conditional-jumps-to-obtain-shellcode\r\nCommand and Control\r\nMultiple C2 channels were established; some were persistent whilst others appeared to be single purpose – used for payload\r\nretrieval or fallback C2. Persistent C2 activity was Cobalt Strike. The beachhead had multiple C2 channels, two of which\r\nwere unique. We assess that the threat actors were ensuring that the loss of a single C2 source wouldn’t result in losing all C2 to\r\nthe compromised environment. \r\nWe observed a payload being retrieved from a unique IPv4 address, an indication that the threat actors were keeping C2\r\nchannels independent from payload delivery/retrieval. \r\nUsing the Curl 7.74.0 user agent: \r\nAnalysis of this binary shows C2 activity to the following: \r\nThe binary has an unusual PDB string that indicates obfuscation: \r\nThe two persistent C2 channels were analyzed to determine the Cobalt Strike configuration.\r\n
Each C2 channel was\r\nconfigured as follows: \r\n149.248.52[.]187:443 \r\nOnlineworkercz[.]com \r\n(added to Threat Feed on 2021-06-11)\r\n{\r\n \"x86\": {\r\n \"sha1\": \"3f15a07cde64efda49670664af320603cf19e8a3\",\r\n \"sha256\": \"d4ab4ed720d674d4c8c35d48006724a9cf20396e020d5bd6c12fce8d44b8ed5a\",\r\n \"time\": 1623422265288,\r\n \"config\": {\r\n \"Method 1\": \"GET\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\WUAUCLT[.]exe\",\r\n \"Polling\": 55490,\r\n \"HTTP Method Path 2\": \"/media\",\r\n \"Port\": 443,\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\WUAUCLT[.]exe\",\r\n \"Jitter\": 41,\r\n \"C2 Server\": \"onlineworkercz[.]com,/kj\",\r\n \"Method 2\": \"POST\",\r\n \"Beacon Type\": \"8 (HTTPS)\"\r\n },\r\n \"md5\": \"7d9cdea210ed05a1ff96d7ff3e576c11\"\r\n },\r\n \"x64\": {\r\n \"sha1\": \"1d50772d506f1def4bd0659b38cf4cb41df7802c\",\r\n \"sha256\": \"4f009eb4252cf29daa24d1d018815aa228f0c58aba126bff3fec4cd809cd9747\",\r\n \"time\": 1623422268773.6,\r\n \"config\": {\r\n \"Method 1\": \"GET\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\WUAUCLT[.]exe\",\r\n \"Polling\": 55490,\r\n \"HTTP Method Path 2\": \"/zh\",\r\n \"Port\": 443,\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\WUAUCLT[.]exe\",\r\n \"Jitter\": 41,\r\n \"C2 Server\": \"onlineworkercz[.]com,/kj\",\r\n \"Method 2\": \"POST\",\r\n \"Beacon Type\": \"8 (HTTPS)\"\r\n },\r\n \"md5\": \"23135b04a470db515db11e1364e3fcd9\"\r\n }\r\n}\r\n88.80.147[.]101:80 \r\ngmbfrom[.]com \r\n(added to Threat Feed on 2021-06-03)\r\n{\r\n \"x86\": {\r\n \"sha1\": \"b785cae596f7b68376464e3e300fe0aff5bea845\",\r\n \"config\": {\r\n \"Method 2\": \"POST\",\r\n \"Port\": 80,\r\n \"Method 1\": \"GET\",\r\n \"Polling\": 5000,\r\n \"Beacon Type\": \"0 (HTTP)\",\r\n \"Jitter\": 10,\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost[.]exe\",\r\n \"C2 Server\": \"88[.]80[.]147[.]101,/jquery-3[.]3[.]1[.]min[.]js\",\r\n \"HTTP Method Path 2\": \"/jquery-3[.]3[.]2[.]min[.]js\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost[.]exe\"\r\n },\r\n \"time\": 1622753064031.5,\r\n \"sha256\": \"dd0dd0b3e95ff62c45af048c0169e2631ac906da4a603cadbc7014cbcfb4e631\",\r\n \"md5\": \"56830f9cc0fe712e22921a7a5a0f1a53\"\r\n },\r\n \"x64\": {\r\n \"sha1\": \"11724324f8ec1940be87553ae2bd5f96b979a5d6\",\r\n \"config\": {\r\n \"Method 2\": \"POST\",\r\n \"Port\": 80,\r\n \"Method 1\": \"GET\",\r\n \"Polling\": 5000,\r\n \"Beacon Type\": \"0 (HTTP)\",\r\n \"Jitter\": 10,\r\n \"Spawn To x86\": \"%windir%\\\\syswow64\\\\dllhost[.]exe\",\r\n \"C2 Server\": \"88[.]80[.]147[.]101,/jquery-3[.]3[.]1[.]min[.]js\",\r\n \"HTTP Method Path 2\": \"/jquery-3[.]3[.]2[.]min[.]js\",\r\n \"Spawn To x64\": \"%windir%\\\\sysnative\\\\dllhost[.]exe\"\r\n },\r\n \"time\": 1622753068830.2,\r\n \"sha256\": \"36a5e68810f3823470fadd578efb75b5c2d1ffe9f4a16d5566f0722257cc51ce\",\r\n \"md5\": \"9dde7f14a076a5c3db8f4472b87fd11e\"\r\n }\r\n}\r\nTrickbot C2 Configuration:\r\nhttps://tria.ge/210610-vfygj4t1yn\r\nExfiltration \r\nAs part of the discovery stage, we observed data being exfiltrated. The data ranged from host discovery, running processes,\r\nand user accounts: \r\nEntire AD forest data – including usernames, DC configuration, and machine enumeration: \r\nImpact \r\nWhen the threat actors returned two days later, the final payloads were staged on a domain controller in\r\nthe following location:\r\nC:\\share$\r\nTwo batch scripts were executed on the domain controller to automate ransomware deployment via PsExec.\r\n
The first was\r\n“_COPY.bat”, to stage the CONTI ransomware payload on all domain-joined computers. The second was “_EXE.bat”, to\r\nexecute the staged CONTI payloads.\r\nThe batch scripts ran, as expected, a set of copy commands and then executed the Conti payload using PsExec.\r\nstart PsExec.exe -accepteula @C:\\share$\\comps1.txt -u \"domain\\User\" -p \"$PASSWORD\" cmd /c COPY \"\\\\DOMAINCONTRO\r\nstart PsExec.exe -accepteula -d @C:\\share$\\comps5.txt -u \"domain\\User\" -p \"$PASSWORD\" cmd /c \"C:\\windows\\temp\\\r\nFiles were then encrypted with the following extension [KCRAO]: \r\nA readme.txt file was created in each folder: \r\nThe content of readme.txt: \r\nIOCs \r\nNetwork \r\nCobalt Strike\r\n149.248.52.187|443\r\n88.80.147.101|80\r\nonlineworkercz.com\r\ngmbfrom.com\r\nTrickbot\r\nFile \r\nnetscan.exe\r\n12.bat\r\ndef.bat\r\nprocdump.exe\r\ntdr615.exe\r\ntdrE934.exe\r\nstart.bat\r\nGet-DataInfo.ps1\r\n62.dll\r\ncancel_sub_VCP1234567890123.xlsx\r\nDetections \r\nNetwork\r\nET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)\r\nET CNC Feodo Tracker Reported CnC Server group 1\r\nET CNC Feodo Tracker Reported CnC Server group 2\r\nET CNC Feodo Tracker Reported CnC Server group 3\r\nET CNC Feodo Tracker Reported CnC Server group 5\r\nET CNC Feodo Tracker Reported CnC Server group 8\r\nET CNC Feodo Tracker Reported CnC Server group 9\r\nET CNC Feodo Tracker Reported CnC Server group 19\r\nET CNC Feodo Tracker Reported CnC Server group 22\r\nET CNC Feodo Tracker Reported CnC Server group 23\r\nET CNC Feodo Tracker Reported CnC Server group 24\r\nET POLICY HTTP traffic on port 443 (POST)\r\nET POLICY PE EXE or DLL Windows file download HTTP\r\nET POLICY curl User-Agent Outbound\r\nET HUNTING SUSPICIOUS Dotted Quad Host MZ Response\r\nET INFO Executable Download from dotted-quad Host\r\nET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1\r\nET MALWARE Trickbot Checkin Response\r\nET POLICY Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)\r\nET HUNTING Suspicious POST with Common Windows Process Names - Possible Process List Exfiltration\r\nET MALWARE Win32/Trickbot Data Exfiltration\r\nET POLICY IP Check wtfismyip.com\r\nGPL ATTACK_RESPONSE command completed\r\nET HUNTING Observed Suspicious SSL Cert (External IP Lookup - ident .me)\r\nET INFO Dotted Quad Host DLL Request\r\nET MALWARE Cobalt Strike Malleable C2 JQuery Custom Profile M3\r\nET POLICY Possible External IP Lookup ipinfo.io\r\nSigma \r\nAbused Debug Privilege by Arbitrary Parent Processes –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/sysmon_abusing_debug_pri\r\nAccessing WinAPI in PowerShell.\r\n
Code Injection –\r\nhttps://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/powershell/powershell_code_injection.yml \r\nBad Opsec Powershell Code Artifacts –\r\nhttps://github.com/SigmaHQ/sigma/blob/5e35e387dd0dcdd564db7077da3470fbc070b975/rules/windows/powershell/powershell_bad_opsec_artifacts.y\r\nCobaltStrike Service Installations –\r\nhttps://github.com/SigmaHQ/sigma/blob/b26eece20d4c19b202185a6dce86aff147e92d0f/rules/windows/builtin/win_cobaltstrike_service_installs.yml  \r\nCreateMiniDump Hacktool –\r\nhttps://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/process_creation/win_hktl_createminidump.ym\r\nDomain Trust Discovery –\r\nhttps://github.com/SigmaHQ/sigma/blob/99b0d32cec5746c8f9a79ddbbeb53391cef326ba/rules/windows/process_creation/win_trust_discovery.yml \r\nDridex Process Pattern –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_malware_dridex.yml \r\nEmpire PowerShell Launch Parameters –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_empi\r\nExecution from Suspicious Folder –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_execution_path.y\r\nInvocation of Active Directory Diagnostic Tool (ntdsutil.exe) –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_ntdsutil.yml \r\nLocal Accounts Discovery –\r\nhttps://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_local_system_owner_ac\r\nLSASS Memory Dump –\r\nhttps://github.com/SigmaHQ/sigma/blob/b81839e3ce507df925d6e583e569e1ac3a3894ab/rules/windows/process_access/sysmon_lsass_memdump.ym\r\nLSASS Memory Dump File Creation 
–\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_lsass_memory_dump_file\r\nLSASS Memory Dumping –\r\nhttps://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_lsass_dump.yml \r\nMalicious Base64 Encoded PowerShell Keywords in Command Lines –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_hidd\r\nMalicious PowerShell Commandlets –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/powershell_malicious_commandl\r\nMimikatz Detection LSASS Access –\r\nhttps://github.com/SigmaHQ/sigma/blob/b81839e3ce507df925d6e583e569e1ac3a3894ab/rules/windows/deprecated/sysmon_mimikatz_detection_lsas\r\nNet.exe Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_net_execution.ym\r\nNon Interactive PowerShell –\r\nhttps://github.com/SigmaHQ/sigma/blob/1425ede905514b7dbf3c457561aaf2ff27274724/rules/windows/process_creation/win_non_interactive_powers\r\nPowerShell as a Service in Registry –\r\nhttps://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/registry_event/sysmon_powershell_as_servic\r\nPowerShell Download from URL –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_powershell_download.\r\nPowerShell Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/8aabb58eca06cc44ae21ae4d091793d8c5ca6a23/rules/windows/image_load/sysmon_powershell_execution_m\r\nPowerShell Network Connections –\r\nhttps://github.com/SigmaHQ/sigma/blob/c91eda766032b14eee60412a14875f91664e670f/rules/windows/network_connection/sysmon_powershell_netw\r\nPowerShell Scripts Installed as Services 
–\r\nhttps://github.com/SigmaHQ/sigma/blob/a80c29a7c2e2e500a1a532db2a2a8bd69bd4a63d/rules/windows/builtin/win_powershell_script_installed_as_s\r\nPsexec Accepteula Condition –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_psexec_eula.yml \r\nPsExec Tool Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/ea430c8823803b9026a4e6e2ea7365dc5d96f385/rules/windows/other/win_tool_psexec.yml \r\nRare Service Installs –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/builtin/win_rare_service_installs.yml \r\nRegsvr32 Anomaly –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_regsvr32_anomal\r\nRundll32 Internet Connection –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_rundll32_net_c\r\nSuspicious AdFind Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/30bee7204cc1b98a47635ed8e52f44fdf776c602/rules/windows/process_creation/win_susp_adfind.yml \r\nSuspicious Encoded PowerShell Command Line –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_enc_\r\nSuspicious In-Memory Module Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/5cf7078fb3d61f2c15b01d9426f07f9197dd3db1/rules/windows/process_access/sysmon_in_memory_assembly\r\nSuspicious PowerShell Parent Process –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_powershell_paren\r\nSuspicious Remote Thread Created –\r\nhttps://github.com/SigmaHQ/sigma/blob/e7d9f1b4279a235406b61cc9c16fde9d7ab5e3ba/rules/windows/create_remote_thread/sysmon_suspicious_rem\r\nSuspicious Use of Procdump
–\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_procdump.yml \r\nSuspicious Use of Procdump on LSASS –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_procdump_lsass.\r\nSuspicious WMI Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/5e701a2bcb353338854c8ab47de616fe7e0e56ff/rules/windows/process_creation/win_susp_wmi_execution.ym\r\nTrickbot Malware Recon Activity –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_malware_trickbot_reco\r\nUNC2452 Process Creation Patterns –\r\nhttps://github.com/SigmaHQ/sigma/blob/e7d9f1b4279a235406b61cc9c16fde9d7ab5e3ba/rules/windows/process_creation/win_apt_unc2452_cmds.ym\r\nUsage of Sysinternals Tools –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/registry_event/sysmon_sysinternals_eula_acc\r\nWhoami Execution –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_susp_whoami.yml \r\nWindows Network Enumeration –\r\nhttps://github.com/SigmaHQ/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_net_enum.yml \r\nWindows PowerShell Web Request –\r\nhttps://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/powershell/win_powershell_web_request.ym\r\nYara Rules \r\n/*\r\nYARA Rule Set\r\nAuthor: The DFIR Report\r\nDate: 2021-08-02\r\nIdentifier: 4641\r\nReference: https://thedfirreport.com\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule sig_4641_fQumH {\r\nmeta:\r\ndescription = \"4641 - file fQumH.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-08-02\"\r\nhash1 = 
\"3420a0f6f0f0cc06b537dc1395638be0bffa89d55d47ef716408309e65027f31\"\r\nstrings:\r\n$s1 = \"Usage: .system COMMAND\" fullword ascii\r\n$s2 = \"Usage: .log FILENAME\" fullword ascii\r\n$s3 = \"* If FILE begins with \\\"|\\\" then it is a command that generates the\" fullword ascii\r\n$s4 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s5 = \"Usage %s sub-command ?switches...?\" fullword ascii\r\n$s6 = \"attach debugger to process %d and press any key to continue.\" fullword ascii\r\n$s7 = \"%s:%d: expected %d columns but found %d - extras ignored\" fullword ascii\r\n$s8 = \"%s:%d: expected %d columns but found %d - filling the rest with NULL\" fullword ascii\r\n$s9 = \"Unknown option \\\"%s\\\" on \\\".dump\\\"\" fullword ascii\r\n$s10 = \"REPLACE INTO temp.sqlite_parameters(key,value)VALUES(%Q,%s);\" fullword ascii\r\n$s11 = \"error in %s %s%s%s: %s\" fullword ascii\r\n$s12 = \"UPDATE temp.sqlite_master SET sql = sqlite_rename_column(sql, type, name, %Q, %Q, %d, %Q, %d, 1) WHERE\r\n$s13 = \"BBBBBBBBBBBBBBBBBBBB\" wide /* reversed goodware string 'BBBBBBBBBBBBBBBBBBBB' */\r\n$s14 = \"UPDATE temp.sqlite_master SET sql = sqlite_rename_column(sql, type, name, %Q, %Q, %d, %Q, %d, 1) WHERE\r\n$s15 = \");CREATE TEMP TABLE [_shell$self](op,cmd,ans);\" fullword ascii\r\n$s16 = \"SqlExec\" fullword ascii\r\n$s17 = \"* If neither --csv or --ascii are used, the input mode is derived\" fullword ascii\r\n$s18 = \"Where sub-commands are:\" fullword ascii\r\n$s19 = \"max rootpage (%d) disagrees with header (%d)\" fullword ascii\r\n$s20 = \"-- Query %d --------------------------------\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 4000KB and\r\n( pe.imphash() == \"67f1f64a3db0d22bf48121a6cea1da22\" or 8 of them )\r\n}\r\nrule sig_4641_62 {\r\nmeta:\r\ndescription = \"4641 - file 62.dll\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-08-02\"\r\nhash1 = \"8b9d605b826258e07e63687d1cefb078008e1a9c48c34bc131d7781b142c84ab\"\r\nstrings:\r\n$s1 = \"Common causes completion include incomplete download and damaged media\" fullword ascii\r\n$s2 = \"An error occurred writing to the file\" fullword ascii\r\n$s3 = \"asks should be performed?\" fullword ascii\r\n$s4 = \"The waiting time for the end of the launch was exceeded for an unknown reason\" fullword ascii\r\n$s5 = \"Select the Start Menu folder in which you would like Setup to create the programs shortcuts, then click\r\n$s6 = \"HcA\u003cE3\" fullword ascii /* Goodware String - occured 1 times */\r\n$s7 = \"Select the Start Menu folder in which you would like Setup to create the programs shortcuts, then click\r\n$s8 = \"D$(9D$@u\" fullword ascii /* Goodware String - occured 1 times */\r\n$s9 = \"Please verify that the correct path and file name are given\" fullword ascii\r\n$s10 = \"Critical error\" fullword ascii\r\n$s11 = \"Please read this information carefully\" fullword ascii\r\n$s12 = \"Unknown error occurred for time: \" fullword ascii\r\n$s13 = \"E 3y4i\" fullword ascii\r\n$s14 = \"D$tOuo2\" fullword ascii\r\n$s15 = \"D$PH9D$8tXH\" fullword ascii\r\n$s16 = \"E$hik7\" fullword ascii\r\n$s17 = \"D$p]mjk\" fullword ascii\r\n$s18 = \"B):0~\\\"Z\" fullword ascii\r\n$s19 = \"Richo/\" fullword ascii\r\n$s20 = \"D$xJij\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 70KB and\r\n( pe.imphash() == \"42205b145650671fa4469a6321ccf8bf\" and pe.exports(\"StartW\") or 8 of them )\r\n}\r\nrule sig_4641_tdrE934 {\r\nmeta:\r\ndescription = \"4641 - file tdrE934.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-08-02\"\r\nhash1 = \"48f2e2a428ec58147a4ad7cc0f06b3cf7d2587ccd47bad2ea1382a8b9c20731c\"\r\nstrings:\r\n$s1 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s2 =
\"D:\\\\1W7w3cZ63gF\\\\wFIFSV\\\\YFU1GTi1\\\\i5G3cr\\\\Wb2f\\\\Cvezk3Oz\\\\2Zi9ir\\\\S76RW\\\\RE5kLijcf.pdb\" fullword ascii\r\n$s3 = \"https://sectigo.com/CPS0\" fullword ascii\r\n$s4 = \"2http://crl.comodoca.com/AAACertificateServices.crl04\" fullword ascii\r\n$s5 = \"?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v\" fullword ascii\r\n$s6 = \"3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%\" fullword ascii\r\n$s7 = \"ntdll.dlH\" fullword ascii\r\n$s8 = \"http://ocsp.sectigo.com0\" fullword ascii\r\n$s9 = \"2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s\" fullword ascii\r\nhttps://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/\r\nPage 16 of 19\n\n$s10 = \"2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#\" fullword ascii\r\n$s11 = \"tmnEt6XElyFyz2dg5EP4TMpAvGdGtork5EZcpw3eBwJQFABWlUZa5slcF6hqfGb2HgPed49gr2baBCLwRel8zM5cbMfsrOdS1yd6bM\r\n$s12 = \"ealagi@aol.com0\" fullword ascii\r\n$s13 = \"operator co_await\" fullword ascii\r\n$s14 = \"ZGetModuleHandle\" fullword ascii\r\n$s15 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n$s16 = \"RtlExitUserThrea`NtFlushInstruct\" fullword ascii\r\n$s17 = \"UAWAVAUATVWSH\" fullword ascii\r\n$s18 = \"AWAVAUATVWUSH\" fullword ascii\r\n$s19 = \"AWAVVWSH\" fullword ascii\r\n$s20 = \"UAWAVATVWSH\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 2000KB and\r\n( pe.imphash() == \"4f1ec786c25f2d49502ba19119ebfef6\" or 8 of them )\r\n}\r\nrule sig_4641_netscan {\r\nmeta:\r\ndescription = \"4641 - file netscan.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-08-02\"\r\nhash1 = \"bb574434925e26514b0daf56b45163e4c32b5fc52a1484854b315f40fd8ff8d2\"\r\nstrings:\r\n$s1 = \"netscan.exe\" fullword ascii\r\n$s2 = \"TFMREMOTEPOWERSHELL\" fullword wide\r\n$s3 = \"TFMREMOTEPOWERSHELLEDIT\" fullword wide\r\n$s4 = \"TFMBASEDIALOGREMOTEEDIT\" fullword wide\r\n$s5 = 
\"*http://crl4.digicert.com/assured-cs-g1.crl0L\" fullword ascii\r\n$s6 = \"*http://crl3.digicert.com/assured-cs-g1.crl00\" fullword ascii\r\n$s7 = \"TFMIGNOREADDRESS\" fullword wide\r\n$s8 = \"TREMOTECOMMONFORM\" fullword wide\r\n$s9 = \"TFMSTOPSCANDIALOG\" fullword wide\r\n$s10 = \"TFMBASEDIALOGSHUTDOWN\" fullword wide\r\n$s11 = \"TFMBASEDIALOG\" fullword wide\r\n$s12 = \"TFMOFFLINEDIALOG\" fullword wide\r\n$s13 = \"TFMLIVEDISPLAYLOG\" fullword wide\r\n$s14 = \"TFMHOSTPROPS\" fullword wide\r\n$s15 = \"GGG`BBB\" fullword ascii /* reversed goodware string 'BBB`GGG' */\r\n$s16 = \"SoftPerfect Network Scanner\" fullword wide\r\n$s17 = \"TUSERPROMPTFORM\" fullword wide\r\n$s18 = \"TFMREMOTESSH\" fullword wide\r\n$s19 = \"TFMREMOTEGROUPSEDIT\" fullword wide\r\n$s20 = \"TFMREMOTEWMI\" fullword wide\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 6000KB and\r\n( pe.imphash() == \"573e7039b3baff95751bded76795369e\" and ( pe.exports(\"__dbk_fcall_wrapper\") and pe.exports(\"d\r\n}\r\nrule sig_4641_tdr615 {\r\nmeta:\r\ndescription = \"4641 - file tdr615.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-08-02\"\r\nhash1 = \"12761d7a186ff14dc55dd4f59c4e3582423928f74d8741e7ec9f761f44f369e5\"\r\nstrings:\r\n$s1 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$s2 = \"I:\\\\RoDcnyLYN\\\\k1GP\\\\ap0pivKfOF\\\\odudwtm30XMz\\\\UnWdqN\\\\01\\\\7aXg1kTkp.pdb\" fullword ascii\r\n$s3 = \"https://sectigo.com/CPS0\" fullword ascii\r\n$s4 = \"2http://crl.comodoca.com/AAACertificateServices.crl04\" fullword ascii\r\n$s5 = \"?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v\" fullword ascii\r\n$s6 = \"3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%\" fullword ascii\r\n$s7 = \"http://ocsp.sectigo.com0\" fullword ascii\r\n$s8 = \"2http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s\" fullword ascii\r\n$s9 = \"2http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#\" fullword ascii\r\n$s10 = 
\"ealagi@aol.com0\" fullword ascii\r\n$s11 = \"operator co_await\" fullword ascii\r\n$s12 = \"GetModuleHandleRNtUnmapViewOfSe\" fullword ascii\r\nhttps://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/\r\nPage 17 of 19\n\n$s13 = \"+GetProcAddress\" fullword ascii\r\n$s14 = \"api-ms-win-appmodel-runtime-l1-1-2\" fullword wide\r\n$s15 = \"RtlExitUserThrebNtFlushInstruct\" fullword ascii\r\n$s16 = \"Sectigo Limited1$0\\\"\" fullword ascii\r\n$s17 = \"b\u003clog10\" fullword ascii\r\n$s18 = \"D*\u003cW -\" fullword ascii\r\n$s19 = \"WINDOWSPROJECT1\" fullword wide\r\n$s20 = \"WindowsProject1\" fullword wide\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 10000KB and\r\n( pe.imphash() == \"555560b7871e0ba802f2f6fbf05d9bfa\" or 8 of them )\r\n}\r\nrule CS_DLL {\r\nmeta:\r\ndescription = \"62.dll\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-07-07\"\r\nhash1 = \"8b9d605b826258e07e63687d1cefb078008e1a9c48c34bc131d7781b142c84ab\"\r\nstrings:\r\n$s1 = \"Common causes completion include incomplete download and damaged media\" fullword ascii\r\n$s2 = \"StartW\" fullword ascii\r\n$s4 = \".rdata$zzzdbg\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 70KB and ( pe.imphash() == \"42205b145650671fa4469a6321ccf8bf\" )\r\nor (all of them)\r\n}\r\nrule tdr615_exe {\r\nmeta:\r\ndescription = \"Cobalt Strike on beachhead: tdr615.exe\"\r\nauthor = \"The DFIR Report\"\r\nreference = \"https://thedfirreport.com\"\r\ndate = \"2021-07-07\"\r\nhash1 = \"12761d7a186ff14dc55dd4f59c4e3582423928f74d8741e7ec9f761f44f369e5\"\r\nstrings:\r\n$a1 = \"AppPolicyGetProcessTerminationMethod\" fullword ascii\r\n$a2 = \"I:\\\\RoDcnyLYN\\\\k1GP\\\\ap0pivKfOF\\\\odudwtm30XMz\\\\UnWdqN\\\\01\\\\7aXg1kTkp.pdb\" fullword ascii\r\n$b1 = \"ealagi@aol.com0\" fullword ascii\r\n$b2 = \"operator co_await\" fullword ascii\r\n$b3 = \"GetModuleHandleRNtUnmapViewOfSe\" fullword ascii\r\n$b4 = 
\"RtlExitUserThrebNtFlushInstruct\" fullword ascii\r\n$c1 = \"Jersey City1\" fullword ascii\r\n$c2 = \"Mariborska cesta 971\" fullword ascii\r\ncondition:\r\nuint16(0) == 0x5a4d and filesize \u003c 10000KB and\r\nany of ($a* ) and 2 of ($b* ) and any of ($c* )\r\n}\r\nMITRE\r\nPhishing: Spearphishing Attachment – T1566.001 \r\nSigned Binary Proxy Execution: Regsvr32 – T1218.010 \r\nImpair Defenses: Disable or Modify Tools – T1562.001 \r\nDomain Trust Discovery – T1482 \r\nOS Credential Dumping: LSASS Memory – T1003.001 \r\nSystem Owner/User Discovery – T1033 \r\nCommand and Scripting Interpreter: PowerShell – T1059.001 \r\nData Staged: Local Data Staging – T1074.001 \r\nSystem Information Discovery – T1082 \r\nAccount Discovery: Local Account – T1087.001 \r\nAccount Discovery: Domain Account – T1087.002 \r\nOS Credential Dumping: NTDS – T1003.003 \r\nWindows Management Instrumentation – T1047 \r\nBrowser Bookmark Discovery – T1217 \r\nhttps://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/\r\nPage 18 of 19\n\nData Encrypted for Impact – T1486 \r\nRemote Services: SMB/Windows Admin Shares – T1021.002 \r\nMITRE Software\r\nAdFind – S0552 \r\nBloodHound – S0521 \r\nCobalt Strike – S0154 \r\nSysteminfo – S0096 \r\nNet – S0039 \r\nNltest – S0359 \r\nEsentutl – S0404 \r\nPsExec – S0029 \r\nCmd – S0106 \r\nReferences \r\nTrickBot Malware Alert (AA21-076A), US CERT – https://us-cert.cisa.gov/ncas/alerts/aa21-076a \r\nAdvisory: Trickbot, NCSC – https://www.ncsc.gov.uk/news/trickbot-advisory \r\nTrickbot Still Alive and Well, The DFIR Report – https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ \r\nHunting for GetSystem in offensive security tools, RedCanary – https://redcanary.com/blog/getsystem-offsec/ \r\nTrickBot Banking Trojan, ThreatPost – https://threatpost.com/trickbot-banking-trojan-module/167521/ \r\nInternal case #4641\r\nSource: 
https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/"
	],
	"report_names": [
		"bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike"
	],
	"threat_actors": [],
	"ts_created_at": 1775791204,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a0200b1812cdf7beb84e17c8a6a056f1799c38af.pdf",
		"text": "https://archive.orkl.eu/a0200b1812cdf7beb84e17c8a6a056f1799c38af.txt",
		"img": "https://archive.orkl.eu/a0200b1812cdf7beb84e17c8a6a056f1799c38af.jpg"
	}
}