{
	"id": "67ee6681-2ae3-4378-81c9-2f591aaecc26",
	"created_at": "2026-04-06T00:21:01.691363Z",
	"updated_at": "2026-04-10T03:36:11.196863Z",
	"deleted_at": null,
	"sha1_hash": "abcd478370fd912510b4491a27b2163e0d446a97",
	"title": "Highway to Conti: Analysis of Bazarloader",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8673667,
	"plain_text": "Highway to Conti: Analysis of Bazarloader\r\nBy Eli Salem\r\nPublished: 2022-02-23 · Archived: 2026-04-05 23:36:17 UTC\r\n15 min read\r\nFeb 16, 2022\r\nAs we look back to summarize the year 2021, we observe that the biggest threat in the cybersecurity landscape is still ransomware. A large number of ransomware incidents have occurred around the world, extorting hundreds of millions overall from victims across the globe.\r\nAs the sun went down on some past major players in the ransomware ecosystem (such as REvil), the sun definitely shone on others, specifically the most[1] prolific group in 2021: Conti.\r\nThe list of Conti’s victims is definitely long and varied, with some high profile names such as the recent incidents of the Bank of Indonesia[2] and Delta Electronics[3].\r\nAlthough each case has its own story to tell, it is reported that multiple attacks that ended with Conti ransomware started with or involved the BazarBackdoor or BazarLoader malware[4][5].\r\nIn this article, I will present an analysis of the BazarLoader malware, its defensive measures to hinder security researchers, and other important core functionalities.\r\nBazarloader Background\r\nBazarLoader was first observed and reported in April 2020[6] and is believed to have been developed by a group called ITG23, or the TrickBot gang[7].\r\nThe loader itself is known to be distributed by phishing campaigns that use multiple LoLBins for deployment, such as PowerShell, Mshta[8] and ISO files[9], and eventually involve Rundll32 or Regsvr32.\r\nThe Dropper\r\nSHA1 hash: 94114c925eff56b33aed465fce335906f31ae1b5\r\nhttps://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d\r\nPage 1 of 22\r\nBazarloader dropper in PEstudio[23]\r\nLike much malware that comes from the e-crime scene, Bazarloader comes packed inside an initial dropper. The dropper itself is a 64-bit .dll file with a high entropy of over 6.8.\r\nWhen we open the dropper in IDA, we immediately notice a large olive-colored region in the navigation bar. In many cases (especially with packed malware) this can be a big clue for obfuscated content yet to be decrypted.\r\nAs we investigate the navigation bar, we see two interesting code blobs right at the beginning of the .rdata section. The first one is quite small, but the second is very big, with a size of 156256 bytes. For convenience, we’ll convert them both to a byte array. To do so, do the following:\r\n1) Right-click on the code blob name\r\n2) Click Byte\r\n3) Right-click on the code blob again\r\n4) Click Array\r\n5) For convenience, change the name of these blobs\r\nBig \u0026 small chunks of data\r\nNext, we’ll want to inspect where these bytes are being used by viewing their cross-references. By tracing the usage of the big blob, we can see that it is passed to a function named “sub_1800F110” that also gets a value of 0x26260, which is 156256 in decimal, and as we know, this is the exact size of the big blob.\r\nThis function’s objectives are:\r\n1. Allocate a new buffer using VirtualAlloc\r\n2. Use the small blob\r\n3. Partially decrypt the buffer into the newly allocated memory\r\n4. Once the function is finished, return the allocated buffer to a higher function named “sub_18000FC10”.\r\nFirst decryption\r\nIn terms of decrypted data, at runtime it will look like this:\r\nFirst decryption output\r\nNext, the partially decrypted buffer will be sent to another function called “sub_1800015D0”. This function’s objectives are:\r\n1. Perform further decryption using an XOR loop with a designated key\r\n2. Allocate new memory\r\n3. Perform another decryption, which will result in the final Bazarloader payload, and copy it into the new buffer\r\nSecond decryption\r\nIn the end, after these two iterations of data manipulation, the two phases will look like this:\r\nFinal output\r\nNote: To avoid this route, the easy way to unpack this dropper manually is:\r\n1. Set a breakpoint on VirtualAlloc\r\n2. On the second instance, set a hardware breakpoint on the allocated buffer\r\n3. Hit Run until you see the final clean payload\r\nBazarLoader\r\nUnpacked Bazarloader\r\nThe unpacked file (the Bazarloader payload) is a 64-bit DLL file with a much lower entropy of 3.96 compared to its dropper. In addition, the malware has 8 export functions; however, all of them are empty except the function “EproyAklW”.\r\nAlso, we notice the internal name of the malware is “l_dll_rndll_eaw_64_p2_g8_v221_11_01_22_logs_no.dll”.\r\nExport functions in PE-bear[22]\r\nAlso, the malware’s import table is empty, which indicates that the API calls will be resolved dynamically by some mechanism. In addition, in terms of size, Bazarloader is a small to mid-sized malware.\r\nEmpty Import table\r\nMy investigation will be separated into two parts:\r\n1. Bazarloader defenses: any method the malware uses to slow down researchers, and how to overcome them.\r\n2. Bazarloader operative mechanism: basically, how the malware works.\r\nBazarLoader defenses 1: API Hashing\r\nRight as we enter the export function “EproyAklW” we observe the first defense mechanism of Bazarloader: its dynamic API hash resolving function (which in our case is called sub_1800AC7C).\r\nFor those who are not familiar with the term API hashing:\r\n“API hashing is simply an arbitrary function/algorithm, that calculates a hash value for a given text string[10].”\r\nIn simple words, the function takes a hash as input and eventually outputs a pointer to an API call. Next, usually, we’ll see this pointer being used as a function.\r\nAPI hashing function\r\nTo confirm our hypothesis, we can always debug the function dynamically and step over it. Once we do, we’ll notice two things:\r\n1. The register EAX will hold the address of the resolved API call (in this case it is RtlExitUserProcess, which is the kernel-mode equivalent to ExitProcess).\r\n2. Three instructions later the register EAX will be executed via call, which means RtlExitUserProcess will be executed.\r\nResolving API dynamically\r\nAs can be assumed, the main advantages of this technique are:\r\n1. The malware is more stealthy because, as we said, its import table is empty, thus making the analysis more challenging and slow.\r\n2. This also creates some challenges for automated security products that rely on these API calls being present in order to determine the file’s nature.\r\nThis technique is very common in the malware world and can be found in other malware such as Emotet, Qbot, Trickbot, Conti ransomware, Lockbit, and so on.\r\nSmall Tip: In many cases, the API hashing function will result in the address of the requested API call; therefore, in many cases, it will use the Process Environment Block (PEB) for the part that actually resolves the address. Searching for usage of the PEB in the code is a good way to sniff out these resolving functions.\r\nFor security researchers, the major issue with API hashing functions is that they are executed many times, basically each time the malware wants to use a specific function. In Bazarloader’s case, we can see “sub_18000AC7C” being used 232 times. Obviously, going to each call site and resolving it dynamically is time-consuming, and this process needs to be scaled.\r\nMultiple times of resolving API\r\nIn order to speed things up, we’ll use one of my favorite tools, and a GO-TO when it comes to API hashing: HashDB[11][17][18].\r\nThe HashDB plugin is a community-sourced library of hashing algorithms used in malware. The plugin allows reverse engineers to test specific hashes against the algorithms that HashDB has.\r\nOnce you have HashDB, do the following:\r\n1. Right-click on the hash\r\n2. Click on HashDB Hunt Algorithm\r\nHashDB Hunt Algorithm\r\nAfter a couple of seconds, we get a popup that tells us that the algorithm found is “rol7_xor”; then, click OK.\r\nHashDB found algorithm\r\nNow, do the following:\r\n1. Right-click again on the hash\r\n2. Choose HashDB Lookup\r\nThen, we’ll get another popup that will tell us that the hash is translated to the API call ExitProcess, similarly to what we saw during our dynamic analysis.\r\nHashDB resolving API\r\nOnce the hash has been resolved, an Enum will be created; this Enum should be applied to all of the hashes. To do so, do the following:\r\n1. Right-click on the function name\r\n2. Click Set call type\r\n3. Change the type of the third argument to be the Enum name\r\nHashDB enum\r\nBazarLoader defenses 2: Stack strings (sort of)\r\nUsually, malware authors like to hide indicative or important strings in embedded obfuscated code blobs inside the PE itself; a good example is Qbot[12], which stores strings related to commands, process names and network activity inside a code blob.\r\nHowever, when we inspect this Bazarloader sample, we do not find any suspicious code blobs that could indicate hidden obfuscated data.\r\nThe reason for that is that Bazarloader stores those strings in multiple small hashes that are combined during runtime and XORed with a different key.\r\nStack strings (stacked hashes)\r\nThis behavior happens hundreds of times during the malware’s operation; a good way to track them is to use the plugin FLARE CAPA[13].\r\nIn order to decrypt them statically, all you need to do is the following:\r\n1. Click on the hash\r\n2. Shift + E\r\n3. Copy the first 4 bytes to CyberChef\r\n4. Do it for each hash and merge them\r\nDecrypting hashes\r\n5. Add From Hex to the recipe\r\n6. Add XOR to the recipe\r\n7. As the XOR key, take the last 4 bytes (basically similar to the hashes)\r\nDecrypting hashes\r\nBazarLoader operative mechanisms\r\nAs mentioned, this section will be about anything related to the malware’s activity itself and its commands.\r\nNetwork Activity\r\nFirst, like many other malware, Bazarloader will check connectivity and try to access multiple legitimate domains. Some of these domains are traditional for malware connectivity checks, like google.com; however, some of them are more interesting, such as the White House website.\r\nLegitimate domains\r\nNext, we observe an indicative command that instructs the malware to “download and run backdoor”, which could potentially be the BazarBackdoor.\r\ndownload and run backdoor command\r\nAs for network capabilities, the malware has two ways to operate:\r\n1. Use a hardcoded IP \\ Emercoin domain\r\n2. Use a generated Emercoin domain\r\nHardcoded vs generate\r\nFirst method\r\nIf the malware chooses the hardcoded way, it will first use the following hardcoded IP addresses and Emercoin domains:\r\n185.99.133[.]67\r\n188.127[.]249\r\n5.255.103[.]36\r\n91.201.202[.]138\r\nreddew28c[.]bazar\r\nbluehail[.]bazar\r\nwhitestorm9p[.]bazar\r\nNext, it will go to a function that uses WinINet functions to communicate externally.\r\nWinINet network function\r\nThis network function will return the status code of the network operation as its output, using the API HttpQueryInfo. In other words, if the function is successful and works properly, it will return 200.\r\nWinINet function returned value\r\nNext, the caller function will check whether the status code is indeed 200; if yes, it will call a function that contains the code injection core function.\r\nChecking status code\r\nSecond method: DGA\r\nAs mentioned, Bazarloader has an option to generate an Emercoin domain. In this option, Bazarloader will use its domain generation algorithm (DGA) capabilities to generate a random .bazar (which is related to Emercoin) domain.\r\nAfter generating the name, the malware will add the string “.bazar” to it as a suffix.\r\nBazarloader DGA\r\nThen, the malware will have the ability to communicate externally using the WinSock functions. Unlike the WinINet functions, where the majority of the functions are resolved directly by the API hashing function, in the case of the WinSock functions the malware will:\r\n1. Decrypt their names\r\n2. Use the API hashing function to resolve GetProcAddress\r\n3. Resolve the requested function using GetProcAddress\r\nWINSOCK functions resolved\r\nThen, the malware will use these functions to communicate.\r\nsendto \u0026 recvfrom\r\nCode injection\r\nThe malware attempts to inject itself into one of the following processes:\r\n1. Svchost.exe\r\n2. cmd.exe\r\n3. explorer.exe\r\nThen, it will go to a function that iterates through the running processes using the API calls CreateToolhelp32Snapshot[14] and Process32First\\Next[15]. Once found, it will retrieve the process ID.\r\nProcesses to be injected\r\nEventually, the process ID of the chosen process will be sent to another function that deals with the code injection itself.\r\nCode injection process gets processID as an argument\r\nIn the code injection function, we can see the injection technique itself, which appears to be Process Hollowing.\r\nFirst, a process is created with the creation flag 0x8000014. This number is actually a mask of the following flags:\r\n1. 0x08000000: CREATE_NO_WINDOW\r\n2. 0x00000010: CREATE_NEW_CONSOLE\r\n3. 0x00000004: CREATE_SUSPENDED\r\nProcess created suspended\r\nNext, new virtual memory will be allocated in the remote process, followed by the traditional API calls we would expect to see in the Process Hollowing technique.\r\nProcess hollowing\r\nLooking for security products\r\nMore activities of Bazarloader relate to security products. Bazarloader will use the API calls CreateToolhelp32Snapshot and Process32First to create a snapshot of the running processes and iterate over them to search for AV product-related processes.\r\nSearching for security products\r\nAlso, the malware will use the traditional stack strings to search for the following processes:\r\n1. Norton Security\r\n2. nsWscSvc - Windows Security service\r\n3. ISSRV - Microsoft network real-time inspection service\r\nSearching for security products\r\nIn addition, as already seen in the first image, Bazarloader will search for the names of the following security products:\r\n1. Avast\r\n2. BitDefender\r\n3. NortonSecurity\r\n4. WindowsDefender\r\nSearching for security products\r\nRegistry operations\r\nBazarloader has a designated function that creates a process in order to perform specific commands; in most cases, this function is invoked to run a cmd command that manipulates the registry.\r\nPersistence\r\nBazarloader will use the cmd process in order to set persistence in the traditional Microsoft\\Windows\\CurrentVersion\\Run path.\r\nCreating persistence\r\nAdditional commands also include:\r\ncmd /c\r\ncmd /c choice /c /y /d y /t 10\r\ncmd /c choice /c /y /d y /t 10 \u0026 start\r\ncmd /c echo\r\ncmd.exe /c reg.exe query HKCU\\Software\\\r\ncmd.exe /c reg.exe query HKCU\\Software\\ /t REG_BINARY /d\r\ncmd.exe /c reg.exe query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths\r\nCryptography\r\nRight after the WinINet network function ends, another function that is related to the malware’s cryptography starts. The function also shares an argument with the network function.\r\nCryptography function intro\r\nThe cryptography function consists of multiple functions, each of which does several tasks. In order not to go into each one in detail, I will only demonstrate their important activities.\r\nOne of the functions is responsible for resolving the Crypt32.dll and Bcrypt.dll modules in the following way:\r\n1. Decrypt the names of the modules\r\n2. Use the dynamic API resolving function to resolve LoadLibrary\r\n3. Execute LoadLibrary with the decrypted module name as its argument\r\n4. Assign the handle for the DLL to an IDA variable for later usage\r\nResolving Bcrypt.dll\r\nThen, it will do the same for the functions themselves, but with GetProcAddress. When it comes solely to Bcrypt, 14 different functions will be resolved and assigned to variables.\r\nBcrypt variables\r\nAfter the resolving part ends, Bazarloader will use the functions to initiate its cryptography session. The algorithm used will be RSA; this can be seen as plain text in the ALGID parameter of the function BCryptOpenAlgorithmProvider[19].\r\nBCryptOpenAlgorithmProvider RSA\r\nThe malware then continues with creating the session with the usage of the rest of the functions, including generating the key to decrypt data from BCryptImportKeyPair. Eventually, it will return to the base caller function (dubbed above as “start_crypt”).\r\nIn the end, the malware will use the function BCryptDecrypt[20] to decrypt requested data.\r\nFinal Bcrypt decryption\r\nDesignated strings and MD5 activity\r\nOne of the interesting activities of Bazarloader is its usage of specifically designated strings as arguments in other parts of its activity.\r\nThese strings are manipulated several times before being used, thus making the process of observing their usage a little bit tricky. In order to show the general idea, I will demonstrate only one case.\r\nSmall Tip: In order to track the activity dynamically and align it with static analysis addresses, disabling ASLR (with tools such as CFF Explorer) can be handy.\r\nThe entire activity will occur in one function that deals with decrypting hardcoded strings using the aforementioned stack-strings and XOR decryption method. However, as can be seen, before starting to decrypt the strings, a different function named “sub_180005600” is called.\r\nDesignated strings function\r\nThe objective of this function is relatively simple: creating an additional key for further decryption activities. In general, this will happen in the following way:\r\n1. First, with the use of the two API calls SHGetSpecialFolderPathA and GetFileAttributesExA, and additional functions, the malware will generate some sort of digit array.\r\nGenerating digits\r\n2. The digit array will be passed as one of the arguments to another function that deals with MD5 hashing.\r\nMD5 activity\r\nIf we inspect dynamically, we can see that after passing the MD5Final function, the digits will disappear and an MD5 hash will be produced.\r\nBefore MD5Final\r\nAfter MD5Final\r\nAfter the MD5 hash is created, the function will return to the caller function and the events will continue as follows:\r\n1. The hardcoded stack strings will be decrypted and combined into one string\r\n2. The combined string and the MD5 hash key will be sent to another function named “sub_180004410” that deals with further manipulation of the string.\r\nDesignated strings function workflow\r\nInside sub_180004410, the string will go through more manipulations; one of them is a loop that XORs the key (the MD5 hash) with the combined string.\r\nXOR loop between the key and combined string\r\nNext, several other manipulations will occur on the XORed output until eventually a new string is generated.\r\nFinal string\r\nEventually, this process will happen to every string in the list of these designated strings, and as said, they will be used as arguments in further malware activity.\r\nFor example, the string from the image above will be used as the Mutex name when the malware executes CreateMutexA[21].\r\nFinal string being used as Mutex name\r\nReferences\r\n[1] https://twitter.com/ido_cohen2/status/1477620045794758658\r\n[2] https://www.bitdefender.com/blog/hotforsecurity/bank-indonesia-confirms-conti-ransomware-attack-stolen-files-leaked/\r\n[3] https://www.bleepingcomputer.com/news/security/taiwanese-apple-and-tesla-contractor-hit-by-conti-ransomware/\r\n[4] https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware\r\n[5] https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/\r\n[6] https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/\r\n[7] https://www.cybereason.com/blog/threat-analysis-report-from-shatak-emails-to-the-conti-ransomware\r\n[8] https://twitter.com/executemalware/status/1485799287615279109\r\n[9] https://twitter.com/Max_Mal_/status/1483571535491260417\r\n[10] https://www.ired.team/offensive-security/defense-evasion/windows-api-hashing-in-malware#:~:text=API%20hashing%20is%20simply%20an,for%20a%20given%20text%20string.\u0026text=Set%20a%20variable%20%24hash%20to%20a\r\n[11] https://github.com/OALabs/hashdb\r\n[12] https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html\r\n[13] https://github.com/mandiant/capa\r\n[14] https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot\r\n[15] https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32first\r\n[16] https://docs.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-gettickcount\r\n[17] https://youtu.be/3FPY4cLaELU\r\n[18] https://aaqeel01.wordpress.com/2021/10/18/zloader-reversing/\r\n[19] https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptopenalgorithmprovider\r\n[20] https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptdecrypt\r\n[21] https://docs.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-createmutexa\r\n[22] https://hshrzd.wordpress.com/pe-bear/#:~:text=PE%2Dbear%20is%20a%20freeware,works%20for%20windows%20and%20Linux).\r\n[23] https://www.winitor.com/\r\nSource: https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://elis531989.medium.com/highway-to-conti-analysis-of-bazarloader-26368765689d"
	],
	"report_names": [
		"highway-to-conti-analysis-of-bazarloader-26368765689d"
	],
	"threat_actors": [
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434861,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/abcd478370fd912510b4491a27b2163e0d446a97.pdf",
		"text": "https://archive.orkl.eu/abcd478370fd912510b4491a27b2163e0d446a97.txt",
		"img": "https://archive.orkl.eu/abcd478370fd912510b4491a27b2163e0d446a97.jpg"
	}
}