BazarLoader and the Conti Leaks
TLP: WHITE | Author: AlienVault | Created: 2021-10-04 | Modified: 2021-11-03
In July, The DFIR Report observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor's main priority was to map the domain network while looking for interesting data to exfiltrate. Their preferred method of operation was through GUI applications such as RDP and AnyDesk. Historically, BazarLoader was used to deploy Ryuk, as The DFIR Report has documented on many occasions. In one of their latest reports, they saw BazarLoader result in the deployment of Conti ransomware.
Indicators of Compromise (41)
TYPE | INDICATOR | DESCRIPTION | CREATED
YARA 560fad4d886bff0aec85d4c5cedd3ea0c40b6f78 files - AdFind.exe 2021-10-04
YARA 427e79cda16cf9021f70db61b8170ffc2fe7a93e files - NtdsAudit.exe 2021-10-04
YARA 2eb32e4b688d3f3ff3466ab99ff9df60d35d7125 files - 21.exe 2021-10-04
YARA 36d4f1b349870d8a73ef924d9454f867a246f19b files - 21.dll 2021-10-04
YARA 973ee8209bc8c8bcfeb504506f0cf4c4083f21f6 files - AnyDesk.exe 2021-10-04
FileHash-MD5 16eb5134181c482824cd5814c0efd636 2021-10-04
FileHash-MD5 17b461a082950fc6332228572138b80c 2021-10-04
FileHash-MD5 1e788b5d1ff62688cfe5d2ef7832712a 2021-10-04
FileHash-MD5 1fd930064b81e7c96eedb985ca2a0d97 MD5 of fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b 2021-10-04
FileHash-MD5 742844254840eff409535494ae3ec338 2021-10-04
FileHash-MD5 9b02dd2a1a15e94922be3f85129083ac MD5 of b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682 2021-10-04
FileHash-MD5 9ea3a4b4bf64aeaefb60ada634f7fb43 2021-10-04
FileHash-MD5 a0e9f5d64349fb13191bc781f81f42e1 2021-10-04
FileHash-MD5 ae4edc6faf64d08308082ad26be60767 2021-10-04
FileHash-MD5 c91bde19008eefabce276152ccd51457 2021-10-04
FileHash-MD5 d2bb4366b7018e0ed3e7f752fc312371 2021-10-04
FileHash-MD5 d46c3b4e37ba8b21a79a63fbf69c6411 2021-10-04
FileHash-MD5 d6b773f8b88be82d4de015edbf0cc2fa 2021-10-04
FileHash-MD5 e35df3e00ca4ef31d42b34bebaa2f86e 2021-10-04
FileHash-MD5 fede0607e830aa1add8deda3d59d9a77 2021-10-04
FileHash-SHA1 08ca62cc8860f4660e945805d0dd615ce75258c1 2021-10-04
FileHash-SHA1 0dfc5ef1947a29227d994a44f33c1b0fe12598ea 2021-10-04
FileHash-SHA1 2cb6ff75b38a3f24f3b60a2742b6f4d6027f0f2a SHA1 of b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682 2021-10-04
FileHash-SHA1 39f7e3f5435cdfacaa89aa5ef2d4e092bde4494e SHA1 of fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b 2021-10-04
FileHash-SHA1 3e12312e43f4b84129023057862ee3934ca24c6d 2021-10-04
FileHash-SHA1 46f33bb1c629cedb52fc5d7e46525ac5ccb13aaa 2021-10-04
FileHash-SHA1 b1bfe2231dfa1fa4a46a50b4a6c67df34019e68a 2021-10-04
FileHash-SHA1 d4d88b60150088041fec4951335128031441bc5a 2021-10-04
FileHash-SHA256 01b164f74bde4eb7c7da8c6cd707f23ce1923da49a3deb36aea5cd6e3030c0d6 2021-10-04
FileHash-SHA256 43ac1418825ccbe33ae34c64fd036f23ef066073e4fefa2a410b53922cfc815f 2021-10-04
FileHash-SHA256 43ecc44566a599a1f5d5b5063f27fd18b34e0dc67e053570e9ad944ad3f16024 2021-10-04
FileHash-SHA256 8c7e32178cf437f4fd3d7f706066831fce2cd9bc7e2050a3cefebab05952266d 2021-10-04
FileHash-SHA256 96a74d4c951d3de30dbdaadceee0956682a37fcbbc7005d2e3bbd270fbd17c98 2021-10-04
FileHash-SHA256 972e38f7fa4c3c59634155debb6fb32eebda3c0e8e73f4cb264463708d378c39 2021-10-04
FileHash-SHA256 9eab01396985ac8f5e09b74b527279a972471f4b97b94e0a76d7563cf27f4d57 2021-10-04
FileHash-SHA256 b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682 2021-10-04
FileHash-SHA256 fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b 2021-10-04
domain gojihu.com 2021-10-04
domain sazoya.com 2021-10-04
domain yawero.com 2021-10-04
domain yuxicu.com 2021-10-04