Pulse Detail — Threat Intelligence

PULSE NAME

CONTInuing the Bazar Ransomware Story

WHITE AlienVault 2021-11-29 Modified: 2021-12-29

IOCs

MEDIUM VOLUME

As part of a series of reports on cyber-attacks, we look back at some of the key events that have been reported in the past year and look at how the Bazar ransomware story unfolded.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1218.010 T1218.005 T1218.011 T1567.002 T1105 T1059.005 T1059.007 T1059.001 T1055 T1486 T1482 T1047 T1021.002 T1124 T1021.001 T1566.001 T1087.002 T1087.001 T1057 T1083 T1590.005

MALWARE FAMILIES

Bazar - S0534 Net - S0039 Nltest - S0359 cmd - S0106 Tasklist - S0057 Cobalt Strike - S0154 AdFind - S0552 Conti - S0575

Indicators of Compromise (44)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256 YARA domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	193b84d45dd371c6e4a501333d37349b	MD5 of 742ed8d0202aafba1c162537087a8a131cb85cde	2021-11-29
FileHash-MD5	26bd89afd5c1ba9803422d33185cef89	—	2021-11-29
FileHash-MD5	2c313c5b532c905eb8f1748a0d656ff9	—	2021-11-29
FileHash-MD5	4ba6791f2293a8bc2dfa537015829b3c	—	2021-11-29
FileHash-MD5	5840aa36b70b7c03c25e5e1266c5835b	MD5 of ea031940b2120551a6abbe125eb0536b9e4f14c8 MD5 of ea031940b2120551a6abbe125eb0536b9e4f14c8	2021-11-29
FileHash-MD5	663c8d0fe8b770b50792d10f6c07a652	—	2021-11-29
FileHash-MD5	68f9b52895f4d34e74112f3129b3b00d	MD5 of c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e	2021-11-29
FileHash-MD5	7f112bfa16a6bd344aaed28abf606780	—	2021-11-29
FileHash-MD5	84361813423910294079d0bc5b6daba2	—	2021-11-29
FileHash-MD5	9066cfcf809bb19091509a4d0f15f092	MD5 of f88a948b0fd137d4b14cf5aec0c08066cb07e08d	2021-11-29
FileHash-MD5	ab3a744545a12ba2f6789e94b789666a	—	2021-11-29
FileHash-MD5	e6c3ab2ee9a613efdf995043b140fd8e	MD5 of 33738cf695a6ac03675fe925d62ecb529ac73d03	2021-11-29
FileHash-MD5	f6f72e3d91f7b53dd75e347889a793da	MD5 of 5d4f020115a483e9e5aa9778c038466f9014c90c	2021-11-29
FileHash-SHA1	1d5f8d283ed3f6019954aa480182c9913ee49735	—	2021-11-29
FileHash-SHA1	33738cf695a6ac03675fe925d62ecb529ac73d03	—	2021-11-29
FileHash-SHA1	5d4f020115a483e9e5aa9778c038466f9014c90c	—	2021-11-29
FileHash-SHA1	70725329e4c14b39d49db349f3c84e055c111f2d	—	2021-11-29
FileHash-SHA1	742ed8d0202aafba1c162537087a8a131cb85cde	—	2021-11-29
FileHash-SHA1	c0b28fd2d5b62d5129225e8c45d368bc9e9fd415	—	2021-11-29
FileHash-SHA1	c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e	—	2021-11-29
FileHash-SHA1	c99f0fa8d5fbffe5288aaff84dbe980c412ba34e	—	2021-11-29
FileHash-SHA1	d0361fbcebe59205b2ea6a31041c89464a5e61b6	—	2021-11-29
FileHash-SHA1	d4f5cc55b6fa25f9a45ba7e968438b97e33aefbc	—	2021-11-29
FileHash-SHA1	ea031940b2120551a6abbe125eb0536b9e4f14c8	—	2021-11-29
FileHash-SHA1	eaa792a1c9f1d277af3d88bd9ea17a33275308f3	—	2021-11-29
FileHash-SHA1	f88a948b0fd137d4b14cf5aec0c08066cb07e08d	—	2021-11-29
FileHash-SHA256	01a9549c015cfcbff4a830cea7df6386dc5474fd433f15a6944b834551a2b4c9	—	2021-11-29
FileHash-SHA256	09d7fcbf95e66b242ff5d7bc76e4d2c912462c8c344cb2b90070a38d27aaef53	SHA256 of ea031940b2120551a6abbe125eb0536b9e4f14c8 SHA256 of ea031940b2120551a6abbe125eb0536b9e4f14c8	2021-11-29
FileHash-SHA256	14bccfecaaec8353e3e8f090ec1d3e9c87eb8ceb2a7abedfc47c3c980da8ad71	SHA256 of 5d4f020115a483e9e5aa9778c038466f9014c90c	2021-11-29
FileHash-SHA256	1872bf6c974e9b11040851f7d30e5326afdc8b13802891c222af4368a14f829c	—	2021-11-29
FileHash-SHA256	1edfae602f195d53b63707fe117e9c47e1925722533be43909a5d594e1ef63d3	—	2021-11-29
FileHash-SHA256	31656dcea4da01879e80dff59a1af60ca09c951fe5fc7e291be611c4eadd932a	—	2021-11-29
FileHash-SHA256	4a49cf7539f9fd5cc066dc493bf16598a38a75f7b656224db1ddd33005ad76f6	—	2021-11-29
FileHash-SHA256	6f844a6e903aa8e305e88ac0f60328c184f71a4bfbe93124981d6a4308b14610	—	2021-11-29
FileHash-SHA256	8f09c538fc587b882eecd9cfb869c363581c2c646d8c32a2f7c1ff3763dcb4e7	SHA256 of 33738cf695a6ac03675fe925d62ecb529ac73d03	2021-11-29
FileHash-SHA256	9b5d1f6a94ce122671a5956b2016e879428c74964174739b68397b6384f6ee8b	SHA256 of f88a948b0fd137d4b14cf5aec0c08066cb07e08d	2021-11-29
FileHash-SHA256	9cd3c0cff6f3ecb31c7d6bc531395ccfd374bcd257c3c463ac528703ae2b0219	—	2021-11-29
FileHash-SHA256	d4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f	SHA256 of c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e	2021-11-29
FileHash-SHA256	fb38061bf601001c45aafe8d0c5feaa22c607d2ff79cfb841788519ca55a17b4	SHA256 of 742ed8d0202aafba1c162537087a8a131cb85cde	2021-11-29
YARA	40fa72a95f59775578b298b0b1184b6ee6b0653d	conti - file o4IRWsH4N1a3hjO9Sy2rPP02oyUddH7zA5xGih0ESmlhiiXD9kpWVCPfOwUnayZp_locker_x64.dll	2021-11-29
domain	checkauj.com	—	2021-11-29
domain	millscruelg.com	—	2021-11-29
domain	perdefue.fr	—	2021-11-29
hostname	www.checkauj.com	—	2021-11-29

References (1)

↗ https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/