BazarLoader and the Conti Leaks
Tags
  cmtmf-attack-pattern: Command And Scripting Interpreter; Process Injection
  country: France
  maec-delivery-vectors: Watering Hole
  attack-pattern:
    Data Software Discovery - T1418
    Cached Domain Credentials - T1003.005
    Command And Scripting Interpreter - T1623
    Credentials - T1589.001
    Data From Local System - T1533
    Dns - T1071.004
    Dns - T1590.002
    Domain Accounts - T1078.002
    Domain Trust Discovery - T1482
    Domains - T1583.001
    Domains - T1584.001
    File And Directory Discovery - T1420
    Lateral Tool Transfer - T1570
    Local Account - T1087.001
    Local Account - T1136.001
    Local Accounts - T1078.003
    Local Data Staging - T1074.001
    Lsass Memory - T1003.001
    Malicious File - T1204.002
    Malware - T1587.001
    Malware - T1588.001
    Masquerade Task Or Service - T1036.004
    Process Discovery - T1424
    Ntds - T1003.003
    Phishing - T1660
    Phishing - T1566
    Powershell - T1059.001
    Process Hollowing - T1055.012
    Process Injection - T1631
    Remote Data Staging - T1074.002
    Remote Desktop Protocol - T1021.001
    Reversible Encryption - T1556.005
    Rundll32 - T1218.011
    Server - T1583.004
    Server - T1584.004
    Smb/Windows Admin Shares - T1021.002
    Software - T1592.002
    Software Discovery - T1518
    Spearphishing Attachment - T1566.001
    Spearphishing Attachment - T1598.002
    Ssh - T1021.004
    Windows Remote Management - T1021.006
    Windows Command Shell - T1059.003
    Tool - T1588.002
    Account Discovery - T1087
    Command-Line Interface - T1059
    Connection Proxy - T1090
    Create Account - T1136
    Credential Dumping - T1003
    Data From Local System - T1005
    Data From Network Shared Drive - T1039
    Data Staged - T1074
    File And Directory Discovery - T1083
    Network Share Discovery - T1135
    Powershell - T1086
    Process Discovery - T1057
    Process Hollowing - T1093
    Process Injection - T1055
    Remote Desktop Protocol - T1076
    Remote Services - T1021
    Remote System Discovery - T1018
    Rundll32 - T1085
    Signed Binary Proxy Execution - T1218
    Spearphishing Attachment - T1193
    System Owner/User Discovery - T1033
    System Time Discovery - T1124
    Windows Remote Management - T1028
    Valid Accounts - T1078
    User Execution - T1204
    Remote System Discovery
    Spearphishing Attachment
    Valid Accounts
    User Execution
Common Information
  UUID: c837cf02-f9c1-4f0e-9e5e-6f2b9f54236a
  Fingerprint: 8702a4f96138e4f1
  Analysis status: DONE
  Considered CTI value: 2
  Text language:
  Published: Oct. 4, 2021, 1:30 a.m.
  Added to db: Sept. 11, 2022, 12:37 p.m.
  Last updated: Nov. 17, 2024, 7:44 p.m.
  Headline: BazarLoader and the Conti Leaks
  Title: BazarLoader and the Conti Leaks
  Detected Hints/Tags/Attributes: 191/4/173
Attributes
Type | #Events | Value
File | 1 | pwdump.txt
File | 5 | users.csv
File | 4 | ntdsaudit.exe
File | 1 | pwddump.txt
File | 10 | adf.bat
File | 53 | adfind.exe
File | 1 | ping.bat
File | 5 | c:\programdata\log.txt
File | 3 | c:\programdata\shares.txt
File | 1 | av.txt
File | 9 | av.bat
File | 1 | c:\programdata\av.txt
File | 21 | %windir%\\syswow64\\rundll32.exe
File | 2 | skin.js
File | 21 | %windir%\\sysnative\\rundll32.exe
File | 1 | fam_cart.js
File | 1 | %windir%\\sysnative\\mstsc.exe
File | 1 | %windir%\\syswow64\\mstsc.exe
File | 37 | rclone.exe
File | 2 | 21.dll
File | 1122 | svchost.exe
File | 1018 | rundll32.exe
File | 1 | anydesk.txt
File | 74 | mstsc.exe
File | 27 | searchindexer.exe
File | 1 | c:\winows\system32\searchindexer.exe
File | 29 | c:\windows\system32\lsass.exe
File | 36 | c:\windows\system32\ntdll.dll
File | 20 | c:\windows\system32\kernelbase.dll
File | 3 | c:\program files\common files\microsoft shared\ink\ipsplugin.dll
File | 8 | 21.exe
File | 1 | 37b.dll
File | 1 | ea3612919bf05b66e9a608bee742a422.dll
File | 256 | net.exe
File | 59 | ntdsutil.exe
File | 39 | anydesk.exe
File | 2 | ekx.cfm
File | 2 | nlog.dll
File | 1 | commandlineutils.dll
File | 1 | costura.sys
File | 2 | valuetuple.dll
File | 25 | interop.dll
File | 2 | costura.dll
File | 1 | costura.reg
File | 2 | istry.dll
File | 1 | nfluent.dll
File | 12 | wldap32.dll
Github username | 27 | sigmahq
Github username | 6 | nvisosecurity
Github username | 1 | beardofbinary
MITRE ATT&CK Technique | 57 | T1036.004
MITRE ATT&CK Technique | 409 | T1566
MITRE ATT&CK Technique | 310 | T1566.001
MITRE ATT&CK Technique | 71 | T1078.002
MITRE ATT&CK Technique | 695 | T1059
MITRE ATT&CK Technique | 420 | T1204
MITRE ATT&CK Technique | 460 | T1059.001
MITRE ATT&CK Technique | 333 | T1059.003
MITRE ATT&CK Technique | 365 | T1204.002
MITRE ATT&CK Technique | 86 | T1136
MITRE ATT&CK Technique | 306 | T1078
MITRE ATT&CK Technique | 72 | T1087.001
MITRE ATT&CK Technique | 440 | T1055
MITRE ATT&CK Technique | 86 | T1055.012
MITRE ATT&CK Technique | 121 | T1218
MITRE ATT&CK Technique | 119 | T1218.011
MITRE ATT&CK Technique | 289 | T1003
MITRE ATT&CK Technique | 173 | T1003.001
MITRE ATT&CK Technique | 14 | T1003.005
MITRE ATT&CK Technique | 124 | T1482
MITRE ATT&CK Technique | 179 | T1087
MITRE ATT&CK Technique | 585 | T1083
MITRE ATT&CK Technique | 433 | T1057
MITRE ATT&CK Technique | 176 | T1135
MITRE ATT&CK Technique | 243 | T1018
MITRE ATT&CK Technique | 185 | T1518
MITRE ATT&CK Technique | 230 | T1033
MITRE ATT&CK Technique | 86 | T1124
MITRE ATT&CK Technique | 118 | T1570
MITRE ATT&CK Technique | 159 | T1021
MITRE ATT&CK Technique | 160 | T1021.001
MITRE ATT&CK Technique | 139 | T1021.002
MITRE ATT&CK Technique | 30 | T1021.006
MITRE ATT&CK Technique | 534 | T1005
MITRE ATT&CK Technique | 67 | T1039
MITRE ATT&CK Technique | 67 | T1074
MITRE ATT&CK Technique | 49 | T1074.001
MITRE ATT&CK Technique | 20 | T1074.002
Pdb | 2 | c:\\buildbot\\ad-windows-32\\build\\release\\app-32\\win_loader\\anydesk.pdb
Pdb | 1 | c:\\code\\ntdsaudit\\src\\ntdsaudit\\obj\\release\\ntdsaudit.pdb
Url | 1 | https://tria.ge/210716-v4jh8hf6ea/behavioral2
Url | 1 | https://rclone.org/flags
Url | 1 | https://rclone.org/commands/rclone_copy
Url | 2 | https://github.com/sigmahq/sigma/blob/master/rules/windows/process_creation/win_susp_net_execution.yml
Url | 1 | https://github.com/sigmahq/sigma/blob/master/rules/windows/process_creation/win_susp_adfind.yml
Url | 1 | https://github.com/sigmahq/sigma/blob/master/rules/windows/builtin/win_account_discovery.yml
Url | 1 | https://github.com/sigmahq/sigma/blob/master/rules/windows/process_creation/win_malware_dridex.yml
Url | 1 | https://github.com/sigmahq/sigma/blob/master/rules/windows/process_creation/win_trust_discovery.yml
Url | 1 | https://github.com/nvisosecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_ntdsutil.yml
Url | 1 | https://github.com/sigmahq/sigma/blob/master/rules/windows/process_creation/win_advanced_ip_scanner.yml
Url | 1 | https://github.com/sigmahq/sigma/blob/master/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
Url | 1 | https://github.com/sigmahq/sigma/blob/master/rules/windows/process_creation/win_net_user_add.yml
Url | 1 | https://github.com/sigmahq/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_rundll32_net_connections.yml
Url | 1 | https://github.com/sigmahq/sigma/blob/master/rules/windows/powershell/powershell_malicious_commandlets.yml
Url | 1 | https://github.com/sigmahq/sigma/blob/master/rules/windows/process_creation/win_susp_svchost.yml
Url | 1 | https://gist.github.com/beardofbinary/fede0607e830aa1add8deda3d59d9a77#file
Url | 1 | https://gist.github.com/beardofbinary/d46c3b4e37ba8b21a79a63fbf69c6411#file