# KXK00OOkxxkO00KX0
# ,NXKxo:,'... ...';cdOXN:
# l;. ..,:ldxkOOOOOOkkxol:,.. .o
# dk lOOOOOOkkkkkkkkkkkOOOOOOx dk
# KNXOc. :0OkkkkkkkkkkkkkkkkkkkkkO0l. :kXNX
# x. .'ckOOkkkkkkkkkkkookkkkkkkkkkOOOl,. .k
# d. o0Okkkkkkkkkkkkk. okkkkkkkkkkOO0k x
# l. c0kkkkkkko. .ckk .kd..'xkkkkkk0x .o
# ;, ;0kkkkkkkc ;ko. .dk. :kkkkkk0l ':
# .l .OOkkkkkkkl. .lkocldkkl. 'xkkkkkOO, c.
# l o0kkkk:..'dkkk. .;okkkkkkkkk0x l
# .: .OOkkk; xk, .:kkkkkO0; ;.
# ;. :0kkkko;,cko :kkkk0d .:
# : oOkkkkkkkk .dkkk0k. :
# : dOkkkkkkk .:odxkkkkkOk. ;
# ; oOkkkkkkx:,,ckkkkkkkkkkOx. ,
# '. ;OOkkkkkkkkkkkkkkkkkOOc '
# ' .lOOkkkkkkkkkkkkkOOd. .
# . .lOOkkkkkkkkkOOo' ..
# ' .;dOOOkOOOx:. .
# .. .,lxo;. ..
# .. ..
#
# ____ ___ __ ____ _ _
#| _ \ / \ \ / / | _ \ __ _| |_ _ __ _ _| | ___ ___
#| |_) / _ \ \ /\ / / | |_) / _` | __| '__| | | | |/ _ \/ __|
#| __/ ___ \ V V / | __/ (_| | |_| | | |_| | | __/\__ \
#|_| /_/ \_\_/\_/ |_| \__,_|\__|_| \__,_|_|\___||___/
#
# IDS Rules for Suricata
# π Charles BLANC-ROLIN β ΅ - https://pawpatrules.fr - https://www.apssis.com - https://github.com/woundride
# Licence CC BY-NC-SA 4.0 : https://creativecommons.org/licenses/by-nc-sa/4.0/
# π΄ Trojan Bazar / KEGTAP - IP
# ---- BazarLoader / BazarBackdoor / KEGTAP: Cobalt Strike C2 destination IPs (thedfirreport, created 2021_02_03) ----
# sid 3301680-3301688, rev 1. Each rule matches any IP packet from anywhere to the listed address on
# any port, so one hit covers the whole host, not only the C2 listener: replies to a scan, an unrelated
# service on the same box or a neighbour on shared hosting will alert just the same. Confirm with the
# flow / TLS logs before escalating. Several of these addresses sit in ranges commonly leased by cloud
# providers and get reassigned over time: re-validate against the reference before moving from alert
# to drop. Optional: `target:src_ip;` marks the internal source as the victim in EVE output.
alert ip any any -> 195.123.222.23 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://thedfirreport.com/2021/01/31/bazar-no-ryuk/; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_03, updated_at 2021_02_03; sid:3301680; rev:1; classtype:trojan-activity;)
alert ip any any -> 52.37.54.140 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://thedfirreport.com/2021/01/31/bazar-no-ryuk/; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_03, updated_at 2021_02_03; sid:3301681; rev:1; classtype:trojan-activity;)
alert ip any any -> 52.90.110.55 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://thedfirreport.com/2021/01/31/bazar-no-ryuk/; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_03, updated_at 2021_02_03; sid:3301682; rev:1; classtype:trojan-activity;)
alert ip any any -> 52.91.20.198 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://thedfirreport.com/2021/01/31/bazar-no-ryuk/; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_03, updated_at 2021_02_03; sid:3301683; rev:1; classtype:trojan-activity;)
alert ip any any -> 54.151.74.109 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://thedfirreport.com/2021/01/31/bazar-no-ryuk/; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_03, updated_at 2021_02_03; sid:3301684; rev:1; classtype:trojan-activity;)
alert ip any any -> 54.184.178.68 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://thedfirreport.com/2021/01/31/bazar-no-ryuk/; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_03, updated_at 2021_02_03; sid:3301685; rev:1; classtype:trojan-activity;)
alert ip any any -> 54.193.45.225 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://thedfirreport.com/2021/01/31/bazar-no-ryuk/; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_03, updated_at 2021_02_03; sid:3301686; rev:1; classtype:trojan-activity;)
alert ip any any -> 54.202.186.121 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://thedfirreport.com/2021/01/31/bazar-no-ryuk/; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_03, updated_at 2021_02_03; sid:3301687; rev:1; classtype:trojan-activity;)
alert ip any any -> 208.100.26.238 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://thedfirreport.com/2021/01/31/bazar-no-ryuk/; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_03, updated_at 2021_02_03; sid:3301688; rev:1; classtype:trojan-activity;)
# ---- BazarLoader / BazarBackdoor / KEGTAP: Cobalt Strike C2 destination IPs (cofense write-up, created 2021_02_10) ----
# sid 3301689-3301695, rev 1. Same shape as the group above: any IP protocol, any port, destination
# address only. A hit therefore says "something talked to that host", not "a C2 session was seen";
# corroborate with flow / TLS logs and the referenced write-up before escalating. All seven addresses
# are in ranges commonly leased by cloud providers and may have been reassigned since 2021_02_10, so
# re-validate before converting to drop. Optional: `target:src_ip;` tags the internal source as the
# victim in EVE output.
alert ip any any -> 18.188.232.155 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_02_10; sid:3301689; rev:1; classtype:trojan-activity;)
alert ip any any -> 18.191.220.165 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_02_10; sid:3301690; rev:1; classtype:trojan-activity;)
alert ip any any -> 54.190.50.234 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_02_10; sid:3301691; rev:1; classtype:trojan-activity;)
alert ip any any -> 54.215.217.171 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_02_10; sid:3301692; rev:1; classtype:trojan-activity;)
alert ip any any -> 34.209.41.233 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_02_10; sid:3301693; rev:1; classtype:trojan-activity;)
alert ip any any -> 34.220.167.220 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_02_10; sid:3301694; rev:1; classtype:trojan-activity;)
alert ip any any -> 34.221.125.90 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_02_10; sid:3301695; rev:1; classtype:trojan-activity;)
# ---- BazarBackdoor: destination port 53 indicators (cofense write-up, created 2021_02_10, rev 2 on 2021_03_12) ----
# sid 3301696-3301763. These carry the same msg as the groups above but only match traffic to the
# listed address on port 53 (rev 2 narrowed them from `any`), so what they describe is name-resolution
# traffic towards that host, not a C2 session. NOTE(review): presumably these are the third-party
# resolvers the malware queries — confirm against the cofense reference before treating a hit as
# "connection to C2"; a dedicated msg for this group would remove the ambiguity. Any host that
# legitimately uses one of these resolvers will fire the rule on every lookup, so plan on tuning
# (e.g. `threshold:type limit, track by_src, count 1, seconds 600;`) and correlate with the dns log
# before escalating.
# NOTE(review): the protocol is `ip` with a port; a port is only meaningful for TCP/UDP(/SCTP)
# packets — confirm that the Suricata version in use applies the port to `ip` rules, otherwise
# split into `udp`/`tcp` variants. Resolver and cloud addresses change hands: re-validate the list
# before converting any of these to drop.
alert ip any any -> 51.254.25.115 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301696; rev:2; classtype:trojan-activity;)
alert ip any any -> 193.183.98.66 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301697; rev:2; classtype:trojan-activity;)
alert ip any any -> 91.217.137.37 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301698; rev:2; classtype:trojan-activity;)
alert ip any any -> 87.98.175.85 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301699; rev:2; classtype:trojan-activity;)
alert ip any any -> 185.121.177.177 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301700; rev:2; classtype:trojan-activity;)
alert ip any any -> 169.239.202.202 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301701; rev:2; classtype:trojan-activity;)
alert ip any any -> 198.251.90.143 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301702; rev:2; classtype:trojan-activity;)
alert ip any any -> 5.132.191.104 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301703; rev:2; classtype:trojan-activity;)
alert ip any any -> 111.67.20.8 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301704; rev:2; classtype:trojan-activity;)
alert ip any any -> 163.53.248.170 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301705; rev:2; classtype:trojan-activity;)
alert ip any any -> 142.4.204.111 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301706; rev:2; classtype:trojan-activity;)
alert ip any any -> 142.4.205.47 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301707; rev:2; classtype:trojan-activity;)
alert ip any any -> 158.69.239.167 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301708; rev:2; classtype:trojan-activity;)
alert ip any any -> 104.37.195.178 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301709; rev:2; classtype:trojan-activity;)
alert ip any any -> 192.99.85.244 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301710; rev:2; classtype:trojan-activity;)
alert ip any any -> 158.69.160.164 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301711; rev:2; classtype:trojan-activity;)
alert ip any any -> 46.28.207.199 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301712; rev:2; classtype:trojan-activity;)
alert ip any any -> 31.171.251.118 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301713; rev:2; classtype:trojan-activity;)
alert ip any any -> 81.2.241.148 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301714; rev:2; classtype:trojan-activity;)
alert ip any any -> 82.141.39.32 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301715; rev:2; classtype:trojan-activity;)
alert ip any any -> 50.3.82.215 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301716; rev:2; classtype:trojan-activity;)
alert ip any any -> 46.101.70.183 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301717; rev:2; classtype:trojan-activity;)
alert ip any any -> 5.45.97.127 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301718; rev:2; classtype:trojan-activity;)
alert ip any any -> 130.255.78.223 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301719; rev:2; classtype:trojan-activity;)
alert ip any any -> 144.76.133.38 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301720; rev:2; classtype:trojan-activity;)
alert ip any any -> 139.59.208.246 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301721; rev:2; classtype:trojan-activity;)
alert ip any any -> 172.104.136.243 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301722; rev:2; classtype:trojan-activity;)
alert ip any any -> 45.71.112.70 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301723; rev:2; classtype:trojan-activity;)
alert ip any any -> 163.172.185.51 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301724; rev:2; classtype:trojan-activity;)
alert ip any any -> 5.135.183.146 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301725; rev:2; classtype:trojan-activity;)
alert ip any any -> 51.255.48.78 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301726; rev:2; classtype:trojan-activity;)
alert ip any any -> 188.165.200.156 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301727; rev:2; classtype:trojan-activity;)
alert ip any any -> 147.135.185.78 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301728; rev:2; classtype:trojan-activity;)
alert ip any any -> 92.222.97.145 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301729; rev:2; classtype:trojan-activity;)
alert ip any any -> 51.255.211.146 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301730; rev:2; classtype:trojan-activity;)
alert ip any any -> 159.89.249.249 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301731; rev:2; classtype:trojan-activity;)
alert ip any any -> 104.238.186.189 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301732; rev:2; classtype:trojan-activity;)
alert ip any any -> 139.59.23.241 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301733; rev:2; classtype:trojan-activity;)
alert ip any any -> 94.177.171.127 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301734; rev:2; classtype:trojan-activity;)
alert ip any any -> 45.63.124.65 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301735; rev:2; classtype:trojan-activity;)
alert ip any any -> 212.24.98.54 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301736; rev:2; classtype:trojan-activity;)
alert ip any any -> 178.17.170.179 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301737; rev:2; classtype:trojan-activity;)
alert ip any any -> 185.208.208.141 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301738; rev:2; classtype:trojan-activity;)
alert ip any any -> 82.196.9.45 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301739; rev:2; classtype:trojan-activity;)
alert ip any any -> 146.185.176.36 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301740; rev:2; classtype:trojan-activity;)
alert ip any any -> 89.35.39.64 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301741; rev:2; classtype:trojan-activity;)
alert ip any any -> 89.18.27.167 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301742; rev:2; classtype:trojan-activity;)
alert ip any any -> 77.73.68.161 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301743; rev:2; classtype:trojan-activity;)
alert ip any any -> 185.117.154.144 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301744; rev:2; classtype:trojan-activity;)
alert ip any any -> 176.126.70.119 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301745; rev:2; classtype:trojan-activity;)
alert ip any any -> 139.99.96.146 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301746; rev:2; classtype:trojan-activity;)
alert ip any any -> 217.12.210.54 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301747; rev:2; classtype:trojan-activity;)
alert ip any any -> 185.164.136.225 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301748; rev:2; classtype:trojan-activity;)
alert ip any any -> 192.52.166.110 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301749; rev:2; classtype:trojan-activity;)
alert ip any any -> 63.231.92.27 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301750; rev:2; classtype:trojan-activity;)
alert ip any any -> 66.70.211.246 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301751; rev:2; classtype:trojan-activity;)
alert ip any any -> 96.47.228.108 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301752; rev:2; classtype:trojan-activity;)
alert ip any any -> 45.32.160.206 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301753; rev:2; classtype:trojan-activity;)
alert ip any any -> 128.52.130.209 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301754; rev:2; classtype:trojan-activity;)
alert ip any any -> 35.196.105.24 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301755; rev:2; classtype:trojan-activity;)
alert ip any any -> 172.98.193.42 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301756; rev:2; classtype:trojan-activity;)
alert ip any any -> 162.248.241.94 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301757; rev:2; classtype:trojan-activity;)
alert ip any any -> 107.172.42.186 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301758; rev:2; classtype:trojan-activity;)
alert ip any any -> 167.99.153.82 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301759; rev:2; classtype:trojan-activity;)
alert ip any any -> 138.197.25.214 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301760; rev:2; classtype:trojan-activity;)
alert ip any any -> 69.164.196.21 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301761; rev:2; classtype:trojan-activity;)
alert ip any any -> 192.71.245.208 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301762; rev:2; classtype:trojan-activity;)
alert ip any any -> 185.120.22.15 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301763; rev:2; classtype:trojan-activity;)
alert ip any any -> 45.71.185.100 53 (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_02_10, updated_at 2021_03_12; sid:3301764; rev:2; classtype:trojan-activity;)
alert ip any any -> 50.87.232.245 any (msg:"πΎ - π¨ Connection to β π C2 Cobalt Strike - KEGTAP / BazarLoader / BazarBackdoor"; reference: url,https://cofense.com/blog/bazarbackdoor-stealthy-infiltration; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2021_03_12, updated_at 2021_03_12; sid:3301765; rev:1; classtype:trojan-activity;)
alert ip any any -> 159.223.31.75 any (msg:"πΎ - π¨ Connection to an IP address flagged at BazarLoader"; reference: url,https://thedfirreport.com/2021/12/13/diavol-ransomware/; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2022_02_14, updated_at 2022_02_14; sid:3301766; rev:1; classtype:trojan-activity;)
alert ip any any -> 206.189.49.239 any (msg:"πΎ - π¨ Connection to an IP address flagged at BazarLoader"; reference: url,https://thedfirreport.com/2021/12/13/diavol-ransomware/; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2022_02_14, updated_at 2022_02_14; sid:3301767; rev:1; classtype:trojan-activity;)
alert ip any any -> 45.15.131.126 any (msg:"πΎ - π¨ Connection to an IP address flagged at BazarLoader"; reference: url,https://abnormalsecurity.com/blog/bazarloader-contact-form; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2022_03_16, updated_at 2022_03_16; sid:3301768; rev:1; classtype:trojan-activity;)
alert ip any any -> 148.163.42.203 any (msg:"πΎ - π¨ Connection to an IP address flagged at BazarLoader"; reference: url,https://abnormalsecurity.com/blog/bazarloader-contact-form; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2022_03_16, updated_at 2022_03_16; sid:3301769; rev:1; classtype:trojan-activity;)
alert ip any any -> 45.41.204.150 any (msg:"πΎ - π¨ Connection to an IP address flagged at BazarLoader"; reference: url,https://abnormalsecurity.com/blog/bazarloader-contact-form; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2022_03_16, updated_at 2022_03_16; sid:3301770; rev:1; classtype:trojan-activity;)
alert ip any any -> 193.169.86.84 any (msg:"πΎ - π¨ Connection to an IP address flagged at BazarLoader"; reference: url,https://abnormalsecurity.com/blog/bazarloader-contact-form; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2022_03_16, updated_at 2022_03_16; sid:3301771; rev:1; classtype:trojan-activity;)
alert ip any any -> 76.6.231.20 any (msg:"πΎ - π¨ Connection to an IP address flagged at BazarLoader"; reference: url,https://abnormalsecurity.com/blog/bazarloader-contact-form; reference: url,https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor; metadata:created_at 2022_03_16, updated_at 2022_03_16; sid:3301772; rev:1; classtype:trojan-activity;)