Network Forensics of Contact Forms BazarLoader and Cobalt Strike Based on PCAP File Analysis
Keywords:
Network Forensics, Malware, Cobalt Strike, BazarLoader, Indicators of Compromise

Abstract
This study presents a forensic analysis of the PCAP file 2021-12-03-Contact-Forms-BazarLoader-with-Cobalt-Strike to identify Indicators of Compromise (IoCs) and attack patterns associated with the BazarLoader malware family. Using Wireshark for packet inspection and VirusTotal for threat intelligence validation, several critical findings were observed. First, suspicious communication was detected with the domain mordister.top, flagged as malicious by 4 out of 97 security vendors. Second, evidence of Server Message Block (SMB) activity on port 445 indicated potential lateral movement within the network. Third, beaconing patterns were identified toward a Command and Control (C2) server via port 443, leveraging encrypted traffic to evade detection. These artifacts highlight the multi-stage nature of the infection chain, where BazarLoader facilitates the deployment of Cobalt Strike as a post-exploitation tool. The results demonstrate that early detection of BazarLoader infections can be achieved through multi-layered forensic analysis, combining network traffic inspection with external threat intelligence sources. Accuracy testing of the proposed detection approach yielded a rate of 92%, underscoring its effectiveness in identifying malicious activity at an early stage. This research contributes to the broader field of network forensics by providing actionable IoCs and detection strategies that can be integrated into security operations centers (SOCs) to mitigate risks posed by advanced malware campaigns.
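As an added illustration of the multi-layered detection approach the abstract describes (example code, not the paper's own), the following Python runs the three checks over constructed flow records: a threat-intelligence lookup of the destination name, a fan-out check for SMB on port 445, and an inter-arrival jitter test for periodic port-443 connections. The intel table, thresholds and all addresses are assumptions.

```python
from statistics import mean, pstdev
from collections import defaultdict

# Constructed threat-intel feed: domain -> (vendors flagging it, vendors total)
THREAT_INTEL = {"mordister.top": (4, 97)}

# Constructed flow records: (timestamp_s, src, dst, dst_port, server name or "")
FLOWS = [
    (0,   "10.0.0.5", "203.0.113.7",  443, "mordister.top"),
    (60,  "10.0.0.5", "203.0.113.7",  443, "mordister.top"),
    (121, "10.0.0.5", "203.0.113.7",  443, "mordister.top"),
    (180, "10.0.0.5", "203.0.113.7",  443, "mordister.top"),
    (240, "10.0.0.5", "203.0.113.7",  443, "mordister.top"),
    (15,  "10.0.0.5", "10.0.0.20",    445, ""),
    (17,  "10.0.0.5", "10.0.0.21",    445, ""),
    (30,  "10.0.0.5", "198.51.100.9", 443, "example.com"),
    (300, "10.0.0.5", "198.51.100.9", 443, "example.com"),
    (310, "10.0.0.5", "198.51.100.9", 443, "example.com"),
]

def check_threat_intel(flows, intel=THREAT_INTEL, min_hits=1):
    """Layer 1: destination names that at least min_hits vendors flag."""
    hits = {f[4]: intel[f[4]] for f in flows if intel.get(f[4], (0, 0))[0] >= min_hits}
    return sorted(hits.items())

def check_smb(flows, min_peers=2):
    """Layer 2: one source reaching several internal hosts on 445 hints at lateral movement."""
    peers = defaultdict(set)
    for _, src, dst, port, _ in flows:
        if port == 445:
            peers[src].add(dst)
    return {src: sorted(d) for src, d in peers.items() if len(d) >= min_peers}

def check_beaconing(flows, min_conns=4, max_cv=0.1):
    """Layer 3: near-periodic 443 connections to one peer (low jitter) suggest C2 beaconing."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if port == 443:
            by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_conns:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) == 0:
            continue
        cv = pstdev(gaps) / mean(gaps)  # coefficient of variation of inter-arrival times
        if cv <= max_cv:
            hits[pair] = mean(gaps)  # value is the estimated beacon interval in seconds
    return hits
```

Real captures would feed these functions from Wireshark/tshark exports rather than the inline list, and the jitter threshold needs tuning against benign periodic traffic such as update checks.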
Copyright (c) 2025 International Journal of Cyber Engineering

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
