Threat Intelligence – Bazarcall / Bazar Loader Malware Latest IOCs


The malware was first identified as Anchor. Anchor is a sophisticated backdoor that served as a module in a subset of TrickBot installations. Operating since August 2018, it is not delivered to every victim; on the contrary, it is delivered only to high-profile targets. Because its C2 communication scheme is very similar to the one implemented in early TrickBot, and because of similarities in code and the use of the two malware families in the same intrusions, multiple experts believe it can be attributed to the same authors. In 2020 the Bazar malware family appeared, and again many associated it with the group behind TrickBot. Below are the latest indicators of compromise.


Credits: Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION: BAZAR CALL / BAZAR LOADER

SENDER EMAILS
[email protected][.]com
[email protected][.]us
[email protected][.]com
[email protected][.]com
[email protected][.]fr
[email protected][.]com
[email protected][.]com
[email protected][.]com
[email protected][.]celticwindmilltrucking[.]com
[email protected][.]org
[email protected][.]cityofblum[.]org
[email protected][.]com
[email protected][.]com
[email protected][.]org
[email protected][.]fr
[email protected][.]info
[email protected][.]com

SUBJECTS
Do you want to extend your free period ###########?
Free trial period for ############ will end in 3 days
Free trial period for ############ will end in three days
Thank you for using your free period ########### [.] Time to move on!
Your free period ########### is about to be over!
Your free period ########### is about to end!
Your free period ########### is almost over!
Your free period ########### is going to end!
Your free trial ########### is about to end!
Your free trial ########### is going to end!
Your free trial period ########### is almost finished
Your free trial period ########### is almost over!

LURE PHONE NUMBERS
1 (213) 401 9021
1 (657) 220 1695

MALDOC DOWNLOAD URLS
getmers[.]us
https://gtmers[.]xyz/unsubscribe[.]html
Result = 404
gobcs[.]us
https://gobcss[.]xyz/unsubscribe[.]html
Result = [.]xlsb
geticart[.]us
https://igetcart[.]xyz/unsubscribe[.]html
Result = [.]xlsb
https://goimed[.]us/
https://goimed[.]us/unsubscribe[.]html
Result = 404
buyimers[.]us
https://buymers[.]xyz/unsubscribe[.]html
Result = [.]xlsb

MALDOC DOMAINS
getmers[.]us
gobcs[.]us
geticart[.]us
goimed[.]us
buyimers[.]us

MALDOC (XLSB) FILE HASHES
562f79b140956396a2565ceb517bd4c3
5fd381f999d95ce87bd371855c12b918
61f088075376c04815f611dc0a60882e
687b33fe6d8101cd86f27754a04b38e9
aca3073d2fa419834bd1998806103dca
fe9b3d6f7c68e6d2ac10aec454051267

PAYLOAD DOWNLOAD URLS
http://about2[.]xyz/campo/a/a1
http://about2[.]xyz/uploads/files/rl103[.]exe

PAYLOAD FILE HASHES
rl103[.]exe
4bf479d0fcb081c8ab68c41d848d593d
renamed to:
fjlq[.]exe
4bf479d0fcb081c8ab68c41d848d593d

ADDITIONAL TRAFFIC
https://18[.]223[.]206[.]249
https://3[.]86[.]82[.]29

ADDITIONAL FILE HASHES FROM PAYLOAD DOMAIN
yer5e[.]exe
fae1cf371d316ddd6918efda8b993f72
rety5r2[.]exe
88df8e94cd1738d631974c9aff361c8f
ret5er[.]exe
68defeb5cbf90fac11e4db64d2e39ab5
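The indicators above are published defanged ("[.]" in place of "."), so before they can be matched against telemetry they have to be refanged and sorted by type. The following Python is an added example, not code from ExecuteMalware's research or from this site: it refangs a subset of the indicators listed above (the values are the page's own), classifies them as MD5 hash, URL, IPv4 or domain, and runs the resulting sets over a few constructed proxy, EDR and firewall log lines. The key=value log layout, the field names (url, md5, dst), the "hxxp" handling and the benign all-zero hash are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Subset of the indicators listed above, copied in the page's own "[.]"
# defanged form (the sender addresses are omitted: the source obfuscated them).
DEFANGED_IOCS = """
getmers [.]us
https://gobcss [.]xyz/unsubscribe [.]html
http://about2 [.]xyz/campo/a/a1
http://about2 [.]xyz/uploads/files/rl103 [.]exe
https://18 [.]223 [.]206 [.]249
https://3 [.]86 [.]82 [.]29
562f79b140956396a2565ceb517bd4c3
4bf479d0fcb081c8ab68c41d848d593d
88df8e94cd1738d631974c9aff361c8f
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
KV_RE = re.compile(r"(\w+)=(\S+)")  # assumed key=value log layout


def refang(value: str) -> str:
    """Reverse common defanging so the indicator can be matched literally."""
    v = re.sub(r"\s*\[\.\]\s*", ".", value.strip())          # "a [.]b" -> "a.b"
    v = re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)  # assumed convention
    return v


def host_of(url: str) -> str:
    """Host part of a URL (these indicators carry no port or credentials)."""
    return url.split("://", 1)[1].split("/", 1)[0]


@dataclass
class IocSet:
    hashes: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)


def parse_iocs(text: str) -> IocSet:
    """Classify each refanged line as MD5, URL (plus its host), IPv4 or domain."""
    iocs = IocSet()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        v = refang(raw).lower()
        if MD5_RE.match(v):
            iocs.hashes.add(v)
        elif v.startswith(("http://", "https://")):
            iocs.urls.add(v)
            host = host_of(v)
            (iocs.ips if IPV4_RE.match(host) else iocs.domains).add(host)
        elif IPV4_RE.match(v):
            iocs.ips.add(v)
        else:
            iocs.domains.add(v)
    return iocs


def match_log_line(line: str, iocs: IocSet) -> list:
    """Return (indicator_type, value) hits for one key=value log line."""
    f = {k.lower(): v.lower() for k, v in KV_RE.findall(line)}
    hits = []
    url = f.get("url")
    if url and url.startswith(("http://", "https://")):
        if url in iocs.urls:
            hits.append(("url", url))
        host = host_of(url)
        if host in iocs.domains:
            hits.append(("domain", host))
        elif host in iocs.ips:
            hits.append(("ip", host))
    if f.get("md5") in iocs.hashes:
        hits.append(("md5", f["md5"]))
    if f.get("dst") in iocs.ips:
        hits.append(("ip", f["dst"]))
    return hits


def scan_logs(lines: list, iocs: IocSet) -> list:
    """Indices and hits of every line that touches at least one indicator."""
    out = []
    for i, line in enumerate(lines):
        hits = match_log_line(line, iocs)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample telemetry (not real logs): proxy, EDR and firewall lines.
SAMPLE_LOGS = [
    "2021-06-01T10:12:03Z proxy src=10.0.0.15 url=https://gobcss.xyz/unsubscribe.html status=200",
    "2021-06-01T10:12:41Z proxy src=10.0.0.15 url=https://www.example.com/ status=200",
    "2021-06-01T10:13:09Z edr host=WS-17 image=C:\\Users\\a\\AppData\\Local\\Temp\\fjlq.exe md5=4bf479d0fcb081c8ab68c41d848d593d",
    "2021-06-01T10:14:00Z edr host=WS-22 image=C:\\Windows\\notepad.exe md5=00000000000000000000000000000000",
    "2021-06-01T10:15:30Z fw src=10.0.0.15 dst=18.223.206.249 dport=443 action=allow",
]

if __name__ == "__main__":
    iocs = parse_iocs(DEFANGED_IOCS)
    for idx, hits in scan_logs(SAMPLE_LOGS, iocs):
        print(f"line {idx}: {hits}")
```

Hosts are pulled out of the URL indicators and matched separately, so a renamed payload path on the same domain (the page itself shows rl103.exe being renamed to fjlq.exe) still produces a domain hit even when the exact URL no longer matches.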

Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, and Founder & Author of Soc Investigation.
