Threat Intelligence – Bazarcall Malware Latest IOCs

1

The malware identified first as Anchor. The anchor is a sophisticated backdoor that served as a module to a subset of TrickBot installations. Operating since August 2018 it is not delivered to everybody, but the contrary is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in the early TrickBot, multiple experts believe it could be attributed to the same authors. Due to similarities in code and usage of the two different malware families in the same intrusions. In 2020 the Bazar malware family entered and again many associated it with the same group behind Trickbot. Below are the latest indicators of compromise.


Credits : Research by ExecuteMalware

Indicators of Compromise

Date : 20/03/2021

THREAT IDENTIFICATION: BAZARCALL

SENDER EMAILS
[email protected] [.]net
[email protected] [.]unicornfacial [.]com

SUBJECTS
Want to extend your free trial KRM50267720B?
Want to extend your free trial RMN57030360?
Want to extend your free trial RMN75256851?
Your free trial KRM92920945 is about to end!
Your free trial RMN19210127 has come to end!

LURE PHONE NUMBER
1 (213) 261 0445

MALDOC DOWNLOAD URLS
https://icartservice [.]net/unsubscribe [.]html
https://imedservice [.]net/unsubscribe [.]html

MALDOC FILE HASHES
subscription_1616187055 [.]xlsb
7867ebc2414ca337b6a8213031e0c422

subscription_1616191079 [.]xlsb
a21b2b890883d7f4219c98a5b7f25984

subscription_1616187039 [.]xlsb
d17e780a23c19a5ce5c2a0d4abc19b55

subscription_1616191046 [.]xlsb
e91481deccd1adac7a7587ebaaa76d3c

subscription_1616187823 [.]xlsb
ff2b34767ab01242968b759d3b93161a

PAYLOAD DOWNLOAD URL
First is a POST to:
http://call2 [.]xyz/campo/j1/j1

Then:
http://call2 [.]xyz/uploads/files/ss [.]exe

PAYLOAD FILE HASH
ss [.]exe
91ee2afefdf066eae3aead061a8075ed

Renamed to:
klga [.]exe
91ee2afefdf066eae3aead061a8075ed


Previous articleThreat Intelligence – HANCITOR Malware Latest IOCs
Next articleThreat Intelligence – IcedID Malware Latest IOCs
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

1 COMMENT

LEAVE A REPLY

Please enter your comment!
Please enter your name here