Threat Intelligence – Bazarcall Malware Latest IOCs

By
BalaGanesh
-
0

The malware identified first as Anchor. The anchor is a sophisticated backdoor that served as a module to a subset of TrickBot installations. Operating since August 2018 it is not delivered to everybody, but the contrary is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in the early TrickBot, multiple experts believe it could be attributed to the same authors. Due to similarities in code and usage of the two different malware families in the same intrusions. In 2020 the Bazar malware family entered and again many associated it with the same group behind Trickbot. Below are the latest indicators of compromise.

Credits : Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION: BAZARCALL – [.]xlsb Edition

SENDER EMAILS
gmorpeth@bonitaspringsmb [.]com
info@icartservice [.]com
krishan@kingsafari [.]in
nadirrodrigues@ibest [.]com [.]br
site@icartservice [.]com
xohanikywu@dentaliglesias [.]com

SUBJECTS
Do you want to extend your free trial KMR00418116?
Do you want to extend your free trial KMR13605781?
Do you want to extend your free trial KMR28241534?
Do you want to extend your free trial KMR38657965?
Do you want to extend your free trial KMR47187437?
Do you want to extend your free trial KMR59049185?
Do you want to extend your free trial KMR87914354?
Thank you for using your free trial KMR28819573 [.] Time to move on!
Thank you for using your free trial KMR45337745 [.] Time to move on!
Thank you for using your free trial KMR46267140 [.] Time to move on!
Thank you for using your free trial KMR59828873 [.] Time to move on!
Thank you for using your free trial KMR59971971 [.] Time to move on!
Your free period KMR03984752 is going to end!
Your free period KMR08015658 is going to end!
Your free period KMR24280432 is going to end!
Your free period KMR56295629 is going to end!
Your free period KMR59244107 is going to end!
Your free period KMR83928445 is going to end!
Your free trial BCS18065350 has come to end!
Your free trial KJR21262654 is going to end!
Your free trial KMR08379642 is about to end!
Your free trial KMR32300989 is going to end!
Your free trial KMR54513846 is going to end!
Your free trial KMR69190965 is going to end!
Your free trial period BCS10146263 is almost over!
Your free trial period BCS72395253 is almost over!
Your free trial period KMR18215288 is almost over!
Your free trial period KMR69309458 is almost over!
Your free trial period KMR79233861 is almost over!

LURE PHONE NUMBER
1 (209) 554 3767

MALDOC DOWNLOAD URLS
https://bluecartservice [.]com/unsubscribe [.]html
https://icartservice [.]org/unsubscribe [.]html
https://imedservice [.]org/unsubscribe [.]html
https://imerservice [.]net/unsubscribe [.]html
https://merservice [.]org/unsubscribe [.]html
https://edurock [.]org/page-help-&-support-details [.]html

https://bluecartservice [.]com/request [.]php
https://icartservice [.]org/request [.]php
https://imedservice [.]org/request [.]php
https://imerservice [.]net/request [.]php
https://merservice [.]org/request [.]php

bluecartservice [.]com
edurock [.]org
icartservice [.]org
imedservice [.]org
imerservice [.]net
merservice [.]org

MALDOC FILE HASHES
subscription_1616701470 [.]xlsb
6deb0347177942b01645fb3eaffcaaa3

subscription_1616701458 [.]xlsb
98438a323332d7f284414705bfbd6c1d

subscription_1616701481 [.]xlsb
e99d785bb13f00307dba75071da7bddb

PAYLOAD DOWNLOAD URLS
http://whynt [.]xyz/campo/w/w
POSTs ping

then downloads from:
http://whynt [.]xyz/uploads/files/dl8x64 [.]exe

PAYLOAD FILE HASH
dl8x64 [.]exe
b5cb5ac79b76d8db06f631e4ab461074

ADDITIONAL/C2 TRAFFIC
https://3 [.]89 [.]160 [.]167

ADDITIONAL FILES
Additional files
1616183460
91ee2afefdf066eae3aead061a8075ed

Found in \Users\Public
12394 [.]xps
256bd88292afefc1a17a96970ff6bbfe

12394 [.]xlsb
256bd88292afefc1a17a96970ff6bbfe

12394 [.]fl5
5e61a7988375efe18897ff264b7c81b8

STRINGS RUNNING IN MEMORY
C:\project\kerbwe 8\Bin\x64\ReleaseDLL\degx64 [.]pdb
/studio/cut_the_crup

More references to “Amadey”

THREAT IDENTIFICATION: BAZARCALL – doc File Edition

Credits : Research by ExecuteMalware

SENDER EMAILS
gmorpeth@bonitaspringsmb [.]com
info@icartservice [.]com
krishan@kingsafari [.]in
nadirrodrigues@ibest [.]com [.]br
site@icartservice [.]com
xohanikywu@dentaliglesias [.]com

SUBJECTS
Do you want to extend your free trial KMR00418116?
Do you want to extend your free trial KMR13605781?
Do you want to extend your free trial KMR28241534?
Do you want to extend your free trial KMR38657965?
Do you want to extend your free trial KMR47187437?
Do you want to extend your free trial KMR59049185?
Do you want to extend your free trial KMR87914354?
Thank you for using your free trial KMR28819573 [.] Time to move on!
Thank you for using your free trial KMR45337745 [.] Time to move on!
Thank you for using your free trial KMR46267140 [.] Time to move on!
Thank you for using your free trial KMR59828873 [.] Time to move on!
Thank you for using your free trial KMR59971971 [.] Time to move on!
Your free period KMR03984752 is going to end!
Your free period KMR08015658 is going to end!
Your free period KMR24280432 is going to end!
Your free period KMR56295629 is going to end!
Your free period KMR59244107 is going to end!
Your free period KMR83928445 is going to end!
Your free trial BCS18065350 has come to end!
Your free trial KJR21262654 is going to end!
Your free trial KMR08379642 is about to end!
Your free trial KMR32300989 is going to end!
Your free trial KMR54513846 is going to end!
Your free trial KMR69190965 is going to end!
Your free trial period BCS10146263 is almost over!
Your free trial period BCS72395253 is almost over!
Your free trial period KMR18215288 is almost over!
Your free trial period KMR69309458 is almost over!
Your free trial period KMR79233861 is almost over!

LURE PHONE NUMBER
1 (209) 554 3767

MALDOC DOWNLOAD URLS
https://bluecartservice [.]com/unsubscribe [.]html
https://icartservice [.]org/unsubscribe [.]html
https://imedservice [.]org/unsubscribe [.]html
https://imerservice [.]net/unsubscribe [.]html
https://merservice [.]org/unsubscribe [.]html
https://edurock [.]org/page-help-&-support-details [.]html

https://bluecartservice [.]com/request [.]php
https://icartservice [.]org/request [.]php
https://imedservice [.]org/request [.]php
https://imerservice [.]net/request [.]php
https://merservice [.]org/request [.]php

bluecartservice [.]com
edurock [.]org
icartservice [.]org
imedservice [.]org
imerservice [.]net
merservice [.]org

MALDOC FILE HASHES
subscription_1616701441 [.]doc
8f124c70da0662e24291511479162932

DFSLOADNG [.]CMD
06ff51c4f8f08ffd5d002fdc60c7e20d

Students11 [.]vbs
9f95caa013fecdebef5934e9291a1419

PAYLOAD FILE HASH
t12 [.]dll
75fabcbbb10bb8f5e518f3fe39f4833d

ADDITIONAL/C2 TRAFFIC
https://lokoloppo1 [.]com
185 [.]189 [.]151 [.]108:443

https://lokoloppo2 [.]com
185 [.]212 [.]47 [.]104:443

Previous articleThreat Intelligence – Bazarcall Malware Latest IOCs
Next articleThreat Intelligence – Hancitor & Bazarcall Latest IOCs
BalaGanesh
BalaGanesh
https://www.socinvestigation.com
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here