Threat Intelligence – Bazarcall Malware Latest IOCs


The malware was first identified as Anchor. Anchor is a sophisticated backdoor that served as a module for a subset of TrickBot installations. Operating since August 2018, it is not delivered to every victim; on the contrary, it is delivered only to high-profile targets. Because its C2 communication scheme is very similar to the one implemented in early TrickBot, and because the two malware families share code and are used in the same intrusions, multiple experts believe it can be attributed to the same authors. In 2020 the Bazar malware family appeared, and again many associated it with the group behind TrickBot. Below are the latest indicators of compromise.


Credits : Research by ExecuteMalware

THREAT IDENTIFICATION: BAZARCALL

SENDER EMAILS
[email protected] [.]com
[email protected] [.]com

SUBJECTS
Your premium plan demo expires in 24 hours 0408########
Your current premium demo expires in 48 hours 0408########
Your current premium plan trial ends in 24 hours 0408########
Your current premium plan trial ends in 24 hours 0408########
Your premium demo expires in 3 days 0408#########
Your current premium plan trial ends in 24 hours 0408########
Your current premium trial ends in 48 hours 0408########
Your current premium trial expires in 3 days 0408########

LURE PHONE NUMBER
+1 901 584 0490

MALDOC LANDING PAGE URLS
https://bookpoint [.]us
https://bookspoint [.]us
https://pointbook [.]us
https://pointbooks [.]us
https://subsbookpoint [.]us
https://worldbookpoint [.]com


MALDOC DOWNLOAD URLS
https://bokpoint [.]xyz/unsubscribe
https://bokspoint [.]xyz/unsubscribe
https://pointbok [.]xyz/unsubscribe
https://pointboks [.]xyz/unsubscribe


MALDOC (XLSB) FILE HASHES

PAYLOAD DOWNLOAD URLS
http://dance4 [.]xyz/campo/d8/d9

ADDITIONAL DROPPED FILES
14118 [.]doy
61f9ff7edf0a1ff6888e541124226553

14118 [.]xlsb
61f9ff7edf0a1ff6888e541124226553

14118 [.]biy
0d90eb265cfe49b20037673845bd0c3c

Credits : Research by ExecuteMalware

THREAT IDENTIFICATION: BAZARCALL

SENDER EMAILS
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com
[email protected] [.]com

SUBJECTS
Your current premium demo ends in 24 hours 0407#########
Your current premium plan demo comes to an end in 48 hours 0407#########
Your current premium plan demo expires in 24 hours 0407#########
Your current premium plan trial comes to an end in 48 hours 0407#########
Your current premium trial comes to an end in 24 hours 0407#########
Your current premium trial expires in 48 hours 0407#########
Your premium demo ends in 24 hours 0407#########
Your premium demo ends in 24 hours 0407#########
Your premium demo expires in 1 day 0407#########
Your premium plan demo comes to an end in 1 day 0407#########
Your premium plan demo ends in 24 hours 0407#########
Your premium plan demo ends in 24 hours 0407#########
Your premium plan demo ends in 3 days 0407#########
Your premium plan demo ends in 3 days 0407#########
Your premium trial comes to an end in 3 days 0407#########

LURE PHONE NUMBER
+1 929 224 5129
+1 901 584 0490
+1 816 307 4271
+1 909 741 1518

MALDOC LANDING PAGE URLS
https://bookpoint [.]us
https://bookspoint [.]us
https://pointbook [.]us
https://pointbooks [.]us
https://subsbookpoint [.]us


MALDOC DOWNLOAD URLS
https://bokpoint [.]xyz/unsubscribe
https://bokspoint [.]xyz/unsubscribe
https://pointbok [.]xyz/unsubscribe
https://pointboks [.]xyz/unsubscribe (down)


MALDOC (XLSB) FILE HASHES

PAYLOAD DOWNLOAD URLS
http://basket2 [.]xyz/campo/u/u1


Balaganesh is an Incident Responder, Certified Ethical Hacker, Penetration Tester, Security blogger, and Founder & Author of Soc Investigation.

2 COMMENTS

    • Run Wireshark, procmon, etc. and check the malware behavior, or a simple step is to open CMD > netstat -ano;
      that should give you the list of IPs your system is communicating with.
