Threat Intelligence – Bazarcall Malware Latest IOCs

0

The malware identified first as Anchor. The anchor is a sophisticated backdoor that served as a module to a subset of TrickBot installations. Operating since August 2018 it is not delivered to everybody, but the contrary is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in the early TrickBot, multiple experts believe it could be attributed to the same authors. Due to similarities in code and usage of the two different malware families in the same intrusions. In 2020 the Bazar malware family entered and again many associated it with the same group behind Trickbot. Below are the latest indicators of compromise.

Credits : Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION: BAZARCALL

SENDER EMAILS
info@imedservice [.]net
marcoaurelio3351@ibest [.]com [.]br
qysedohofe@itfix [.]vn
tobolaja@gabrieljuliano [.]com [.]br
zojenoxogi@tropicana [.]st

SUBJECTS
Do you want to extend your free trial KRB44272035?
Thank you for using your free trial BCS87227489 [.] Time to move on!
Want to extend your free trial BCS19037460?
Want to extend your free trial BCS26389287?
Your free trial BCS72129127 is about to end!
Your free trial KRB51243021 is about to end!

LURE PHONE NUMBER
1 (323) 672 3498

MALDOC DOWNLOAD URLS
https://bluecartservice [.]com/unsubscribe [.]html
https://icartservice [.]org/unsubscribe [.]html
https://imedservice [.]org/unsubscribe [.]html
https://imerservice [.]net/unsubscribe [.]html
https://merservice [.]org/unsubscribe [.]html

https://bluecartservice [.]com/request [.]php
https://icartservice [.]org/request [.]php
https://imedservice [.]org/request [.]php
https://imerservice [.]net/request [.]php
https://merservice [.]org/request [.]php

bluecartservice [.]com
icartservice [.]org
imedservice [.]org
imerservice [.]net
merservice [.]org

MALDOC FILE HASHES
subscription_1616531528 [.]xlsb
60080063f20e5da0fcc38ede4407e3c6

subscription_1616531520 [.]xlsb
6ede5f75892226294dd96f001a617adb

subscription_1616531536 [.]xlsb
8a4dd9362277f1b93c3200133ad9baf0

subscription_1616531509 [.]xlsb
b7457a7bdd1c3b5fc36a07893301c525

subscription_1616531591 [.]xlsb
f37d57ac3f94710fcd4f7f1246b681a2

PAYLOAD DOWNLOAD URL
First a post to:
http://pwrpro [.]xyz/campo/t/t

Then downloads:
http://aras [.]iuc [.]ac/wp-content/plugins/wordpress-seo/css/dist/gerte523d [.]exe

PAYLOAD FILE HASH
gerte523d [.]exe
98aca6c94ef680b24885d1462ccc36af

ADDITIONAL/C2 TRAFFIC
https://52 [.]90 [.]97 [.]160

ADDITIONAL FILES
I also found these files in \Users\public:
42237 [.]j56
284f430f7d1a51630e63527ba04cb831

42237 [.]xlsb
284f430f7d1a51630e63527ba04cb831

42237 [.]h5
c041f13b892c73c76ef4fcbba60b00b5

All 3 have MZ headers
[.]j56 and [.]xlsb have the same file hash

SUPPORTING EVIDENCE
https://urlhaus [.]abuse [.]ch/browse [.]php?search=98aca6c94ef680b24885d1462ccc36af

Previous articleThreat Intelligence – IcedID Malware Latest IOCs
Next articleThreat Intelligence – Remcos Trojan Latest IOCs
BalaGanesh
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here