The malware was first identified as Anchor. Anchor is a sophisticated backdoor that served as a module for a subset of TrickBot installations. Operating since August 2018, it is not delivered to every victim; on the contrary, it is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in early TrickBot, and because of similarities in code and the use of the two malware families in the same intrusions, multiple experts believe it can be attributed to the same authors. In 2020 the Bazar malware family appeared, and again many associated it with the same group behind TrickBot. Below are the latest indicators of compromise.
Credits: Research by ExecuteMalware
Indicators of Compromise
THREAT IDENTIFICATION: BAZARCALL / BAZARLOADER
SENDER EMAILS
order@bookplace [.]com
yadirasigferlu1999@yahoo [.]com
SUBJECTS
0413759791590 [.] All set to go for a premium plan?
041505627734 [.] Are you all set to prolong your premium plan?
LURE PHONE NUMBER
+1 816 307 4271
MALDOC LANDING PAGE URLS
https://ebookreading [.]us
https://ebookstoread [.]us
https://ebooktoread [.]us
https://readebook [.]us
https://readebooks [.]us
MALDOC DOWNLOAD URLS
https://ebookreading [.]us/request [.]php
https://ebookstoread [.]us/request [.]php
https://ebooktoread [.]us/request [.]php
https://readebook [.]us/request [.]php
https://readebooks [.]us/request [.]php
MALDOC (XLSB) FILE HASHES
0b0a9695edb12b43c48bb564c6ca819d
0b98070db10ad43a4175ecebc163fe48
650080b98d356865a62d29411a33c742
88a8f60bc630f5967daa6835d76fd12c
b2456eab6fd76b5c5f4b50aace21cc2b
df8af4e4742c4cda12b3e93847fb6bfa
ed50d662465daf24f8d738912dce6bdc
DROPPED CAMPOLOADER FILES
Morning attempt:
496258 [.]doh
3e7d049a6c2b5fc2433efc26fbf7247e
496258 [.]xslb
d4e23f09747b47be2f9540f4499c4085
496258 [.]dof
d4e23f09747b47be2f9540f4499c4085
Afternoon attempt:
496258 [.]xslb
f7e72deaacfad01ce83511f7a0573d42
496258 [.]dof
f7e72deaacfad01ce83511f7a0573d42
496258 [.]doh
95855134f3999425d0614e14e11ac0f8
BAZARLOADER PAYLOAD DOWNLOAD URLS
https://keep2 [.]xyz/campo/jl/jl7
https://keep2 [.]xyz/uploads/files/mraz [.]exe
BAZARLOADER PAYLOAD FILE HASH
aklhg [.]exe (renamed from mraz [.]exe)
9454f2737270b5990173d234b98895a5
ADDITIONAL TRAFFIC
I saw traffic from mraz [.]exe to:
https://52 [.]26 [.]179 [.]239
I saw traffic from cmd [.]exe to:
https://3 [.]101 [.]152 [.]145
SUPPORTING EVIDENCE
https://urlhaus [.]abuse [.]ch/browse [.]php?search=9454f2737270b5990173d234b98895a5
https://www [.]virustotal [.]com/gui/file/4dc24a8bc92ce652fe90d90cfa7e1a9b4758955c79789daae6db825cbd1950a8/detection
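The indicators above are published defanged (" [.]" in place of "."), so they cannot be dropped straight into a blocklist or a log search. The following Python is an added example, not part of the original research, showing how a defender would refang the list, group it by indicator type and sweep it over sample DNS, proxy and EDR events. The indicator values are taken from the sections above; the "type: value" input format, the refang() and scan_logs() helpers and the SAMPLE_LOGS lines are constructed for this example.

```python
import re

# Constructed excerpt of the defanged indicator list from this page.
# Indicator values are the page's own; the "type: value" line format is this example's.
DEFANGED_IOCS = """
domain: ebookreading [.]us
domain: readebooks [.]us
url: https://keep2 [.]xyz/uploads/files/mraz [.]exe
url: https://ebookreading [.]us/request [.]php
ip: 52 [.]26 [.]179 [.]239
ip: 3 [.]101 [.]152 [.]145
md5: 9454f2737270b5990173d234b98895a5
md5: 0b0a9695edb12b43c48bb564c6ca819d
"""


def refang(value: str) -> str:
    """Turn a defanged indicator back into its real form.

    Handles ' [.]' and '[.]' (with or without surrounding spaces), '[:]' and
    an 'hxxp' scheme prefix, which are the common defanging conventions.
    """
    v = value.strip()
    v = re.sub(r"\s*\[\.\]\s*", ".", v)
    v = re.sub(r"\s*\[:\]\s*", ":", v)
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v


def parse_iocs(text: str) -> dict:
    """Parse 'type: defanged-value' lines into lowercase sets keyed by type."""
    iocs = {"domain": set(), "url": set(), "ip": set(), "md5": set()}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        kind, _, raw = line.partition(":")  # split on the first colon only
        kind = kind.strip().lower()
        if kind in iocs:
            iocs[kind].add(refang(raw).lower())
    return iocs


# Constructed sample log lines (not from the page): DNS, proxy and EDR events
# from one workstation, plus one benign DNS query from another host.
SAMPLE_LOGS = [
    "2021-04-15T09:12:03Z dns client=10.0.0.23 qname=ebookreading.us type=A",
    "2021-04-15T09:12:07Z proxy client=10.0.0.23 method=GET url=https://ebookreading.us/request.php status=200",
    "2021-04-15T09:13:40Z edr host=WS-23 event=process_create image=C:\\Users\\bob\\AppData\\Local\\Temp\\aklhg.exe md5=9454F2737270B5990173D234B98895A5",
    "2021-04-15T09:14:02Z proxy client=10.0.0.23 method=CONNECT url=https://52.26.179.239:443 status=200",
    "2021-04-15T09:15:00Z dns client=10.0.0.40 qname=example.com type=A",
]


def match_line(line: str, iocs: dict) -> list:
    """Return (type, indicator) pairs found in one log line."""
    hits = []
    low = line.lower()
    for h in iocs["md5"]:
        if h in low:
            hits.append(("md5", h))
    for u in iocs["url"]:
        if u in low:
            hits.append(("url", u))
    for d in iocs["domain"]:
        # Match the domain as a whole name, not as a substring of a longer one
        # (e.g. 'readebooks.us' must not match 'notreadebooks.us').
        if re.search(r"(?<![\w.-])" + re.escape(d) + r"(?![\w-])", low):
            hits.append(("domain", d))
    for ip in iocs["ip"]:
        # Anchor on non-digit/non-dot boundaries so 52.26.179.239 does not
        # match inside 152.26.179.2390.
        if re.search(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])", low):
            hits.append(("ip", ip))
    return hits


def scan_logs(lines: list, iocs: dict) -> dict:
    """Map line index -> hits for every line that matched at least one indicator."""
    results = {}
    for i, line in enumerate(lines):
        hits = match_line(line, iocs)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    parsed = parse_iocs(DEFANGED_IOCS)
    for idx, hits in scan_logs(SAMPLE_LOGS, parsed).items():
        print(f"line {idx}: {hits}\n    {SAMPLE_LOGS[idx]}")
```

Hashes are compared case-insensitively because EDR products vary in how they print them, and domains and IPs are matched on token boundaries rather than as bare substrings, which is the usual source of false positives when IOC lists are pasted into a search tool unchanged.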