Threat Intelligence – Bazarcall Malware Latest IOCs

0

The malware identified first as Anchor. The anchor is a sophisticated backdoor that served as a module to a subset of TrickBot installations. Operating since August 2018 it is not delivered to everybody, but the contrary is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in the early TrickBot, multiple experts believe it could be attributed to the same authors. Due to similarities in code and usage of the two different malware families in the same intrusions. In 2020 the Bazar malware family entered and again many associated it with the same group behind Trickbot. Below are the latest indicators of compromise.

Credits : Research by ExecuteMalware

Indicators of Compromise

THREAT IDENTIFICATION: BAZARCALL

THREAT IDENTIFICATION: BAZARCALL / BAZARLOADER

SENDER EMAILS
order@bookplace [.]com
yadirasigferlu1999@yahoo [.]com

SUBJECTS
0413759791590 [.] All set to go for a premium plan?
041505627734 [.] Are you all set to prolong your premium plan?

LURE PHONE NUMBER
+1 816 307 4271

MALDOC LANDING PAGE URLS
https://ebookreading [.]us
https://ebookstoread [.]us
https://ebooktoread [.]us
https://readebook [.]us
https://readebooks [.]us

MALDOC DOWNLOAD URLS
https://ebookreading [.]us/request [.]php
https://ebookstoread [.]us/request [.]php
https://ebooktoread [.]us/request [.]php
https://readebook [.]us/request [.]php
https://readebooks [.]us/request [.]php

MALDOC (XLSB) FILE HASHES
0b0a9695edb12b43c48bb564c6ca819d
0b98070db10ad43a4175ecebc163fe48
650080b98d356865a62d29411a33c742
88a8f60bc630f5967daa6835d76fd12c
b2456eab6fd76b5c5f4b50aace21cc2b
df8af4e4742c4cda12b3e93847fb6bfa
ed50d662465daf24f8d738912dce6bdc

DROPPED CAMPOLOADER FILES

Morning attempt

496258 [.]doh
3e7d049a6c2b5fc2433efc26fbf7247e

496258 [.]xslb
d4e23f09747b47be2f9540f4499c4085

496258 [.]dof
d4e23f09747b47be2f9540f4499c4085

Afternoon attempt:

496258 [.]xslb
f7e72deaacfad01ce83511f7a0573d42

496258 [.]dof
f7e72deaacfad01ce83511f7a0573d42

496258 [.]doh
95855134f3999425d0614e14e11ac0f8

BAZARLOADER PAYLOAD DOWNLOAD URLS
https://keep2 [.]xyz/campo/jl/jl7
https://keep2 [.]xyz/uploads/files/mraz [.]exe

BAZARLOADER PAYLOAD FILE HASH
aklhg [.]exe (renamed from mraz [.]exe)
9454f2737270b5990173d234b98895a5

ADDITONAL TRAFFIC
I saw traffic from mraz [.]exe to:
https://52 [.]26 [.]179 [.]239

I saw traffic from cmd [.]exe to:
https://3 [.]101 [.]152 [.]145

SUPPORTING EVIDENCE
https://urlhaus [.]abuse [.]ch/browse [.]php?search=9454f2737270b5990173d234b98895a5
https://www [.]virustotal [.]com/gui/file/4dc24a8bc92ce652fe90d90cfa7e1a9b4758955c79789daae6db825cbd1950a8/detection

Previous articleThreat Intelligence – Cobalt Strike Servers April 13-April 15 Latest IOCs
Next articleThreat Intelligence – Dridex Malware Latest IOCs
BalaGanesh
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here