2021-03-22 BazarCall IOCs

1. THREAT IDENTIFICATION: BAZARCALL
2.  
3. SENDER EMAILS
4. [email protected]
5. [email protected]
6. [email protected]
7. [email protected]
8. [email protected]
9. [email protected]
10. [email protected]
11. [email protected]
12.  
13. SUBJECTS
14. Do you want to extend your free trial KRB08074994?
15. Do you want to extend your free trial KRB24818025?
16. Do you want to extend your free trial KRB64474739?
17. Do you want to extend your free trial KRB83674096?
18. Thank you for using your free trial KRB89216886. Time to move on!
19. Thank you for using your free trial KRB98710862. Time to move on!
20. Thank you for using your free trial KRM45320547. Time to move on!
21. Want to extend your free trial KRB36649250?
22. Your free period KRB01627059 is going to end!
23. Your free period KRB03186869 is about to end!
24. Your free period KRB25140129 is about to end!
25. Your free period KRB59003336 is about to end!
26. Your free period KRB81670783 is going to end!
27. Your free trial BCS28880200 is about to end!
28. Your free trial BCS70780324 is about to end!
29. Your free trial BCS89771312 is about to end!
30. Your free trial BCS94578201 has come to end!
31. Your free trial BCS99265033 is about to end!
32. Your free trial KRB18052806 is going to end!
33. Your free trial KRB19134463 is about to end!
34. Your free trial KRB21207644 has come to end!
35. Your free trial KRB36157462 is going to end!
36. Your free trial KRB40032391 is going to end!
37. Your free trial KRB44977300 has come to end!
38. Your free trial KRB65078860 is about to end!
39. Your free trial KRB69294315 is about to end!
40. Your free trial KRB70065583 is going to end!
41. Your free trial KRB84282348 has come to end!
42. Your free trial KRB89289856 is about to end!
43. Your free trial period BCS18065350 is almost over!
44. Your free trial period BCS24846953 is almost over!
45. Your free trial period KRB03305129 is almost over!
46. Your free trial period KRB34158636 is almost over!
47. Your free trial period KRB79974962 is almost over!
48. Your free trial period KRB98161631 is almost over!
49.  
50. LURE PHONE NUMBER
51. 1 (424) 317 4380
52.  
53. MALDOC DOWNLOAD URLS
54. https://icartservice.net/unsubscribe.html
55. https://imedservice.net/unsubscribe.html
56.  
57. https://imedservice.net/request.php
58. https://icartservice.net/request.php
59.  
60. MALDOC FILE HASHES
61. subscription_1616428922.xlsb
62. 342cc30e3d3f7e2ec2009da053ae72de
63.  
64. subscription_1616428795.xlsb
65. eabb1f2f43d47c389f9b1fc956819d82
66.  
67. subscription_1616441147.xlsb
68. 1a832d0d189a7ff0f23393d5031060c1
69.  
70. subscription_1616441102.xlsb
71. 4bc7c60bacd4c0e15743821f71d689e3
72.  
73. PAYLOAD DOWNLOAD URL
74. First a post to:
75. http://gainme.xyz/campo/t/t
76.  
77. Then a GET to:
78. hgperformance.com.mx/wp-admin/e1.exe
79. hgperformance.com.mx/wp-admin/e3.exe
80. hgperformance.com.mx/wp-admin/e4.exe
81.  
82. PAYLOAD FILE HASH
83. e1.exe
84. a488537f1d95f3cbd78790059dd13bcf
85.  
86. e3.exe
87. acef650d85a7f1e7a9420b74f583d25b
88.  
89. e4.exe
90. 0f319e34515d4cc3c82401bc2a407175
91.  
92. Renamed to:
93. lkag.exe
94. a488537f1d95f3cbd78790059dd13bcf
95.  
96. ADDITIONAL TRAFFIC
97. https://35.168.81.240
98.  
99. ADDITIONAL FILES
100. I also found these files in c:\users\public:
101. 12.xlsb
102. 8d93bea298e32d2d6a2a0783c3662916
103.  
104. 12.d6
105. 8d93bea298e32d2d6a2a0783c3662916
106.  
107. 12.0
108. 1e3f69adf38ca5342b36d4c6ed566c50
109.  
110. All 3 have MZ headers
111. .d6 and .xlsb have the same file hash