2021-05-18 BazarCall IOCs

1. THREAT IDENTIFICATION: BAZARCALL
2.  
3. SENDERS OBSERVED
4. no-reply@justpayless.com
5.  
6. SUBJECTS OBSERVED
7. JPL82128213###### Your trial offer will expire in 48 hours. The Premium is going to be instantly extended.
8. JPL82158040###### The free trial expires in 24 hours. The Premium subscription will be automatically prolonged.
9. JPL82180618###### The demo ends in 48 hours. The Premium subscription will be instantly extended.
10.  
11. LURE PHONE NUMBER
12. +1 720 738 4572
13.  
14. MALDOC LANDING PAGE URLS
15. https://justpayless.net/
16.  
17. MALDOC DOWNLOAD URLS
18. https://justpayless.net/cancel.php
19.  
20. MALDOC (XLSB) FILE HASHES
21. cancel_sub_JPL82158040######.xlsb
22. a3b451dfbd67d0f701982b5f53906869
23.  
24. ADDITIONAL/CAMPO LOADER FILES
25. 4802545.xs2
26. cfb94c893280fd1edd40a4c74031727a
27.  
28. 4802545.xlsb
29. e3c91eeeec07ed08ff35991cd1f8926d
30.  
31. 4802545.xs1
32. e3c91eeeec07ed08ff35991cd1f8926d
33.  
34. CAMPO LOADER PAYLOAD DOWNLOAD URLS
35. http://saw1.xyz/campo/s/w
36.  
37. BAZARLOADER PAYLOAD URL
38. http://thesmartmoneyinstitute.com/wpp.exe
39.  
40. BAZARLOADER FILE HASHES
41. wpp.exe
42. 055c79de6e3f255beade0b35a0a2cd17
43.  
44. Renamed and copied to:
45. \users\all\ywgbs
46.  
47. ywgbs.exe
48. 055c79de6e3f255beade0b35a0a2cd17
49.  
50. BAZAR LOADER C2
51. 54.193.66.166
52.