2021-03-25 BazarCall xlsb IOCs

1. THREAT IDENTIFICATION: BAZARCALL - .xlsb Edition
2.  
3. SENDER EMAILS
4. [email protected]
5. [email protected]
6. [email protected]
7. [email protected]
8. [email protected]
9. [email protected]
10.  
11. SUBJECTS
12. Do you want to extend your free trial KMR00418116?
13. Do you want to extend your free trial KMR13605781?
14. Do you want to extend your free trial KMR28241534?
15. Do you want to extend your free trial KMR38657965?
16. Do you want to extend your free trial KMR47187437?
17. Do you want to extend your free trial KMR59049185?
18. Do you want to extend your free trial KMR87914354?
19. Thank you for using your free trial KMR28819573. Time to move on!
20. Thank you for using your free trial KMR45337745. Time to move on!
21. Thank you for using your free trial KMR46267140. Time to move on!
22. Thank you for using your free trial KMR59828873. Time to move on!
23. Thank you for using your free trial KMR59971971. Time to move on!
24. Your free period KMR03984752 is going to end!
25. Your free period KMR08015658 is going to end!
26. Your free period KMR24280432 is going to end!
27. Your free period KMR56295629 is going to end!
28. Your free period KMR59244107 is going to end!
29. Your free period KMR83928445 is going to end!
30. Your free trial BCS18065350 has come to end!
31. Your free trial KJR21262654 is going to end!
32. Your free trial KMR08379642 is about to end!
33. Your free trial KMR32300989 is going to end!
34. Your free trial KMR54513846 is going to end!
35. Your free trial KMR69190965 is going to end!
36. Your free trial period BCS10146263 is almost over!
37. Your free trial period BCS72395253 is almost over!
38. Your free trial period KMR18215288 is almost over!
39. Your free trial period KMR69309458 is almost over!
40. Your free trial period KMR79233861 is almost over!
41.  
42. LURE PHONE NUMBER
43. 1 (209) 554 3767
44.  
45. MALDOC DOWNLOAD URLS
46. https://bluecartservice.com/unsubscribe.html
47. https://icartservice.org/unsubscribe.html
48. https://imedservice.org/unsubscribe.html
49. https://imerservice.net/unsubscribe.html
50. https://merservice.org/unsubscribe.html
51. https://edurock.org/page-help-&-support-details.html
52.  
53. https://bluecartservice.com/request.php
54. https://icartservice.org/request.php
55. https://imedservice.org/request.php
56. https://imerservice.net/request.php
57. https://merservice.org/request.php
58.  
59. bluecartservice.com
60. edurock.org
61. icartservice.org
62. imedservice.org
63. imerservice.net
64. merservice.org
65.  
66. MALDOC FILE HASHES
67. subscription_1616701470.xlsb
68. 6deb0347177942b01645fb3eaffcaaa3
69.  
70. subscription_1616701458.xlsb
71. 98438a323332d7f284414705bfbd6c1d
72.  
73. subscription_1616701481.xlsb
74. e99d785bb13f00307dba75071da7bddb
75.  
76. PAYLOAD DOWNLOAD URLS
77. http://whynt.xyz/campo/w/w
78. POSTs ping
79.  
80. then downloads from:
81. http://whynt.xyz/uploads/files/dl8x64.exe
82.  
83. PAYLOAD FILE HASH
84. dl8x64.exe
85. b5cb5ac79b76d8db06f631e4ab461074
86.  
87. ADDITIONAL/C2 TRAFFIC
88. https://3.89.160.167
89.  
90. ADDITIONAL FILES
91. Additional files
92. 1616183460
93. 91ee2afefdf066eae3aead061a8075ed
94.  
95. Found in \Users\Public
96. 12394.xps
97. 256bd88292afefc1a17a96970ff6bbfe
98.  
99. 12394.xlsb
100. 256bd88292afefc1a17a96970ff6bbfe
101.  
102. 12394.fl5
103. 5e61a7988375efe18897ff264b7c81b8
104.  
105. STRINGS RUNNING IN MEMORY
106. C:\project\kerbwe 8\Bin\x64\ReleaseDLL\degx64.pdb
107. /studio/cut_the_crup
108.  
109. More references to "Amadey"