2021-05-20 BazarCall IOCs

1. THREAT IDENTIFICATION: BAZARCALL / TRICKBOT
2.  
3. SENDERS OBSERVED
4. None
5.  
6. SUBJECTS OBSERVED
7. None
8.  
9. LURE PHONE NUMBER
10. Unknown
11.  
12. MALDOC LANDING PAGE URLS
13. https://justpayless.us/
14.  
15. MALDOC DOWNLOAD URLS
16. https://justpayless.us/cancel.php
17.  
18. MALDOC (XLSB) FILE HASHES
19. cancel_sub_JPL8295##########.xlsb
20. db3591a2399045b6bb5f44e49ac240b1
21.  
22. ADDITIONAL/CAMPO LOADER FILES
23. 5015.x2
24. e823e06ea0c70beed8761338108c1b9b
25.  
26. 5015.xlsb
27. ac93399749a63a9c3584ae48a586cde8
28.  
29. 5015.x1
30. ac93399749a63a9c3584ae48a586cde8
31.  
32. CAMPO LOADER PAYLOAD DOWNLOAD URLS
33. http://176.111.174.80/campo/u/n3
34.  
35. PAYLOAD DOWNLOAD URL
36. http://bargemaster.in/yas30vbdrfdE.dll
37.  
38. TRICKBOT FILE HASHES
39. yas30vbdrfdE.dll
40. 60a7f90fa282934e3054d0d5cb00bb98
41.  
42. Renamed and copied:
43. itjbn.dll
44. 60a7f90fa282934e3054d0d5cb00bb98
45.  
46. TRICKBOT GTAG
47. gtag: yas30
48.  
49. TRICKBOT C2s
50. https://181.176.174.139
51. https://181.176.221.151
52. https://182.16.165.38
53. https://185.138.78.73
54. https://185.242.88.63
55. https://185.242.89.198
56. https://186.32.3.108
57. https://186.46.168.46
58. https://188.137.76.235
59. https://188.254.102.79
60. https://190.255.36.100
61. https://190.96.84.250
62. https://200.170.149.209
63. https://200.58.84.94
64. https://203.80.171.162
65. https://203.80.171.189
66. https://206.192.254.100
67. https://31.129.228.122
68. https://36.71.150.118
69. https://36.91.98.231
70. https://36.95.4.29
71. https://41.189.214.11
72. https://43.225.148.118
73. https://45.182.190.142
74. https://45.234.248.146
75. https://45.7.56.172
76.  
77. SUPPORTING EVIDENCE
78. https://tria.ge/210520-qwfdf1za9s