- THREAT IDENTIFICATION: BAZARCALL
- SENDER EMAILS
  - info@imedservice.net
  - marcoaurelio3351@ibest.com.br
  - qysedohofe@itfix.vn
  - tobolaja@gabrieljuliano.com.br
  - zojenoxogi@tropicana.st
- SUBJECTS
  - Do you want to extend your free trial KRB44272035?
  - Thank you for using your free trial BCS87227489. Time to move on!
  - Want to extend your free trial BCS19037460?
  - Want to extend your free trial BCS26389287?
  - Your free trial BCS72129127 is about to end!
  - Your free trial KRB51243021 is about to end!
- LURE PHONE NUMBER
  - 1 (323) 672 3498
- MALDOC DOWNLOAD URLS
- MALDOC FILE HASHES
- PAYLOAD DOWNLOAD URL
  - First a POST to:
    - http://pwrpro.xyz/campo/t/t
  - Then it downloads:
    - http://aras.iuc.ac/wp-content/plugins/wordpress-seo/css/dist/gerte523d.exe
- PAYLOAD FILE HASH
  - gerte523d.exe
    - 98aca6c94ef680b24885d1462ccc36af
- ADDITIONAL/C2 TRAFFIC
  - https://52.90.97.160
- ADDITIONAL FILES
  - I also found these files in \Users\public:
    - 42237.j56
      - 284f430f7d1a51630e63527ba04cb831
    - 42237.xlsb
      - 284f430f7d1a51630e63527ba04cb831
    - 42237.h5
      - c041f13b892c73c76ef4fcbba60b00b5
  - All 3 have MZ headers
  - .j56 and .xlsb have the same file hash
- SUPPORTING EVIDENCE
  - https://urlhaus.abuse.ch/browse.php?search=98aca6c94ef680b24885d1462ccc36af