ExecuteMalware

2021-03-23 BazarCall PM IOCs

Mar 23rd, 2021
THREAT IDENTIFICATION: BAZARCALL

SENDER EMAILS
info@imedservice.net
marcoaurelio3351@ibest.com.br
qysedohofe@itfix.vn
tobolaja@gabrieljuliano.com.br
zojenoxogi@tropicana.st

SUBJECTS
Do you want to extend your free trial KRB44272035?
Thank you for using your free trial BCS87227489. Time to move on!
Want to extend your free trial BCS19037460?
Want to extend your free trial BCS26389287?
Your free trial BCS72129127 is about to end!
Your free trial KRB51243021 is about to end!

LURE PHONE NUMBER
1 (323) 672 3498

MALDOC DOWNLOAD URLS
https://bluecartservice.com/unsubscribe.html
https://icartservice.org/unsubscribe.html
https://imedservice.org/unsubscribe.html
https://imerservice.net/unsubscribe.html
https://merservice.org/unsubscribe.html

https://bluecartservice.com/request.php
https://icartservice.org/request.php
https://imedservice.org/request.php
https://imerservice.net/request.php
https://merservice.org/request.php

bluecartservice.com
icartservice.org
imedservice.org
imerservice.net
merservice.org

MALDOC FILE HASHES
subscription_1616531528.xlsb
60080063f20e5da0fcc38ede4407e3c6

subscription_1616531520.xlsb
6ede5f75892226294dd96f001a617adb

subscription_1616531536.xlsb
8a4dd9362277f1b93c3200133ad9baf0

subscription_1616531509.xlsb
b7457a7bdd1c3b5fc36a07893301c525

subscription_1616531591.xlsb
f37d57ac3f94710fcd4f7f1246b681a2

PAYLOAD DOWNLOAD URL
First a POST to:
http://pwrpro.xyz/campo/t/t

Then downloads:
http://aras.iuc.ac/wp-content/plugins/wordpress-seo/css/dist/gerte523d.exe

PAYLOAD FILE HASH
gerte523d.exe
98aca6c94ef680b24885d1462ccc36af

ADDITIONAL/C2 TRAFFIC
https://52.90.97.160

ADDITIONAL FILES
I also found these files in \Users\public:
42237.j56
284f430f7d1a51630e63527ba04cb831

42237.xlsb
284f430f7d1a51630e63527ba04cb831

42237.h5
c041f13b892c73c76ef4fcbba60b00b5

All 3 have MZ headers.
.j56 and .xlsb have the same file hash.

SUPPORTING EVIDENCE
https://urlhaus.abuse.ch/browse.php?search=98aca6c94ef680b24885d1462ccc36af
