2021-06-18 BazarCall IOCs

THREAT ATTRIBUTION:  BAZARCALL / BAZARLOADER

SENDERS OBSERVED
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

SUBJECTS OBSERVED
Your demo expires really soon, VC###############. Your premium will instantly re-new itself.
Your demo stage is almost over. Your account # VC###############. All set to continue?
Your demo stage is almost over. Your account no VC###############. All set to move ahead?
Your free trial expires really soon, VC###############. Your premium plan will immediately re-new itself.
Your free trial expires really soon, VC###############. Your premium will instantly renew itself.
Your free trial expires soon, VC###############. Your premium plan will instantly re-new itself.
Your free trial version ends soon, VC###############. Your premium plan will instantly renew itself.
Your free trial version ends soon, VC###############. Your premium will immediately re-new itself.
Your free trial version expires really soon, VC###############. Your premium will instantly re-new itself.
Your free trial version will expire really soon, VC###############. Your premium will immediately re-new itself.
Your free trial version will expire really soon, VC###############. Your premium plan will immediately renew itself.
Your free trial version will expire very soon, VC###############. Your membership will immediately renew itself.
Your premium demo is almost ended. Your account no. VC###############. Ready to move forward?
Your premium trial is almost ended. Your user account # VC###############. Ready to continue?
Your premium trial is nearly over. Your account number VC###############. Ready to continue?
Your trial offer expires very soon, VC###############. Your premium plan will instantly renew itself.
Your trial offer will expire soon, VC###############. Your premium plan will immediately re-new itself.
Your trial period is almost ended. Your user account id VC###############. All set to move forward?
Your trial period is nearly ended. Your member's account no. VC###############. Ready to move forward?
Your trial period is nearly ended. Your user account # VC###############. Ready to continue?
Your trial period is nearly over. Your membership no VC###############. All set to move ahead?

EMAIL BODY
Dear valuable <First> <Last>,

The information below will provide you with details about your premium:

Purchase id: VC###############
Subscriber full name: <First> <Last>
ZonerPhoto Premium plan/once a month: $59.99*

When the trial period runs out, you will be instantly transferred to the premium subscription.

The billing information you have indicated at initial registration is going to be used for your membership prolongation. You literally do not need to do anything at all to become our premium user.

Still have queries or perhaps you would like to change your premium? Simply call us at +1 213 401 2706

ZonerPhoto is getting over TEN thousand users from every part of the world every single day. We provide our customers with the latest photoshop technologies. Croping and editing images has never been that simple!

We really hope you will appreciate our photoshop services!

ZonerPhoto

LURE PHONE NUMBER
+1 213 401 2706

MALDOC LANDING PAGE URLS
https://vcophotos.us

MALDOC DOWNLOAD URLS
https://vcophotos.us/cancel.php

MALDOC (XLSB) FILE HASHES
cancel_sub_VC###############.xlsb
63fafcb09025a7a2e797a34934d1c3a3

BAZARLOADER PAYLOAD DOWNLOAD URLs
First call is to:
http://195.123.247.68/

which does a 302 redirect to:
http://j107dnv1y4vffm.xyz/config.php

BAZARLOADER FILE HASHES
SoDm7jQ.dll
7eae124f434ab35881285de9374775de

BAZARLOADER C2
https://13.56.226.25/food/breakfast