ExecuteMalware

2021-03-24 BazarCall IOCs

Mar 24th, 2021 (edited)
THREAT IDENTIFICATION: BAZARCALL

SENDER EMAILS

SUBJECTS
Do you want to extend your free trial KJR82250995?
Thank you for using your free trial BCS49108273. Time to move on!
Want to extend your free trial BCS87227489?
Want to extend your free trial BCS94578201?
Your free trial BCS74922261 has come to end!
Your free trial KJR05696670 is going to end!
Your free trial KJR20362849 is going to end!
Your free trial KJR38012845 is going to end!
Your free trial KJR90622295 is going to end!
Your free trial RMN70575496 has come to end!

LURE PHONE NUMBERS
1 (213) 261-0445
1 (661) 501-2041

MALDOC DOWNLOAD URLS

MALDOC FILE HASHES

PAYLOAD DOWNLOAD URL
First a post to:
http://gopigs.xyz/campo/u/u

Then downloads:
http://nommac.com/malta-app/Malta/node_modules/postcss-merge-rules/dist/retrsd25.exe

PAYLOAD FILE HASH
retrsd25.exe
78388676e1ebde4576357c3727a51787

ADDITIONAL FILES
I also found these files in \Users\public:

42237.j56
0ddece3ffa94e0acffddf867f001a644

42237.xlsb
0ddece3ffa94e0acffddf867f001a644

42237.h5
1462605ccb643532a25098e7fbe323cb

And then later:
42237.j56
c056b7d3999d5110ff1d3bb9c29655b8

42237.xlsb
c056b7d3999d5110ff1d3bb9c29655b8

42237.h5
e80bb5df25aeff934df851df566e3775

All have MZ headers
.j56 and .xlsb have the same file hash