THREAT IDENTIFICATION: BAZARCALL / BAZARLOADER

(All file hashes below are MD5.)

SENDERS OBSERVED
N/A

SUBJECTS OBSERVED
N/A

LURE PHONE NUMBER
UNKNOWN

MALDOC LANDING PAGE URLS
https://bomovie.net/
https://bomovie.net/FAQ
https://bomovie.net/subscribe
https://bomovie.net/account

MALDOC DOWNLOAD URLS
https://bomovie.net/cancel.php

MALDOC (XLSB) FILE HASHES
cancel_sub_M0272029458353238.xlsb
f5ce1af32099da1ca924e098b5d1c5d0

CAMPO LOADER FILE HASHES
6123.xlsb
dc1aa65f8e0c02a05e23ca4d4ce1a32e

6123.xsd (same hash as 6123.xlsb, i.e. the same file under a second name)
dc1aa65f8e0c02a05e23ca4d4ce1a32e

6123.xdo
0377cf2c20658c5e78d53a17cd4a109f

CAMPO LOADER URLS
http://out2.xyz/campo/o/u

BAZARLOADER PAYLOAD URLS
http://admin.nfooz.com/ster.exe

BAZARLOADER FILE HASH
ster.exe
5cef87c65c9a2545eb8c9151a5fa1e1d

Later renamed to:
vyue.exe
5cef87c65c9a2545eb8c9151a5fa1e1d

BAZARLOADER C2s
https://18.237.242.195/g1_262/bt_64_g1_262
https://34.215.31.225/g1_262/bt_64_g1_262
https://194.5.249.224/g1_262/bt_64_g1_262

Then later:
https://45.142.158.76/g1_262/bt_64_g1_262

INTERESTING MEMORY STRING
C:/Users/Admin/source/repos/bld1/bin/x64/Debug/ld1.exe

SUPPORTING EVIDENCE
https://urlhaus.abuse.ch/url/1201580/
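To make the list above directly usable, here is an added example (not part of the original paste) that parses this heading-then-values IOC format into URL, host, hash and filename/string indicators and runs them over a few constructed proxy and EDR log lines. It goes one step beyond exact matching: because the paste shows the same C2 URI path `/g1_262/bt_64_g1_262` reused across four rotating IPs, the matcher also flags a known C2 path on a host it has never seen. That generalization, the log line layout, and the `src=`/`md5=` field names are assumptions for the example, not something the paste states.

```python
"""Parse a BazarCall IOC paste and match it against sample log lines.
Added example; IOC_TEXT is an excerpt of the paste above (the fourth C2 IP is
deliberately left out so the path-only match below has something to catch)."""
import re
from urllib.parse import urlparse

IOC_TEXT = """\
MALDOC DOWNLOAD URLS
https://bomovie.net/cancel.php

MALDOC (XLSB) FILE HASHES
cancel_sub_M0272029458353238.xlsb
f5ce1af32099da1ca924e098b5d1c5d0

CAMPO LOADER URLS
http://out2.xyz/campo/o/u

BAZARLOADER PAYLOAD URLS
http://admin.nfooz.com/ster.exe

BAZARLOADER FILE HASH
ster.exe
5cef87c65c9a2545eb8c9151a5fa1e1d

Later renamed to:
vyue.exe
5cef87c65c9a2545eb8c9151a5fa1e1d

BAZARLOADER C2s
https://18.237.242.195/g1_262/bt_64_g1_262
https://34.215.31.225/g1_262/bt_64_g1_262
https://194.5.249.224/g1_262/bt_64_g1_262

INTERESTING MEMORY STRING
C:/Users/Admin/source/repos/bld1/bin/x64/Debug/ld1.exe
"""

URL_RE = re.compile(r"^https?://")
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
LOG_URL_RE = re.compile(r"\bhttps?://[^\s\"']+")
LOG_MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def parse_iocs(text):
    """Classify each non-blank line: URL, MD5, dotted token without whitespace
    (filename or memory string), a 'note:' continuation, or a section heading.
    Only C2 URLs contribute their URI path as a separate indicator."""
    iocs = {"urls": set(), "hosts": set(), "c2_paths": set(),
            "md5s": set(), "strings": set()}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if URL_RE.match(line):
            u = urlparse(line)
            iocs["urls"].add(line.rstrip("/"))
            iocs["hosts"].add(u.hostname)
            if "C2" in section:
                iocs["c2_paths"].add(u.path)
        elif MD5_RE.match(line):
            iocs["md5s"].add(line.lower())
        elif "." in line and not any(ch.isspace() for ch in line):
            iocs["strings"].add(line.lower())
        elif line.endswith(":"):
            continue  # "Later renamed to:" style note; keep current section
        else:
            section = line
    return iocs


def check_line(line, iocs):
    """Return [(indicator_type, value), ...] for one log line."""
    hits = []
    for url in LOG_URL_RE.findall(line):
        u = urlparse(url)
        if url.rstrip("/") in iocs["urls"]:
            hits.append(("url", url))
        elif u.hostname in iocs["hosts"]:
            hits.append(("host", u.hostname))
        elif u.path in iocs["c2_paths"]:
            # Assumption: the C2 path outlives IP rotation, so a known path on
            # an unknown host is still worth a look.
            hits.append(("c2_path_new_host", u.hostname))
    for h in LOG_MD5_RE.findall(line):
        if h.lower() in iocs["md5s"]:
            hits.append(("md5", h.lower()))
    low = line.lower()
    for s in sorted(iocs["strings"]):
        # Bounded match so "ster.exe" does not fire on "master.exe".
        if re.search(r"(?<![a-z0-9_])" + re.escape(s) + r"(?![a-z0-9_])", low):
            hits.append(("string", s))
    return hits


def scan(lines, iocs):
    """Map line index -> hits for every line that matched at least one IOC."""
    results = {}
    for i, line in enumerate(lines):
        hits = check_line(line, iocs)
        if hits:
            results[i] = hits
    return results


# Constructed sample log lines (not from the original paste).
SAMPLE_LOGS = [
    "2021-06-14T10:02:11Z proxy src=10.20.1.15 GET https://bomovie.net/cancel.php 200",
    "2021-06-14T10:03:40Z proxy src=10.20.1.15 GET http://out2.xyz/campo/o/u 200",
    "2021-06-14T10:05:02Z proxy src=10.20.1.15 POST https://45.142.158.76/g1_262/bt_64_g1_262 200",
    "2021-06-14T10:05:03Z edr host=WS15 proc=C:\\Users\\bob\\AppData\\Local\\Temp\\vyue.exe md5=5CEF87C65C9A2545EB8C9151A5FA1E1D",
    "2021-06-14T10:06:00Z proxy src=10.20.1.16 GET https://www.example.com/master.exe 200",
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS, parse_iocs(IOC_TEXT)).items():
        print(idx, hits)
```

The third sample line is the point of the exercise: its IP is not in the list the matcher was fed, yet the URI path identifies it as the same BazarLoader check-in, which is how the fourth C2 in the paste would have been caught before it was published. Treat path-only hits as leads to verify, not as confirmed infections.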