ExecuteMalware

2021-06-15 BazarCall IOCs

Jun 15th, 2021
THREAT ATTRIBUTION: BAZARCALL / BAZARLOADER

SENDERS OBSERVED
Joerg.brauch@web.de
mallory.86money@yahoo.com
MaryjaneViel1984@mail.com
RosamondGalapon@usa.com
sophiajwn@mail.com

SUBJECTS OBSERVED
FWD: Automated premium subscription update notice VC7############## 🤗
Your free trial version ends soon, VC7############## . Your premium plan will immediately renew itself.
Your free trial version will expire soon, VC7############## . Your membership will immediately re-new itself.
Your trial offer will expire really soon, VC7############## . Your premium plan will instantly renew itself.
Your trial offer will expire soon, VC7############## . Your premium will immediately renew itself.

LURE PHONE NUMBER
+1 213 401 2706

MALDOC LANDING PAGE URLS
https://zonerphotos.com/

MALDOC DOWNLOAD URLS
https://zonerphotos.com/cancel.php

MALDOC (XLSB) FILE HASHES
cancel_sub_VC7##############.xlsb
94e15e803bee24cb13ed11498d3abb9d

BAZARLOADER PAYLOAD DOWNLOAD URLS
First call is to:
http://195.123.222.109/

which does a 302 redirect to:
http://th4c910ma9puls.xyz/xe1t23ym0s.php

BAZARLOADER FILE HASHES
gz5oOdsKu.dll
a4d96695e894dd22feb7e3e3b0dd6887

BAZARLOADER C2
https://172.83.155.161/corp/sentinel