2021-04-01 BazarCall IOCs

1. THREAT IDENTIFICATION: BAZARCALL
2.  
3. SENDER EMAILS
4. [email protected]
5. [email protected]
6. [email protected]
7. [email protected]
8.  
9. SUBJECTS
10. Do you want to extend your free trial ############?
11. Free period for ############ is almost over.
12. Your free period ############ is about to end!
13. Your free period ############ is almost over!
14. Your free period ############ is about to end!
15. Your free period ############ is almost over!
16. Your free trial ############ is about to end!
17. Your free trial period ############ is almost over!
18.  
19. LURE PHONE NUMBER
20. 1 (901) 584 0490
21. 1 (213) 401 9021
22.  
23. MALDOC LANDING PAGE DOMAINS
24. buyimers.us
25. geticart.us
26. getmers.us
27. gobcs.us
28. goimed.us
29.  
30. MALDOC DOWNLOAD URLS
31. https://getmerss.xyz/unsubscribe.html
32. https://goibcs.xyz/unsubscribe.html
33. https://getlcart.xyz/unsubscribe.html
34. https://igomed.xyz/unsubscribe.html
35. https://buylmers.xyz/unsubscribe.html
36.  
37. buylmers.xyz
38. geticart.xyz
39. getmerss.xyz
40. goibcs.xyz
41. igomed.xyz
42.  
43. MALDOC (XLSB) FILE HASHES
44. 11cc65a8c350b91de6ea341eaeefa3de
45. 8255c1e595a30ae5cb4f047423043c13
46. 91edbc51a4e25ca3354a82d229828c87
47. 9cb09ce52055479aae79ba3c6a3d21fd
48. f5d9155a56cdbdf8a421e5bf106915b2
49.  
50. PAYLOAD DOWNLOAD URLS
51. http://board3.xyz/campo/d/d1
52. http://board3.xyz/uploads/files/rldr.10.4.exe
53.  
54. PAYLOAD FILE HASHES
55. rldr.10.4.exe
56. 81e6dcf2510ffc2400743e912448013f
57.  
58. renamed to:
59. MRXBA3F.exe
60. 81e6dcf2510ffc2400743e912448013f
61.  
62. ADDITIONAL TRAFFIC
63. mRXBA3F.exe calls out to:
64. https://34.212.193.150
65.  
66. ADDITIONAL FILE HASHES FROM PAYLOAD DOMAIN
67. r104.exe
68. d2749c21fa8671e75cd147380ff110e0
69.  
70. ret4.exe
71. 9b224a8a1e6e5897e47fee0eb1e21766
72.  
73. 1616183460
74. 91ee2afefdf066eae3aead061a8075ed