ExecuteMalware

2021-02-03 Bazar IOCs

Feb 3rd, 2021
THREAT ATTRIBUTION: BAZAR

ANALYST NOTES
The email is designed to look like the recipient has made a purchase.
The email has an attached PDF with details of the order.
There's also a phone number that says to call them if "you want to change/drop the request".
Interestingly, there are no links anywhere - not in the email nor in the PDF.
The PDF has a URL that points to compactssd[.]net, but it's not a link - it's just part of the "company's" address.
Assuming the recipient is curious about the company, they would have to copy and paste the URL into a browser.
The web page that loads is made to look like it belongs to the fake computer storage company from the PDF invoice.
If this wasn't enough work for the curious user, it's still necessary to click on the FAQ section of the page.
From there, you need to select "What if I want to modify or cancel my order?".
Enter any 8-digit number into the field and click Submit - the user is redirected to https://compactssd[.]xyz/
Again, enter an 8-digit number into the field that reads "The form could be downloaded here".
This page indicates how one should click the "Enable Editing" button after opening the "form".
Now the user is finally rewarded with a malicious .xls file.
Once the document is opened and macros are enabled, a couple of files are downloaded and launched.
I saw several DNS queries to .bazar domains.

SUBJECTS OBSERVED
Thank you for your puchase! Order No AR706436044K.
Thank you for your puchase! Order No AR754634466K.

SENDERS OBSERVED
cesarfloriano@globo.com
pastorantoniojose@ibest.com.br

BAZAR MALDOC FILE HASHES
AR754634466K.pdf
e7ed395f6e1e4750ebe274cb4467b3cd

request_form_1612377344.xls
8e543c7ec7705f7a58ed005cf1eb9d00

BAZAR PAYLOAD DOWNLOAD
https://drmariepappas.com/dbmtyer/tigersoft.php

BAZAR PAYLOAD FILE HASHES
SNC33EF.exe
956dcc12611197db4abd99491df677df

n cjkcg.exe
cf0d5763c33d632ebd27f765300eb6d4

BAZAR C2
https://aeghikbeihin.bazar
https://aeghkkbeihkn.bazar
https://affiklbfhiko.bazar
https://bcegkmccggkp.bazar
https://bceikkccgikn.bazar
https://bcfhikcchhin.bazar
https://bcfijmcchijp.bazar
https://begiklceiiko.bazar
https://cegiikdeiiin.bazar
https://cehgkldejgko.bazar
https://cfhgjldfjgjo.bazar
https://dfegjlefggjo.bazar
https://efehilffghio.bazar
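The IOCs above are most useful as a hunting list over DNS logs: the C2 hosts all sit under the .bazar TLD, which is not delegated in the public DNS root (BazarLoader resolves it through EmerDNS), so any query ending in .bazar is worth surfacing, not only the thirteen names listed. The script below is an added example, not part of ExecuteMalware's paste: it loads the lure, payload-download and C2 domains and the four MD5 hashes from the paste, scans a constructed four-column DNS log (timestamp, client IP, query name, query type; this format is an assumption, adapt the regex to your resolver's format) and returns a hit per matching query with the reason it matched.

```python
"""Hunt DNS logs for the Bazar IOCs from the 2021-02-03 paste.

Added example; not code from the original paste. The log format below is
a constructed four-column layout (timestamp client qname qtype).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Domains taken from the paste, with scheme and defanging brackets removed.
BAZAR_C2 = {
    "aeghikbeihin.bazar", "aeghkkbeihkn.bazar", "affiklbfhiko.bazar",
    "bcegkmccggkp.bazar", "bceikkccgikn.bazar", "bcfhikcchhin.bazar",
    "bcfijmcchijp.bazar", "begiklceiiko.bazar", "cegiikdeiiin.bazar",
    "cehgkldejgko.bazar", "cfhgjldfjgjo.bazar", "dfegjlefggjo.bazar",
    "efehilffghio.bazar",
}
PAYLOAD_HOSTS = {"drmariepappas.com"}
LURE_HOSTS = {"compactssd.net", "compactssd.xyz"}

# MD5 hashes of the maldocs and payloads listed in the paste.
BAZAR_MD5 = {
    "e7ed395f6e1e4750ebe274cb4467b3cd",  # AR754634466K.pdf
    "8e543c7ec7705f7a58ed005cf1eb9d00",  # request_form_1612377344.xls
    "956dcc12611197db4abd99491df677df",  # SNC33EF.exe
    "cf0d5763c33d632ebd27f765300eb6d4",  # n cjkcg.exe
}

# Assumed log layout: "<timestamp> <client-ip> <qname> <qtype>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


@dataclass
class Hit:
    line_no: int
    timestamp: str
    client: str
    qname: str
    reason: str


def normalize(qname: str) -> str:
    """Lower-case, strip the trailing root dot, and undo [.] defanging."""
    return qname.lower().replace("[.]", ".").rstrip(".")


def classify(qname: str) -> Optional[str]:
    """Return why a query name is interesting, or None if it is not."""
    q = normalize(qname)
    if q in BAZAR_C2:
        return "known Bazar C2 domain"
    # Any other .bazar name: the TLD is not in the public root (EmerDNS),
    # so a resolver seeing it at all is a strong signal of BazarLoader.
    if q.endswith(".bazar"):
        return "query for the .bazar EmerDNS TLD (not a public TLD)"
    if q in PAYLOAD_HOSTS:
        return "Bazar payload download host"
    if q in LURE_HOSTS:
        return "phishing lure domain from the PDF invoice chain"
    return None


def scan_dns_log(lines: List[str]) -> List[Hit]:
    """Parse log lines and return one Hit per query that matches an IOC.

    Lines that do not fit the assumed layout are skipped rather than
    raising, so a single malformed record does not abort a hunt.
    """
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reason = classify(m["qname"])
        if reason:
            hits.append(Hit(n, m["ts"], m["client"], normalize(m["qname"]), reason))
    return hits


def is_known_bazar_hash(md5_hex: str) -> bool:
    """True if the MD5 (any case) is one of the paste's maldoc/payload hashes."""
    return md5_hex.strip().lower() in BAZAR_MD5


# Constructed sample log: one benign host, the lure, the payload host, a
# listed C2 name with a trailing root dot, an unlisted .bazar name, a
# benign MX lookup and one malformed line.
SAMPLE_LOG = """\
2021-02-03T14:02:11Z 10.1.2.55 www.example.com A
2021-02-03T14:02:14Z 10.1.2.55 compactssd.xyz A
2021-02-03T14:05:40Z 10.1.2.55 drmariepappas.com A
2021-02-03T14:06:02Z 10.1.2.55 aeghikbeihin.bazar. A
2021-02-03T14:06:03Z 10.1.2.55 zzzzzzzzzzzz.bazar A
2021-02-03T14:06:05Z 10.1.2.77 mail.example.org MX
this line is garbage
"""

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"line {h.line_no}: {h.client} -> {h.qname}: {h.reason}")
```

Because the classifier keys on the TLD as well as the exact C2 list, it also catches the later-generated .bazar names that a static blocklist would miss; the ordering of hits in the returned list follows the log, so the lure, payload download and C2 contact from one client line up as the infection chain the notes describe.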