2021-05-05 BazarCall IOCs

1. THREAT IDENTIFICATION: BAZARCALL / BAZARLOADER
2.  
3. SENDERS OBSERVED
4. [email protected]
5.  
6. SUBJECTS OBSERVED
7. Trial stage is now over! Your account #M027202########## is going to be automatically moved to premium plan!
8.  
9. LURE PHONE NUMBER
10. 1 313 725 9061
11.  
12. MALDOC LANDING PAGE URLS
13. https://urbancinema.net/
14. https://urbancinema.net/FAQ
15. https://urbancinema.net/subscribe
16.  
17. MALDOC DOWNLOAD URLS
18. https://urbancinema.net/cancel.php
19.  
20. MALDOC (XLSB) FILE HASHES
21. cancel_sub_M0272029458353238.xlsb
22. d132745d903704af5360b31fadbb7025
23.  
24. Evening run:
25. cancel_sub_M0272029458353238.xlsb
26. 7ce50dd5f5f82e6c0c8d236039c57b5c
27.  
28. CAMPO LOADER DOWNLOAD URLS
29. http://noise1.xyz/campo/n/s
30. http://noise1.xyz/campo/n/o
31.  
32. CAMPO LOADER FILES
33. 6123.xlsb
34. 08553ef3887f32d0141463ccab705f03
35.  
36. 6123.xsd
37. 08553ef3887f32d0141463ccab705f03
38.  
39. 6123.xdo
40. d20868a33c24969ea9802cae5ebce0db
41.  
42. BAZARLOADER PAYLOAD FILE HASH
43. http://noise1.xyz/uploads/files/rest.exe
44.  
45. BAZARLOADER FILE HASH
46. rest.exe
47. 96764a0a62e66a147a3d4db0e59a6e34
48.  
49. renamed to:
50. 6087.exe
51.  
52. Later run, renamed to:
53. euygj.exe
54.  
55. BAZARLOADER C2s
56. https://18.237.242.195/g1_262/bt_64_g1_262
57.  
58. SUPPORTING EVIDENCE
59. https://urlhaus.abuse.ch/url/1197419/