2021-07-21 BazarLoader IOCs

1. THREAT IDENTIFICATION: BAZARLOADER
2.  
3. SUBJECTS OBSERVED
4. Contact Submission
5.  
6. SENDERS OBSERVED
7. [email protected]
8.  
9. EMAIL BODY
10. name: Christina
11. email: [email protected]
12. message: Hello there! My name is Christina. Your website or a website
13. that your company hosts is violating the copyright protected images
14. owned by myself. Check out this document with the hyperlinks to my
15. images you used at www.<redacted>.com and my previous publications to find
16. the evidence of my copyrights. Download it right now and check this
17. out for yourself:
18. https://firebasestorage.googleapis.com/v0/b/files-d6e6c.appspot.com/o/download-dk3kvbbqk2.html?alt=media&token=e9774a52-79aa-4b10-9863-67a63a9e1087&l=235887401976653861
19.  
20. I really believe you have intentionally violated my legal rights under
21. 17 USC Sec. 101 et seq. and could possibly be liable for statutory
22. damages as high as $150,000 as set-forth in Section 504 (c)(2) of the
23. Digital Millennium Copyright Act (DMCA) therein. This letter is
24. official notification. I demand the removal of the infringing
25. materials described above. Take note as a service provider, the Dmca
26. requires you, to remove and terminate access to the infringing content
27. upon receipt of this particular notification letter. In case you don't
28. stop the use of the previously mentioned infringing materials a
29. lawsuit can be started against you. I do have a good self-belief that
30. use of the copyrighted materials described above as presumably
31. infringing is not permitted by the legal copyright owner, its legal
32. agent, as well as law. I declare, under consequence of perjury, that
33. the information in this letter is accurate and that I am currently the
34. copyright proprietor or am authorized to act on behalf of the owner of
35. an exclusive right that is allegedly infringed. Regards, Christina
36. Morris 07/21/2021
37.  
38. MALDOC DOWNLOAD URLS
39. https://firebasestorage.googleapis.com/v0/b/files-d6e6c.appspot.com/o/download-dk3kvbbqk2.html?alt=media&token=e9774a52-79aa-4b10-9863-67a63a9e1087&l=235887401976653861
40.  
41. https://firebasestorage.googleapis.com/v0/b/files-d6e6c.appspot.com/o/download-dk3kvbbqk2.html?alt=media&token=e9774a52-79aa-4b10-9863-67a63a9e1087&data=04258728259875443
42.  
43. https://drive.google.com/uc?export=download&id=1WsuhRIiE37T19uuQkg_0z8lAarKmZyD1
44. https://drive.google.com/uc?export=download&id=18XdoojFcWJbV_sFG3jGeusXpExG0VS2C
45.  
46. MALDOC FILE NAMES
47. Stolen Images Evidence.zip
48. Stolen Images Evidence.js
49.  
50. MALDOC FILE HASHES
51. Stolen Images Evidence.zip
52. 372465bc30e35f6fd15a4b12a51ef988
53.  
54. Stolen Images Evidence.js
55. c6545c4a32834f0026b9d17ab3e9425e
56.  
57. BAZARLOADER PAYLOAD DOWNLOAD URLS
58. http://menoiras.space/222g100/index.php
59. http://menoiras.space/222g100/main.php
60.  
61. BAZARLOADER PAYLOAD FILE HASHES
62. yeWvzid.dat (it's a .dll)
63. 7441e18b28b78a1c9fb5323099ea1510
64.  
65. BAZARLOADER C2
66. https://3.223.192.20/union/low_item
67.  
68. DNS TRAFFIC (None resolved)
69. greencloud46a.bazar
70. whitestorm9p.bazar
71. yellowdownpour81.bazar
72.  
73. SUPPORTING EVIDENCE
74. https://app.any.run/tasks/44470730-363d-45a0-8ec3-291e3ee0cd93/
75.