API tools faq
paste
ExecuteMalware

2021-06-14 BazarCall IOCs

ExecuteMalware
Jun 14th, 2021
16,703
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 0.81 KB | None | 0 0
raw download clone embed print report
  1. THREAT IDENTIFICATION: BAZARCALL / BAZARLOADER
  2.  
  3. SENDERS OBSERVED
  4. [email protected]
  5.  
  6. SUBJECTS OBSERVED
  7. Your free trial version ends very soon, VCP##############. Your membership will instantly renew itself.
  8.  
  9. LURE PHONE NUMBER
  10. UNKNOWN
  11.  
  12. MALDOC LANDING PAGE URLS
  13. https://vcophoto.us
  14.  
  15. MALDOC DOWNLOAD URLS
  16. https://vcophoto.us/cancel.php
  17.  
  18. MALDOC (XLSB) FILE HASHES
  19. cancel_sub_VCP##############.xlsb
  20. 1e9570436a3ad07088cdc6c2293ba4f2
  21.  
  22. BAZARLOADER PAYLOAD DOWNLOAD URLs
  23. First call is to:
  24. http://5.34.179.24
  25.  
  26. which does a 302 redirect to:
  27. http://f88p8ky5brej.xyz/xe1t23ym0s.php
  28.  
  29. BAZARLOADER FILE HASHES
  30. DqYuH.dll
  31. 806a2df1a437a063b7e167acca5c7b12
  32.  
  33. BAZARLOADER C2
  34. https://54.67.116.246/api/outgoing/connection
  35. https://34.209.29.159/army/hangar
  36.  
  37. SUPPORTING EVIDENCE
  38. https://tria.ge/210614-ba8qveeh8e
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!