- THREAT IDENTIFICATION: BAZARCALL / BAZARLOADER
- SENDERS OBSERVED
  - knoxrackersxtv@mail.com
- SUBJECTS OBSERVED
  - Your free trial version ends very soon, VCP##############. Your membership will instantly renew itself.
- LURE PHONE NUMBER
  - UNKNOWN
- MALDOC LANDING PAGE URLS
  - https://vcophoto.us
- MALDOC DOWNLOAD URLS
  - https://vcophoto.us/cancel.php
- MALDOC (XLSB) FILE HASHES
  - cancel_sub_VCP##############.xlsb
  - 1e9570436a3ad07088cdc6c2293ba4f2
- BAZARLOADER PAYLOAD DOWNLOAD URLs
  - First call is to:
    - http://5.34.179.24
  - which does a 302 redirect to:
    - http://f88p8ky5brej.xyz/xe1t23ym0s.php
- BAZARLOADER FILE HASHES
  - DqYuH.dll
  - 806a2df1a437a063b7e167acca5c7b12
- BAZARLOADER C2
  - https://54.67.116.246/api/outgoing/connection
  - https://34.209.29.159/army/hangar
- SUPPORTING EVIDENCE
  - https://tria.ge/210614-ba8qveeh8e