2021-07-30 BazarLoader IOCs

1. THREAT ATTRIBUTION: BAZARLOADER
2.  
3. SUBJECTS OBSERVED
4. Contact Submission
5.  
6. SENDERS OBSERVED
7. Christina <[email protected]>
8. [email protected]
9.  
10. EMAIL BODY
11. name: Donna
12. email: [email protected]
13. message: Hello! My name is Donna. Your website or a website that your
14. organization hosts is infringing on a copyright protected images owned
15. by me personally. Check out this official document with the hyperlinks
16. to my images you used at www.<redacted>.com and my previous publications
17. to obtain the evidence of my copyrights. Download it now and check
18. this out for yourself:
19. https://firebasestorage.googleapis.com/v0/b/files-d6e6c.appspot.com/o/download-3dk3nvbv4ju3n.html?alt=media&token=0471b204-69d8-4a6c-914a-31a622163a92&l=157298857286671654
20. I believe that you intentionally violated my rights under 17 U.S.C.
21. Section 101 et seq. and could possibly be liable for statutory damages
22. of up to $120,000 as set-forth in Sec. 504 (c) (2) of the Digital
23. millennium copyright act (DMCA) therein. This letter is official
24. notice. I demand the removal of the infringing materials described
25. above. Please take note as a service provider, the DMCA demands you,
26. to remove and/or terminate access to the infringing materials upon
27. receipt of this letter. In case you don't cease the use of the
28. previously mentioned infringing content a legal action will likely be
29. initiated against you. I do have a strong belief that use of the
30. copyrighted materials mentioned above as presumably infringing is not
31. permitted by the copyright owner, its agent, or the legislation. I
32. declare, under penalty of perjury, that the information in this
33. message is correct and that I am the copyright proprietor or am
34. authorized to act on behalf of the owner of an exclusive and legal
35. right that is presumably violated. Regards, Donna Arnold 07/30/2021
36.  
37. MALDOC DOWNLOAD URLS
38. https://firebasestorage.googleapis.com/v0/b/files-d6e6c.appspot.com/o/download-3dk3nvbv4ju3n.html?alt=media&token=0471b204-69d8-4a6c-914a-31a622163a92&l=157298857286671654
39.  
40. MALDOC FILE NAMES
41. Stolen Images Evidence.zip
42. 2200c6bfbc4489effc47106b99f070f5
43.  
44. MALDOC FILE HASHES
45. Stolen Images Evidence.js
46. 989573ea161dfc6b6a9246c4811a0207
47.  
48. BAZARLOADER PAYLOAD DOWNLOAD URLS
49. http://moigoran.space/222g100/index.php
50. http://moigoran.space/222g100/main.php
51.  
52. BAZARLOADER PAYLOAD FILE HASHES
53. (They're both .dll files)
54. JGkFDlBp.dat
55. cef50486fe3ecb76d2f85c711fa58d62
56.  
57. Another run, it was this:
58. ScCfJb.dat
59. fb4b64bc12dd252a80eb28706bd33596
60.  
61. BAZARLOADER C2
62. https://18.237.101.6/insect/bee
63. https://18.144.168.38/insect/bee
64.  
65. PDB PATH FOUND IN MEMORY
66. (from lsass.exe process)
67. D:\projects\source\repos\7\bd7 v2\Bin\x64\Release_nologs\bd7_x64_release_nologs.pdb
68.  
69.