- THREAT IDENTIFICATION: BAZARCALL / BAZARLOADER
- SENDERS OBSERVED
  - N/A
- SUBJECTS OBSERVED
  - N/A
- LURE PHONE NUMBER
  - UNKNOWN
- MALDOC LANDING PAGE URLS
  - https://bomovie.net/
  - https://bomovie.net/FAQ
  - https://bomovie.net/subscribe
  - https://bomovie.net/account
- MALDOC DOWNLOAD URLS
  - https://bomovie.net/cancel.php
- MALDOC (XLSB) FILE HASHES (MD5)
  - cancel_sub_M0272029458353238.xlsb
    - f5ce1af32099da1ca924e098b5d1c5d0
- CAMPO LOADER FILE HASHES (MD5)
  - 6123.xlsb
    - dc1aa65f8e0c02a05e23ca4d4ce1a32e
  - 6123.xsd
    - dc1aa65f8e0c02a05e23ca4d4ce1a32e
  - 6123.xdo
    - 0377cf2c20658c5e78d53a17cd4a109f
- CAMPOLOADER URLS
  - http://out2.xyz/campo/o/u
- BAZARLOADER PAYLOAD URLS
  - http://admin.nfooz.com/ster.exe
- BAZARLOADER FILE HASH (MD5)
  - ster.exe
    - 5cef87c65c9a2545eb8c9151a5fa1e1d
  - Later renamed to:
    - vyue.exe
      - 5cef87c65c9a2545eb8c9151a5fa1e1d
- BAZARLOADER C2s
  - https://18.237.242.195/g1_262/bt_64_g1_262
  - https://34.215.31.225/g1_262/bt_64_g1_262
  - https://194.5.249.224/g1_262/bt_64_g1_262
  - Then later:
    - https://45.142.158.76/g1_262/bt_64_g1_262
- INTERESTING MEMORY STRING (PDB / build path)
  - C:/Users/Admin/source/repos/bld1/bin/x64/Debug/ld1.exe
- SUPPORTING EVIDENCE
  - https://urlhaus.abuse.ch/url/1201580/