API tools faq
paste
ExecuteMalware

2021-04-16 BazarCall IOCs

ExecuteMalware
Apr 16th, 2021
17,334
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 1.80 KB | None | 0 0
raw download clone embed print report
  1. THREAT IDENTIFICATION: BAZARCALL / BAZARLOADER
  2.  
  3. SENDER EMAILS
  4. [email protected]
  5. [email protected]
  6.  
  7. SUBJECTS
  8. 0413759791590. All set to go for a premium plan?
  9. 041505627734. Are you all set to prolong your premium plan?
  10.  
  11. LURE PHONE NUMBER
  12. +1 816 307 4271
  13.  
  14. MALDOC LANDING PAGE URLS
  15. https://ebookreading.us
  16. https://ebookstoread.us
  17. https://ebooktoread.us
  18. https://readebook.us
  19. https://readebooks.us
  20.  
  21. MALDOC DOWNLOAD URLS
  22. https://ebookreading.us/request.php
  23. https://ebookstoread.us/request.php
  24. https://ebooktoread.us/request.php
  25. https://readebook.us/request.php
  26. https://readebooks.us/request.php
  27.  
  28. MALDOC (XLSB) FILE HASHES
  29. 0b0a9695edb12b43c48bb564c6ca819d
  30. 0b98070db10ad43a4175ecebc163fe48
  31. 650080b98d356865a62d29411a33c742
  32. 88a8f60bc630f5967daa6835d76fd12c
  33. b2456eab6fd76b5c5f4b50aace21cc2b
  34. df8af4e4742c4cda12b3e93847fb6bfa
  35. ed50d662465daf24f8d738912dce6bdc
  36.  
  37. DROPPED CAMPOLOADER FILES
  38. Morning attempt
  39. ---------------
  40. 496258.doh
  41. 3e7d049a6c2b5fc2433efc26fbf7247e
  42.  
  43. 496258.xslb
  44. d4e23f09747b47be2f9540f4499c4085
  45.  
  46. 496258.dof
  47. d4e23f09747b47be2f9540f4499c4085
  48.  
  49. Afternoon attempt:
  50. ------------------
  51. 496258.xslb
  52. f7e72deaacfad01ce83511f7a0573d42
  53.  
  54. 496258.dof
  55. f7e72deaacfad01ce83511f7a0573d42
  56.  
  57. 496258.doh
  58. 95855134f3999425d0614e14e11ac0f8
  59.  
  60. BAZARLOADER PAYLOAD DOWNLOAD URLS
  61. https://keep2.xyz/campo/jl/jl7
  62. https://keep2.xyz/uploads/files/mraz.exe
  63.  
  64. BAZARLOADER PAYLOAD FILE HASH
  65. aklhg.exe (renamed from mraz.exe)
  66. 9454f2737270b5990173d234b98895a5
  67.  
  68. ADDITONAL TRAFFIC
  69. I saw traffic from mraz.exe to:
  70. https://52.26.179.239
  71.  
  72. I saw traffic from cmd.exe to:
  73. https://3.101.152.145
  74.  
  75. SUPPORTING EVIDENCE
  76. https://urlhaus.abuse.ch/browse.php?search=9454f2737270b5990173d234b98895a5
  77. https://www.virustotal.com/gui/file/4dc24a8bc92ce652fe90d90cfa7e1a9b4758955c79789daae6db825cbd1950a8/detection
Advertisement
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!