ExecuteMalware

2021-03-29 BazarCall IOCs

Mar 29th, 2021
THREAT IDENTIFICATION: BAZARCALL

NOTES:
I did not get a payload after the initial /campo/ URL.
I saw failed DNS queries to 5 of the older web site domains.
I did receive a few .exe files by manually visiting some newly found domains.

DNS QUERIES TO:
imerservice.net
merservice.org
icartservice.org
imedservice.org
icartservice.app

All returned "Server Failure"

SENDER EMAILS
icart@icart.com
inf@icartservice.com
info@icartservice.com
it@icartservice.com
service@icartservice.com
site@icartservice.com

SUBJECTS
Do you want to extend your free period 032911349855?
Do you want to extend your free period 032971082739?
Do you want to extend your free period 032992342492?
Do you want to extend your free trial 032914360334?
Do you want to extend your free trial 032929965053?
Do you want to extend your free trial 032960551023?
Thank you for using your free period 032911349855. Time to move on!
Thank you for using your free period 032959551266. Time to move on!
Thank you for using your free trial 032928460385. Time to move on!
Thank you for using your free trial 032942918497. Time to move on!
Thank you for using your free trial 032967802762. Time to move on!
Thank you for using your free trial 032983352838. Time to move on!
Your free period 032924713704 is almost over!
Your free period 032928460385 is about to be over!
Your free period 032931754105 is going to end!
Your free period 032937843104 is about to end!
Your free period 032942918497 is going to end!
Your free period 032943423209 is going to end!
Your free period 032945874491 is going to end!
Your free period 032959316990 is about to be over!
Your free period 032971082739 is about to end!
Your free period 032992342492 is about to be over!
Your free trial 032976172338 is going to end!
Your free trial 032990118057 is going to end!
Your free trial KMR59157203 is going to end!
Your free trial period 032901433429 is almost over!
Your free trial period 032926747691 is almost over!
Your free trial period 032991478849 is almost over!
Your free trial period 032995250960 is almost over!

LURE PHONE NUMBER
Not available

MALDOC DOWNLOAD URLS
https://buyimers.us/unsubscribe.html
https://geticart.us/unsubscribe.html
https://getmers.us/unsubscribe.html
https://gobcs.us/unsubscribe.html
https://goimed.us/unsubscribe.html

buyimers.us
geticart.us
getmers.us
gobcs.us
goimed.us

MALDOC FILE HASHES

PAYLOAD DOWNLOAD URLS
http://veso2.xyz/campo/r/r1

ADDITIONAL PAYLOAD DOMAINS

ADDITIONAL PAYLOAD FILE HASHES
1617039449.exe
18a727ec5e32a9d13250578e93b3cc47

1617039629.exe
2caa8c254710493f9d82331899d0bf31

1617039451.exe
6535026f586eadf50f8f2d3dc8bab785