Rewterz Threat Alert – BazarLoader Malware – Active IOCs

Severity

Medium

Analysis Summary

BazarLoader is a small backdoor, closely related to TrickBot, that gives attackers access to an infected Windows host. It is currently distributed through the BazarCall method; once installed, the backdoor lets the operators deliver follow-up malware, survey the environment and move to other vulnerable hosts on the network.

Researchers have reported the latest method threat actors use to spread the malware: the call-center-based BazarLoader distribution method uses emails with a trial-subscription theme that encourage potential victims to call a phone number. The victim is tricked into believing they have been subscribed to a service they never signed up for and is directed to call the number for help. The call-center operator then guides the victim into downloading a malicious Excel sheet, which installs the malware when the victim follows the "unsubscribe" steps.

Impact

  • Data Exfiltration

Indicators of Compromise

IP


MD5


SHA-256


SHA-1


URL


Remediation

  • Block all threat indicators at your respective controls.
  • Keep Windows up-to-date.
  • Watch for malicious emails and tighten the spam-filter settings in email applications.
  • Never download files from malicious websites.
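To act on the first remediation step, the indicators above have to be refanged (the `[.]` and `http[:]//` notation) and sorted by type before they can be loaded into a firewall, proxy or EDR blocklist. The following is an added example, not Rewterz's code; the sample lines it parses are constructed placeholders (RFC 5737 TEST-NET addresses and dummy hex), not this alert's IOCs.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example (not Rewterz's code): refang and classify indicators written in
# the defanged form used in advisories ("167[.]172[.]37[.]20", "http[:]//host/path").
# SAMPLE_LINES are constructed placeholders, not this alert's IOCs.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}

SAMPLE_LINES = [
    "• 198[.]51[.]100[.]7",
    "• 198[.]51[.]100[.]7",                     # advisories often repeat entries
    "• 127[.]0[.]0[.]1",                        # must never reach a blocklist
    "• http[:]//198[.]51[.]100[.]7/issue/invoke",
    "• 0123456789abcdef0123456789abcdef",       # 32 hex chars -> md5
    "• not an indicator",
]

def refang(text: str) -> str:
    """Undo common defanging: '[.]' -> '.', '[:]' -> ':', 'hxxp' -> 'http'."""
    t = text.strip().replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", t, flags=re.IGNORECASE)

def classify(indicator: str):
    """Return (ioc_type, normalised value) or None if the line is not a usable IOC."""
    value = refang(indicator)
    if len(value) in HASH_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", value):
        return HASH_LENGTHS[len(value)], value.lower()
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        # Loopback, link-local, multicast or unspecified addresses in a feed
        # are errors; blocking them would break the defender's own network.
        if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
            return None
        return "ip", str(ip)
    if value.lower().startswith(("http://", "https://")) and urlsplit(value).hostname:
        return "url", value
    return None

def build_blocklist(lines):
    """Strip bullets, classify, deduplicate and group by IOC type."""
    out = {}
    for line in lines:
        hit = classify(line.lstrip("•*- \t"))
        if hit:
            out.setdefault(hit[0], set()).add(hit[1])
    return {kind: sorted(values) for kind, values in out.items()}
```

Feeding the advisory's IP, hash and URL sections through `build_blocklist` yields one deduplicated list per type; a stricter deployment may also reject RFC 1918 ranges before pushing the result to perimeter controls.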