-
Notifications
You must be signed in to change notification settings - Fork 16
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Created 2021-08-09-BazarLoader-and-Cobalt-Strike-IOCs.txt
- Loading branch information
1 parent
f910147
commit 17fd5c1
Showing
1 changed file
with
50 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| 2021-08-09 (MONDAY) - STOLEN IMAGES EVICENCE.ZIP --> BAZARLOADER --> COBALT STRIKE | ||
|
|
||
| REFERENCE: | ||
|
|
||
| - https://twitter.com/Unit42_Intel/status/1424829355704922114 | ||
|
|
||
| CHAIN OF EVENTS: | ||
|
|
||
| - Email --> Link --> Stolen Images Evidence.zip --> Stolen Images Evidence.js --> BazarLoader DLL --> Bazar C2 traffic --> Cobalt Strike | ||
|
|
||
| ASSOCIATED MALWARE: | ||
|
|
||
| - SHA256 hash: a0b802b97f4fcdac9f0b4ae27a3623f353890fa4dd8de47aceb82d7612be95da | ||
| - File size: 7,077 bytes | ||
| - File name: Stolen Images Evidence.zip | ||
| - File description: | ||
|
|
||
| - SHA256 hash: 4dae02681b1017f1812bcb4d2a76287b1f4f3c1875ffbd17a8fc0a8b63841a00 | ||
| - File size: 20,031 bytes | ||
| - File name: Stolen Images Evidence.js | ||
| - File description: | ||
|
|
||
| - SHA256 hash: 2bd7a2153ce51e2a0e9b1f197c51ee7eab05f5bb46fbaffe53294d18be89969b | ||
| - File size: 989,194 bytes | ||
| - File location: hxxp://vagenor[.]space/333g100/main.php | ||
| - File location: C:\Users\[username]\AppData\Local\Temp\RyqXLe.dat | ||
| - File description: Malware DLL for BazarLoader (BazaLoader) | ||
| - Run method: rundll32.exe [filename],StartW | ||
|
|
||
| - SHA256 hash: 6eccc2f0b5fb42a7b59881acdef621cc086d6ab76dfd80e5a3b3542590197805 | ||
| - File size: 475,648 bytes | ||
| - File location: C:\Users\[username]\AppData\Local\Temp\E5A2.dll | ||
| - File description: Malware DLL for Cobalt Strike | ||
| - Run method: rundll32.exe [filename],Entrypoint | ||
|
|
||
|
|
||
| TRAFFIC GENERATED BY EXTRACTED .JS FOR BAZARLOADER DLL: | ||
|
|
||
| - 172.67.128[.]34 port 80 - hxxp://vagenor[.]space/333g100/index.php | ||
| - 172.67.128[.]34 port 80 - hxxp://vagenor[.]space/333g100/main.php | ||
|
|
||
| BAZAR C2 TRAFFIC: | ||
|
|
||
| - hxxps://161.35.144[.]15/issue/web | ||
| - hxxps://161.35.152[.]48/issue/web | ||
|
|
||
| COBALT STRIKE TRAFFIC: | ||
|
|
||
| - 23.82.19[.]173 port 443 - yuxicu[.]com - HTTPS traffic | ||
| - 23.106.215[.]61 port 443 - gojihu[.]com - HTTPS traffic |