2021-08-09-BazarLoader-and-Cobalt-Strike-IOCs.txt
2021-08-09 (MONDAY) - STOLEN IMAGES EVIDENCE.ZIP --> BAZARLOADER --> COBALT STRIKE
REFERENCE:
- https://twitter.com/Unit42_Intel/status/1424829355704922114
CHAIN OF EVENTS:
- Email --> Link --> Stolen Images Evidence.zip --> Stolen Images Evidence.js --> BazarLoader DLL --> Bazar C2 traffic --> Cobalt Strike
ASSOCIATED MALWARE:
- SHA256 hash: a0b802b97f4fcdac9f0b4ae27a3623f353890fa4dd8de47aceb82d7612be95da
- File size: 7,077 bytes
- File name: Stolen Images Evidence.zip
- File description:
- SHA256 hash: 4dae02681b1017f1812bcb4d2a76287b1f4f3c1875ffbd17a8fc0a8b63841a00
- File size: 20,031 bytes
- File name: Stolen Images Evidence.js
- File description:
- SHA256 hash: 2bd7a2153ce51e2a0e9b1f197c51ee7eab05f5bb46fbaffe53294d18be89969b
- File size: 989,194 bytes
- File location: hxxp://vagenor[.]space/333g100/main.php
- File location: C:\Users\[username]\AppData\Local\Temp\RyqXLe.dat
- File description: Malware DLL for BazarLoader (BazaLoader)
- Run method: rundll32.exe [filename],StartW
- SHA256 hash: 6eccc2f0b5fb42a7b59881acdef621cc086d6ab76dfd80e5a3b3542590197805
- File size: 475,648 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\E5A2.dll
- File description: Malware DLL for Cobalt Strike
- Run method: rundll32.exe [filename],Entrypoint
TRAFFIC GENERATED BY EXTRACTED .JS FOR BAZARLOADER DLL:
- 172.67.128[.]34 port 80 - hxxp://vagenor[.]space/333g100/index.php
- 172.67.128[.]34 port 80 - hxxp://vagenor[.]space/333g100/main.php
BAZAR C2 TRAFFIC:
- hxxps://161.35.144[.]15/issue/web
- hxxps://161.35.152[.]48/issue/web
COBALT STRIKE TRAFFIC:
- 23.82.19[.]173 port 443 - yuxicu[.]com - HTTPS traffic
- 23.106.215[.]61 port 443 - gojihu[.]com - HTTPS traffic
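ADDED EXAMPLE (not part of the original IOC list): a small Python sweep that refangs the indicators above (hxxp, [.]), pulls out the hashes, IPs, domains and URLs, and checks constructed sample log lines for them and for the rundll32 export-call launch pattern the list describes (rundll32.exe [filename],StartW / ,Entrypoint). The sample log lines, their timestamps, the 10.0.0.x / 203.0.113.x addresses and the username "alice" are constructed for the example; the indicators themselves are copied from the list.

```python
"""Sweep sample log lines for the indicators in the IOC list above.

Added example, not part of the original list: refang the defanged
indicators, extract hash / ip / domain / url sets, then report which
constructed sample log lines contain them or the rundll32 launch pattern.
"""
import re
from urllib.parse import urlparse

# Indicators copied from the IOC list above, kept in their defanged form.
IOC_TEXT = """
- SHA256 hash: a0b802b97f4fcdac9f0b4ae27a3623f353890fa4dd8de47aceb82d7612be95da
- SHA256 hash: 4dae02681b1017f1812bcb4d2a76287b1f4f3c1875ffbd17a8fc0a8b63841a00
- SHA256 hash: 2bd7a2153ce51e2a0e9b1f197c51ee7eab05f5bb46fbaffe53294d18be89969b
- SHA256 hash: 6eccc2f0b5fb42a7b59881acdef621cc086d6ab76dfd80e5a3b3542590197805
- 172.67.128[.]34 port 80 - hxxp://vagenor[.]space/333g100/index.php
- 172.67.128[.]34 port 80 - hxxp://vagenor[.]space/333g100/main.php
- hxxps://161.35.144[.]15/issue/web
- hxxps://161.35.152[.]48/issue/web
- 23.82.19[.]173 port 443 - yuxicu[.]com - HTTPS traffic
- 23.106.215[.]61 port 443 - gojihu[.]com - HTTPS traffic
"""

HASH_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
# Launch pattern from the list: rundll32.exe <file>,<export> with the two named exports.
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+\S+,(?:startw|entrypoint)\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Undo the common defanging used in IOC write-ups."""
    return text.replace("hxxp", "http").replace("[.]", ".")


def parse_iocs(text: str) -> dict:
    """Return {'hash', 'ip', 'domain', 'url'} sets extracted from the refanged text."""
    t = refang(text).lower()
    urls = set(URL_RE.findall(t))
    domains = set()
    for u in urls:
        host = urlparse(u).hostname
        if host and not IPV4_RE.fullmatch(host):   # keep real hostnames, not IP-based URLs
            domains.add(host)
    # Bare domains listed next to their IPs; strip URLs first so path parts
    # such as "main.php" are not mistaken for hostnames.
    domains |= set(DOMAIN_RE.findall(URL_RE.sub(" ", t)))
    return {
        "hash": set(HASH_RE.findall(t)),
        "ip": set(IPV4_RE.findall(t)),
        "domain": domains,
        "url": urls,
    }


def sweep(lines, iocs) -> list:
    """Return (line_number, indicator_type, indicator) for every hit in the lines."""
    hits = []
    for n, raw in enumerate(lines, 1):
        line = raw.lower()
        for kind in ("hash", "url", "domain", "ip"):
            for ioc in sorted(iocs[kind]):
                if ioc in line:
                    hits.append((n, kind, ioc))
        m = RUNDLL32_RE.search(line)
        if m:
            hits.append((n, "rundll32-export", m.group(0)))
    return hits


# Constructed sample log lines (not real telemetry); line 5 is benign noise.
SAMPLE_LOGS = [
    r"2021-08-09T14:01:50Z edr FileCreate path=C:\Users\alice\Downloads\Stolen Images Evidence.zip "
    "sha256=a0b802b97f4fcdac9f0b4ae27a3623f353890fa4dd8de47aceb82d7612be95da",
    "2021-08-09T14:02:11Z proxy src=10.0.0.25 dst=172.67.128.34:80 url=http://vagenor.space/333g100/main.php",
    "2021-08-09T14:05:43Z dns query=yuxicu.com answer=23.82.19.173",
    r'2021-08-09T14:06:02Z sysmon ProcessCreate Image=C:\Windows\System32\rundll32.exe '
    r'CommandLine="rundll32.exe C:\Users\alice\AppData\Local\Temp\RyqXLe.dat,StartW"',
    "2021-08-09T14:07:00Z proxy src=10.0.0.26 dst=203.0.113.5:443 url=https://www.example.com/",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS, parse_iocs(IOC_TEXT)):
        print(hit)
```

Substring matching on lowercased lines is deliberately simple: it is enough to show the refang-then-match flow, but a production sweep would tokenise hostnames so that an indicator like "gojihu.com" does not also fire on a longer unrelated domain that merely ends with it.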