2021-11-24 (WEDNESDAY) - "GIGI" CAMPAIGN PUSHES BAZARLOADER, LEADS TO ICEDID

ASSOCIATED FILES:

• 2021-11-24-IOCS-for-Gigi-BazarLoader-and-IcedID.txt.zip   2.1 kB   (2,069 bytes)
• 2021-11-24-Gigi-BazarLoader-with-IcedID.pcap.zip   10.2 MB   (10,178,589 bytes)
• 2021-11-24-Gigi-BazarLoader-and-IcedID-malware-and-artifacts.zip   2.7 MB   (2,743,689 bytes)

NOTES:

• All zip archives on this site are password-protected.  If you don't know the password, see the "about" page of this website.

 

IMAGES

Shown above:  Screenshot from an email from this campaign.

 

Shown above:  Link in the email led to a OneDrive URL hosting malware.

 

Shown above:  Use password from the email to access and open the VBS file.

 

Shown above:  The VBS file eventually dropped BazarLoader DLL with .mpeg file extension.

 

Shown above:  Process Hacker showed "gigi" as entrypoint for BazarLoader DLL.

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

Click here to return to the main page.