Overview

overview

10

Static

static

8

subscripti...6.xlsb

windows7_x64

10

subscripti...6.xlsb

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    subscription_1616715716.xlsb.zip

  • Size

    317KB

  • Sample

    210326-7p94vykgmj

  • MD5

    3fc34f57d1dd20e462807e9eda81345e

  • SHA1

    4b925a783c9d3f1d1ff957687c736638bceab87b

  • SHA256

    dcb029418fd909a3ff32dce12580d4f09a1e49367b6295032b2fc9d94c3e4de4

  • SHA512

    f7e628d7ce220b02feb5ae11558d7e1dcdddc00973d0965ce80e08145f951dfcecd179677f2410a192cf1e5709c2d0f27abf9ffe9c1527ef230fb35712f0c01b

Score
10/10
bazarloadernloaderdropperloadermacroupxxlm

Malware Config

Extracted

Language
xlm4.0
Source

Targets

    • Target

      subscription_1616715716.xlsb

    • Size

      332KB

    • MD5

      936d33258805f8e1e8007ebfceb21265

    • SHA1

      681415fd8d98c576b6c142910735dd7547e33efc

    • SHA256

      9b04a00b4d03c84705efdee3a1d6290894de48ead187eb5c7a43b46eb51e531c

    • SHA512

      b84b3f5ea939f01c3aad509d459ace81f7b8bbf2751859ea5d6e6bfa8aa1d6bb94e738af48f562e269b1a8c8fe81a056d14eb107570084cae2f93b5dd908427f

    Score
    10/10
    bazarloadernloaderdropperloaderupx

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

      loaderdropperbazarloader

    • Nloader

      Simple loader that includes the keyword 'cambo' in the URL used to download other families.

      loadernloader

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Bazar/Team9 Loader payload

    • Nloader Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Loads dropped DLL

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks