bazarloader | b48cccd1b5e13f4a531366737c742ebe4c0f9921da9170313f29591a824801b4 | Triage

Submit
Reports

Overview

overview

Static

static

8

subscripti...3.xlsb

windows7_x64

subscripti...3.xlsb

windows10_x64

Sharing

General

Target

subscription_1617291613.xlsb.zip
Size

207KB
Sample

210401-jr1gbbrtka
MD5

d17a864c52f823e918109a6b6a457b23
SHA1

0f4e5cd05dbaeccbf09f66cd8e6949299c4ad464
SHA256

b48cccd1b5e13f4a531366737c742ebe4c0f9921da9170313f29591a824801b4
SHA512

0c477a3ed66b10f2373459fe327c6ba260ce55cda52c21b411f40b05b4a80d4e0b292e12ab6c2480da8c7fd7503f26352831bbf286310a8ceb4ea66d4e43afa6

Score

10^/10

bazarloader nloader dropper loader macro persistence xlm

Static task

static1

Behavioral task

behavioral1

Sample

subscription_1617291613.xlsb

Resource

win7v20201028

bazarloader nloader dropper loader persistence

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

subscription_1617291613.xlsb

Resource

win10v20201028

bazarloader nloader dropper loader persistence

windows10_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

xlm4.0

Source

Targets

- Target
  
  subscription_1617291613.xlsb
- Size
  
  228KB
- MD5
  
  8a3364bafa63166394862068b05f5469
- SHA1
  
  b039cb7a479cf118d53c61e113ad74015caadd22
- SHA256
  
  3d0b681046147d8008b70bab97c41e3a21a283559874ac2ce0c518b6965312da
- SHA512
  
  27c70c7fd278222a17112c0e3deb16a84f36f080a6fd933d51c4cc73392654414991ae0ba99e9760008c40a865572380c03a3b3af9297cb1a3678c630ca18111
Score

10^/10

bazarloader nloader dropper loader persistence
- Bazar Loader
  Detected loader normally used to deploy BazarBackdoor malware.
  loader dropper bazarloader
- Nloader
  Simple loader that includes the keyword 'cambo' in the URL used to download other families.
  loader nloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Bazar/Team9 Loader payload
- Nloader Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Remote System Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

bazarloadernloaderdropperloaderpersistence

behavioral2

bazarloadernloaderdropperloaderpersistence

© 2018-2024

Terms | Privacy