General

  • Target

    subscription_1617291613.xlsb.zip

  • Size

    207KB

  • Sample

    210401-jr1gbbrtka

  • MD5

    d17a864c52f823e918109a6b6a457b23

  • SHA1

    0f4e5cd05dbaeccbf09f66cd8e6949299c4ad464

  • SHA256

    b48cccd1b5e13f4a531366737c742ebe4c0f9921da9170313f29591a824801b4

  • SHA512

    0c477a3ed66b10f2373459fe327c6ba260ce55cda52c21b411f40b05b4a80d4e0b292e12ab6c2480da8c7fd7503f26352831bbf286310a8ceb4ea66d4e43afa6

Malware Config

Extracted

Language xlm4.0
Source

Targets

    • Target

      subscription_1617291613.xlsb

    • Size

      228KB

    • MD5

      8a3364bafa63166394862068b05f5469

    • SHA1

      b039cb7a479cf118d53c61e113ad74015caadd22

    • SHA256

      3d0b681046147d8008b70bab97c41e3a21a283559874ac2ce0c518b6965312da

    • SHA512

      27c70c7fd278222a17112c0e3deb16a84f36f080a6fd933d51c4cc73392654414991ae0ba99e9760008c40a865572380c03a3b3af9297cb1a3678c630ca18111

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • Nloader

      Simple loader that includes the keyword 'cambo' in the URL used to download other families.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Bazar/Team9 Loader payload

    • Nloader Payload

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Matrix

Collection

    Command and Control

      Credential Access

        Defense Evasion

        Execution

          Exfiltration

            Impact

              Initial Access

                Lateral Movement

                  Privilege Escalation