subscription_1617291613.xlsb.zip

General

  Target:  subscription_1617291613.xlsb.zip
  Size:    207KB
  Sample:  210401-jr1gbbrtka
  Score:   10/10
  MD5:     d17a864c52f823e918109a6b6a457b23
  SHA1:    0f4e5cd05dbaeccbf09f66cd8e6949299c4ad464
  SHA256:  b48cccd1b5e13f4a531366737c742ebe4c0f9921da9170313f29591a824801b4
  SHA512:  0c477a3ed66b10f2373459fe327c6ba260ce55cda52c21b411f40b05b4a80d4e0b292e12ab6c2480da8c7fd7503f26352831bbf286310a8ceb4ea66d4e43afa6

Malware Config

  Extracted
  Language: xlm4.0

Targets

  Target:    subscription_1617291613.xlsb
  Filesize:  228KB
  Score:     10/10
  MD5:       8a3364bafa63166394862068b05f5469
  SHA1:      b039cb7a479cf118d53c61e113ad74015caadd22
  SHA256:    3d0b681046147d8008b70bab97c41e3a21a283559874ac2ce0c518b6965312da
  SHA512:    27c70c7fd278222a17112c0e3deb16a84f36f080a6fd933d51c4cc73392654414991ae0ba99e9760008c40a865572380c03a3b3af9297cb1a3678c630ca18111

Signatures

  • Bazar Loader
    Description: Detected loader normally used to deploy BazarBackdoor malware.

  • Nloader
    Description: Simple loader that includes the keyword 'cambo' in the URL used to download other families.

  • Process spawned unexpected child process
    Description: This typically indicates the parent process was compromised via an exploit or macro.

  • Bazar/Team9 Loader payload

  • Nloader Payload

  • Blocklisted process makes network request

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

MITRE ATT&CK Matrix

  Only the tactic column headers survived extraction: Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation.