General

  • Target

    Documents_111651917_375818984.xls

  • Size

    293KB

  • Sample

    210504-516qj2mh9e

  • MD5

    72526a505496a9b7da9a6c9651dbda5e

  • SHA1

    84cf963666314eee0d8ad1ef09e5462a66e3ccbf

  • SHA256

    3c20530c13d6736ec705786d1694052b2abf42bf87d3bbc359ea95b343fcf681

  • SHA512

    ca1ac0057d9ede44a1d9ecf9f854140a39b9b626895c85f34fbf973b8ee749fa2fbd836bc882e9ca2fab7929a9aecb790d7e795ea55a32ce66d6ee1d078afe46

Malware Config

Extracted

  • Language

    xlm4.0

  • Source

    xlm40.dropper

  • URLs

    https://otusmail.com/b/vegas.dll

Targets

    • Target

      Documents_111651917_375818984.xls

    Score
    10/10
    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks