Resubmissions

03-06-2021 10:37

210603-tks7epc9ka 10

01-06-2021 16:54

210601-fpxsgwd8p2 10

General

  • Target

    document-37-1849.xls.ZIP

  • Size

    176KB

  • Sample

    210601-fpxsgwd8p2

  • MD5

    872f30683bd1528b251149fd61f3e2ba

  • SHA1

    68cfd5dcfe38fdc2e9eb353169c1d5acb09ce994

  • SHA256

    59de5c70ad1a5134fda141c933380bf1e55eb52e041ff37cf5394f8b9dcb5767

  • SHA512

    5665468bde8a378c7d84f44a20bfb97c812e59b038274f89d1449fb7c4231045fd902f6588984ffe1531fe0b4866fcba00e0a365d9bbcf3cf0e240fa563cc768

Score
10/10

Malware Config

Extracted

Language
xlm4.0
Source
URLs
xlm40.dropper

https://austinheisey.com/xls/black/index/processingSetRequestDownloadPayloader/?servername=excel

Targets

    • Target

      document-37-1849.xls

    • Size

      187KB

    • MD5

      c41a21a821bcdea1d3ab26ebef055eed

    • SHA1

      912c8c1792dd33bac263df4b71242078d74741e9

    • SHA256

      d1d0ac76e59b9e2a8ae3a433e0186d74fc61417c89fe5ee4b93c02faa1dc58f8

    • SHA512

      ed665e9a7d3e950318628ad4ea112da063e4f156ea7d2d58fbeaa31cc2486c7d2debb779da72723d8f55bdec6b9a4b87f9d148c50b0a368c4bc5b59ac646a42a

    Score
    10/10
    • DoubleBack

      DoubleBack is a modular backdoor first seen in December 2020.

    • DoubleBack x64 Payload

    • DoubleBack x86 Payload

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

MITRE ATT&CK Enterprise v6

Tasks