General

  • Target: 91993433512a2cea93baefd05a20a4c95c6202e4.doc
  • Size: 76KB
  • Sample: 211005-psjn1aaahm
  • MD5: 905c599b5c1a3aa68ea2d51958c85c35
  • SHA1: 91993433512a2cea93baefd05a20a4c95c6202e4
  • SHA256: 55855f7b32c51ff5a7ad295fdd7fcdbec3c8f0f9e1bbb518351537900d0d373f
  • SHA512: 85e6d60342276cbf1900355539260c031c639ae758eeed566a71ae19ddfee3f87c2bd4a9faa2a40bbd7ff4616bada3567d035843b904f7f5f25a778b486dc641

Targets

    • Bazar Loader

      Detected loader normally used to deploy BazarBackdoor malware.

    • BazarBackdoor

      Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Bazar/Team9 Backdoor payload

    • Bazar/Team9 Loader payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Suspicious use of SetThreadContext
