Sbz

Malware updated 23 days ago (2024-11-29T13:57:24.867Z)
Download STIX
Preview STIX
SBZ is a potent malware, also known as a filestealer, that has been identified by cybersecurity researchers. It is characterized by its ability to upload any recent file matching a hardcoded set of extensions (.doc, .docx, .pdf, .rar, etc.) to the Command and Control (C2) server. Its discovery was facilitated by signatures associated with the Equation malware family, and it shares coding style and practices with this notorious group. The SBZ malware's SHA-256 hash is 80721e6b2d6168cf17b41d2f1ab0f1e6e3bf4db585754109f3b7ff9931ae9e5b, further aiding in its identification and tracking. The malware's coding style and practices bear a striking resemblance to those seen in STRAITBIZARRE (SBZ), an espionage platform suspected to be linked to a U.S.-based adversarial collective. However, despite the similarities, it has been clarified that the two are completely unrelated. The data format, naming convention, and URL scheme used by the C2 server (/h/pa) are also very similar to the SBZ filestealer, adding to the complexity and sophistication of the malware. In addition to the SBZ filestealer, malicious tools observed in related attacks include Tomiris downloader, download scheduler, .NET downloader and implant, Telemiris backdoor, Roopy stealer, JLORAT backdoor, JLOGRAB stealer, RATel open source RAT, Python Meterpreter loader, and Warzone commercial RAT. These findings underscore the extensive capabilities and potential threat posed by the SBZ malware and its associated cyberespionage activities.
Description last updated: 2024-10-15T09:18:32.759Z
What's your take? (Question 1 of 0)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Tomiris is a possible alias for Sbz. Tomiris is a malware group that has been active since at least 2019, known for using the backdoor QUIETCANARY. The group has also used Turla malware, indicating a possible cooperation or shared expertise between Tomiris and Turla. A significant development was observed in September 2022 when a Tunnu
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the Sbz Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more