General

  • Target

    IyEXXDHLEU4cBtq.exe

  • Size

    721KB

  • Sample

    221118-2mqlksbd56

  • MD5

    0dd734598701e5ba50d5596a42b8d94c

  • SHA1

    d6cf2163dd892eb8c5e274856c61e9f90b03d1d9

  • SHA256

    501d6ddc2677cf909cdf85570bfbf09099004a108236bb25954758387f080b9f

  • SHA512

    d22bf5d34170f274883346349b3093d90d15a5769e9d6a1a7fb75e6230b9bce373af1f7601d40c19aa34551bbcbc08170cae464651525bdc02d418efd378c745

  • SSDEEP

    12288:yxBnM33302IgFJN0V3foFtswOSf5nHoHY8up3wxb4xZ2cbTEcjZnbCkI:YBnG30YComSxEY8gwxED2SBjZnbCkI

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    bmr1

  • Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      Count  ID
  Defense Evasion    Modify Registry                1      T1112
  Credential Access  Credentials in Files           1      T1081
  Discovery          Query Registry                 1      T1012
  Discovery          System Information Discovery   2      T1082
  Collection         Data from Local System         1      T1005
