Overview

overview

10

Static

static

SecuriteIn...16.exe

windows7-x64

10

SecuriteIn...16.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SecuriteInfo.com.Win32.InjectorX-gen.32696.11916.exe

  • Size

    782KB

  • Sample

    221128-kjqczaee5t

  • MD5

    a5e7d643822b4bec515727dcb5a81654

  • SHA1

    378be3dff71b0a5486758091c71149202e19e78b

  • SHA256

    dc35d3d87c8f062b000472a46ec166c5bf8f399f95c02717eab4ce542043afd7

  • SHA512

    f3f7db1e7d2d05c0ffb96f829b1cc93692dc8130175e67398a9626e475f0a6472641cc57417a7ad39df765bb5b350b408b99bb98fe9621f6c082cd3c091241af

  • SSDEEP

    12288:9mHYsrAQMj7JP2cAmYOKe2ncjOQZ0RDFHNFap4nruadYaeLw2Y:s4ZljB2tOUAOQZ0Z1Hap4nya6RxY

Score
10/10
formbookmodiloadernvp4persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

nvp4

Decoy

EiywrQNofDNveWY1IESoBA==

yqEWFGRfErX7ICQCwyQ+YeLXtaA=

Ers0rc50nbjso0jbdZTmBw==

XQxVP45+F5OZn3ZBTC7MLe1OF3G5c5uK9A==

RHh4uwtsttjzlxy+eW3+

W+xQshfnvmF5n5x2d+cEVdBNIkQRHRE=

FwlyiuXNX0+Trw==

euLn91on/7DeDe++zbQ4YeLXtaA=

td4cO8m3HDRWtl8p7Q==

ZrlyAAPqc3GXI5k=

OM0IisKOI78FJC/IuIxxAu5nRg==

d6A0QJ6PV+AOpyK+eW3+

+EgxFWUu3Ulatl8p7Q==

GC/stck1ILXn+cWZx7w8W6rPFmO6c5uK9A==

hhIiK4+CKEOfB4tr

mA1pyQ85ye8N

4xgWYcEpEoidv8eXKNncAQ==

L+hOVbe+IWyc8oVUclc=

J7EGaJ+L+wKLXUYg7w==

L5R/nfdgQdMHD+TUKw1Zo3Hb

Targets

    • Target

      SecuriteInfo.com.Win32.InjectorX-gen.32696.11916.exe

    • Size

      782KB

    • MD5

      a5e7d643822b4bec515727dcb5a81654

    • SHA1

      378be3dff71b0a5486758091c71149202e19e78b

    • SHA256

      dc35d3d87c8f062b000472a46ec166c5bf8f399f95c02717eab4ce542043afd7

    • SHA512

      f3f7db1e7d2d05c0ffb96f829b1cc93692dc8130175e67398a9626e475f0a6472641cc57417a7ad39df765bb5b350b408b99bb98fe9621f6c082cd3c091241af

    • SSDEEP

      12288:9mHYsrAQMj7JP2cAmYOKe2ncjOQZ0RDFHNFap4nruadYaeLw2Y:s4ZljB2tOUAOQZ0Z1Hap4nya6RxY

    Score
    10/10
    modiloadertrojanformbooknvp4persistenceratspywarestealer

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • ModiLoader Second Stage

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks