General

  • Target

    ca3c5a5f9b5cbd6949f6e841036b0f19713099ad9b5af6029ae8c122dde694f2

  • Size

    1.3MB

  • Sample

    231126-m2v3aagh78

  • MD5

    20d9096e0a98b569c30573c5b91fb67c

  • SHA1

    7a002ea7e5bfae0254dc52dad3d489ef94ac3d5e

  • SHA256

    ca3c5a5f9b5cbd6949f6e841036b0f19713099ad9b5af6029ae8c122dde694f2

  • SHA512

    809c14ca7022df7e82de85c06941723f7c9aae5af7e0c49736a1961891e79839f0cb752877890321c3d22df0d16859d107055420cc8ae5686f5ab73032095569

  • SSDEEP

    24576:3kwyKDjCcwRaTSf55bodSAUef2bwOIua5CGTzb/kUzMbZQ/PIiUVGd:3kwyKDmRaGfMdBkza/Xb/kmMxiFd

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store
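The hashes and decoy domains above are the indicators a responder can act on directly. The following is an added example (not part of the sandbox report) that turns them into an offline matcher: the hashes of the analysed sample and of the dropped Sedqwpedatktik.exe are compared against a buffer, and the decoy list is matched against DNS query logs. The dnsmasq-style log lines are constructed for the demonstration.

```python
"""
Offline matcher for the indicators in this report: the file hashes of the
analysed sample and of the dropped Sedqwpedatktik.exe, and the decoy domains
from the extracted Formbook config. Added example; the hashes and domains are
copied from the report, the DNS log lines are constructed.
"""
import hashlib
import re
from typing import Dict, List, Optional

# File hashes copied from the report (lower-case hex).
KNOWN_HASHES = {
    "sample": {
        "md5": "20d9096e0a98b569c30573c5b91fb67c",
        "sha1": "7a002ea7e5bfae0254dc52dad3d489ef94ac3d5e",
        "sha256": "ca3c5a5f9b5cbd6949f6e841036b0f19713099ad9b5af6029ae8c122dde694f2",
    },
    "Sedqwpedatktik.exe": {
        "md5": "56393d980692e825faf5ee4868323886",
        "sha1": "51dd80cfdecc2402b97e639fbb39e085bccd8a22",
        "sha256": "4458765d6aa90cd65cf3a780f1c3be852ff4ba2132a2e1ac0a99d36f70bac994",
    },
}

# Decoy domains from the extracted config (campaign kmge).
DECOY_DOMAINS = {
    "jia0752d.com", "cq0jt.sbs", "whimsicalweddingrentals.com",
    "meetsex-here.life", "hhe-crv220.com", "bedbillionaire.com",
    "soycmo.com", "mrawkward.xyz", "11ramshornroad.com",
    "motoyonaturals.com", "thischicloves.com", "gacorbet.pro",
    "ihsanid.com", "pancaketurner.com", "santanarstore.com",
    "cr3dtv.com", "negotools.com", "landfillequip.com",
    "sejasuapropriachefe.com", "diamant-verkopen.store",
}


def digest_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a buffer, keyed like the report."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def match_hashes(data: bytes) -> Optional[str]:
    """Return the report label whose SHA-256 matches the buffer, else None.
    Only SHA-256 is compared; MD5 and SHA-1 are kept for cross-referencing
    with feeds that still key on them."""
    sha256 = digest_bytes(data)["sha256"]
    for label, expected in KNOWN_HASHES.items():
        if sha256 == expected["sha256"]:
            return label
    return None


def decoy_for(qname: str) -> Optional[str]:
    """Return the decoy domain that qname equals or is a subdomain of.
    Matching is on whole labels, so 'notcr3dtv.com' does not match 'cr3dtv.com'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DECOY_DOMAINS:
            return candidate
    return None


# dnsmasq-style query lines: "query[A] <name> from <client>".
DNS_QUERY_RE = re.compile(r"query\[(?:A|AAAA)\]\s+(\S+)\s+from\s+(\S+)")


def match_dns_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan query log lines and return one record per decoy-domain hit."""
    hits = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if not m:
            continue
        qname, client = m.groups()
        decoy = decoy_for(qname)
        if decoy:
            hits.append({"client": client, "qname": qname, "decoy": decoy})
    return hits


# Constructed log excerpt for demonstration (not from the report).
SAMPLE_DNS_LOG = [
    "Nov 26 10:01:02 dnsmasq[1234]: query[A] whimsicalweddingrentals.com from 10.0.0.5",
    "Nov 26 10:01:02 dnsmasq[1234]: query[A] update.example.com from 10.0.0.5",
    "Nov 26 10:01:03 dnsmasq[1234]: query[A] www.cr3dtv.com from 10.0.0.5",
    "Nov 26 10:01:04 dnsmasq[1234]: query[A] notcr3dtv.com from 10.0.0.7",
]

if __name__ == "__main__":
    for hit in match_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['client']} resolved {hit['qname']} (decoy {hit['decoy']})")
    print("hash match:", match_hashes(b"placeholder bytes"))
```

Treat a DNS hit as a lead, not a verdict: Formbook's decoy list is mostly unrelated, legitimate domains that the implant contacts alongside its real C2, so a single query from a host can be ordinary browsing. A host that resolves several of these names in a short window, combined with the Run key and SetThreadContext behaviour listed under Targets, is the pattern worth escalating. The real C2 is not part of this report, so do not expect the list above to block it.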

Targets

    • Target

      Sedqwpedatktik.exe

    • Size

      1.9MB

    • MD5

      56393d980692e825faf5ee4868323886

    • SHA1

      51dd80cfdecc2402b97e639fbb39e085bccd8a22

    • SHA256

      4458765d6aa90cd65cf3a780f1c3be852ff4ba2132a2e1ac0a99d36f70bac994

    • SHA512

      8f2cc0d0efbbca2c0f9ae96283637e901e878ea6fbd3c1ed08525cf690b31e7e53341800ebc9b89c2de1ffc15e3e76f2f5bd3bdf649bc4d3a7fa509107d3bf2a

    • SSDEEP

      49152:Jnq5X8IxTqh0eJa3DZEe9sRuCVCW4sMyqChsZt9Trz:Jq5XX8Za31CuCcwMXC+P5z

    • Formbook

      Formbook is an information stealer and form grabber: it harvests credentials and submitted form data from browsers and mail clients, logs keystrokes and clipboard contents, takes screenshots, and can fetch and run further payloads from its C2.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Formbook payload

    • ModiLoader Second Stage

    • Reads user/profile data of web browsers

      Infostealers target data the browser has persisted to disk: saved logins, cookies and session tokens, autofill entries and browsing history. Stolen session cookies keep working after a password change until the sessions themselves are revoked.

    • Adds Run key to start application

      A value under HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Run re-launches the binary at every logon (T1547.001 in the matrix below).

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is a hallmark of process hollowing and thread hijacking, the usual way a loader starts its payload inside an otherwise legitimate process.
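The Run key signature above is the easiest of these behaviours to hunt for on other hosts. The following is an added example (not part of the report and not the sandbox's own logic) that flags Sysmon registry events writing to Run or RunOnce keys and raises the severity when the autostart target lives in a user-writable directory. The three Sysmon events are constructed to resemble this report's Sedqwpedatktik.exe; the %TEMP% path, the SID and the value name are assumptions, not values the report states.

```python
"""
Detection for the 'Adds Run key' behaviour over Sysmon EventID 13 (registry
value set) events. Added example; the events below are constructed, not
taken from the sandbox run described in the report.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE)
# Locations a user can write without elevation; binaries started from here
# by a Run key deserve a closer look than those under Program Files.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)


def parse_sysmon_event(xml_text: str) -> Dict[str, str]:
    """Flatten one Sysmon <Event> into {EventID, Image, TargetObject, ...}.
    The {*} wildcard ignores the namespace real Sysmon exports carry."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("./{*}System/{*}EventID", "")}
    for data in root.iterfind("./{*}EventData/{*}Data"):
        fields[data.get("Name", "")] = (data.text or "").strip()
    return fields


def detect_run_key_persistence(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per Run/RunOnce value written (T1547.001).
    Severity is 'high' when the autostart target is in a user-writable
    directory and 'medium' otherwise."""
    findings = []
    for xml_text in events:
        ev = parse_sysmon_event(xml_text)
        if ev.get("EventID") != "13":
            continue
        target = ev.get("TargetObject", "")
        if not RUN_KEY_RE.search(target):
            continue
        details = ev.get("Details", "")
        severity = "high" if USER_WRITABLE_RE.search(details) else "medium"
        findings.append({
            "technique": "T1547.001",
            "severity": severity,
            "image": ev.get("Image", ""),
            "target": target,
            "details": details,
        })
    return findings


# Constructed Sysmon events (paths, SID and value name are assumptions).
EVENTS = [
    # A Run value pointing at a binary in %TEMP%, written by that binary.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System><EventID>13</EventID></System>
      <EventData>
        <Data Name="EventType">SetValue</Data>
        <Data Name="Image">C:\Users\victim\AppData\Local\Temp\Sedqwpedatktik.exe</Data>
        <Data Name="TargetObject">HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Sedqwpedatktik</Data>
        <Data Name="Details">C:\Users\victim\AppData\Local\Temp\Sedqwpedatktik.exe</Data>
      </EventData></Event>""",
    # An installer registering a Program Files binary: noted, lower severity.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System><EventID>13</EventID></System>
      <EventData>
        <Data Name="EventType">SetValue</Data>
        <Data Name="Image">C:\Windows\System32\msiexec.exe</Data>
        <Data Name="TargetObject">HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater</Data>
        <Data Name="Details">C:\Program Files\Vendor\Updater.exe</Data>
      </EventData></Event>""",
    # A registry write outside the Run keys: ignored.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System><EventID>13</EventID></System>
      <EventData>
        <Data Name="EventType">SetValue</Data>
        <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
        <Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\Dhcp\Start</Data>
        <Data Name="Details">DWORD (0x00000002)</Data>
      </EventData></Event>""",
]

if __name__ == "__main__":
    for f in detect_run_key_persistence(EVENTS):
        print(f"[{f['severity']}] {f['technique']} {f['image']} -> {f['target']}")
```

Pair this with the report's matrix: the same event also satisfies T1112 (Modify Registry), and a Run value whose Details path matches the Image path of the writing process is the classic self-persisting dropper pattern.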

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the count of signatures in this report mapped to it.

Persistence

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1

  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 2

Credential Access

  • Unsecured Credentials (T1552): 1

  • Credentials In Files (T1552.001): 1

Collection

  • Data from Local System (T1005): 1

Tasks