Overview

overview

10

Static

static

3

9b49829806...eb.exe

windows7-x64

10

9b49829806...eb.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe

  • Size

    610KB

  • Sample

    250110-2y7z1a1rhv

  • MD5

    0972faadc9af1807c3e66cb01aef5c76

  • SHA1

    4e1cb9444397bf64f8c8118104e3573b63b703fd

  • SHA256

    9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb

  • SHA512

    a7000602df6358ddfaf7c67166010e0d98f80dd3957188baee624ace4eeea1ed1eda1e296ee8ceaf0e61b1bbdec3f157c89cf621e2e137941468e2eddb359e25

  • SSDEEP

    12288:BPrneXCtwpxa5ICfznTODkiRrZ3VpWCDy7Frd34:BPr4CmpxayCfznTkhVpN6rdo

Score
10/10
expirobackdoorcredential_accessdiscoveryevasionspywarestealertrojan

Malware Config

Targets

    • Target

      9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb.exe

    • Size

      610KB

    • MD5

      0972faadc9af1807c3e66cb01aef5c76

    • SHA1

      4e1cb9444397bf64f8c8118104e3573b63b703fd

    • SHA256

      9b4982980699d7af88821b57929d392d2c68b6bd3895de7672f3345e1b25baeb

    • SHA512

      a7000602df6358ddfaf7c67166010e0d98f80dd3957188baee624ace4eeea1ed1eda1e296ee8ceaf0e61b1bbdec3f157c89cf621e2e137941468e2eddb359e25

    • SSDEEP

      12288:BPrneXCtwpxa5ICfznTODkiRrZ3VpWCDy7Frd34:BPr4CmpxayCfznTkhVpN6rdo

    Score
    10/10
    expirobackdoorcredential_accessdiscoveryevasionspywarestealertrojan

    • Expiro family

      expiro

    • Expiro, m0yv

      Expiro aka m0yv is a multi-functional backdoor written in C++.

      backdoorexpiro

    • Expiro payload

      backdoor

    • Disables taskbar notifications via registry modification

      evasion

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Windows security modification

      evasiontrojan

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops Chrome extension

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks