General

Target: Quotation.exe
Size: 720KB
Sample: 210106-1ljeynlype
MD5: a71b92a0262b4067b2da39ad1f39bef5
SHA1: 5fab5dc05795e35879eeab69f9c8172e4963431c
SHA256: 1787f73acf804bff30fe863e077fb5bc9799b3cb39065534198f894757907e79
SHA512: 8ca4c96e2942b8da52e5644fee5bd9c90beaa91d2cb52aeab83955dbc98d71269d280c530908ef4811b5c06833720ece2d8b3666f030b66b8e40b1e769eab7a3

Static task: static1

Behavioral task: behavioral1
Sample: Quotation.exe
Resource: win7v20201028

Behavioral task: behavioral2
Sample: Quotation.exe
Resource: win10v20201028

Malware Config

Extracted family: remcos
C2 (host:port): whatgodcannotdodoestnotexist.duckdns.org:2889
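The extracted C2 value is the one indicator from this report that a network team can act on directly. The script below is an added example, not part of the sandbox report and not Remcos tooling: it parses the host:port value, flags dynamic-DNS hosting (duckdns.org here), and emits Suricata rules for the name or address. Assumptions that the page does not state: several C2 entries may be joined by '|', the dynamic-DNS suffix list is a hand-picked partial list, and the SID range is arbitrary.

```python
"""Turn the extracted Remcos C2 value into checkable indicators and rules.

Added example for this report; not sandbox tooling or anything from Remcos.
Assumptions not stated on the page: multiple C2 entries may be joined by '|',
the dynamic-DNS suffix list is a hand-picked partial list, and the Suricata
SID range is arbitrary.
"""
import ipaddress
import re

# The value the sandbox extracted, quoted from the report above.
EXTRACTED_C2 = "whatgodcannotdodoestnotexist.duckdns.org:2889"

# Dynamic-DNS providers commonly abused for C2 hosting (assumption: partial list).
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")

# host:port, with optional [...] around an IPv6 literal.
_HOSTPORT = re.compile(r"^\[?([^\[\]]+?)\]?:(\d{1,5})$")


def _is_dynamic_dns(host):
    return any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def parse_c2(config_value):
    """Return [{'host','port','is_ip','dynamic_dns'}] for each parseable entry.

    Entries that do not look like host:port, or carry an out-of-range port,
    are skipped rather than guessed at.
    """
    indicators = []
    for entry in config_value.split("|"):
        m = _HOSTPORT.match(entry.strip())
        if not m:
            continue
        host, port = m.group(1).lower(), int(m.group(2))
        if not 0 < port < 65536:
            continue
        try:
            ipaddress.ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False
        indicators.append({
            "host": host,
            "port": port,
            "is_ip": is_ip,
            "dynamic_dns": not is_ip and _is_dynamic_dns(host),
        })
    return indicators


def suricata_rules(indicators, sid_base=9000001):
    """One rule per indicator: a DNS-query rule for names, a TCP rule for IPs."""
    rules = []
    for offset, ind in enumerate(indicators):
        sid = sid_base + offset
        if ind["is_ip"]:
            rules.append(
                f'alert tcp $HOME_NET any -> {ind["host"]} {ind["port"]} '
                f'(msg:"Remcos C2 connection to {ind["host"]}"; flow:to_server; '
                f'sid:{sid}; rev:1;)')
        else:
            rules.append(
                f'alert dns any any -> any any (msg:"Remcos C2 DNS lookup {ind["host"]}"; '
                f'dns.query; content:"{ind["host"]}"; nocase; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    for ind in parse_c2(EXTRACTED_C2):
        print(ind)
    print("\n".join(suricata_rules(parse_c2(EXTRACTED_C2))))
```

A DNS rule is preferred over an IP rule for the name because dynamic-DNS records are re-pointed cheaply; the resolved address at analysis time is not a durable indicator, the lookup of the name is.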

Targets

Target: Quotation.exe
Size: 720KB
Hashes: as listed under General (MD5, SHA1, SHA256, SHA512)
Score: 10/10

Signatures:
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
- Adds Run key to start application
- Suspicious use of SetThreadContext
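Two of the signatures above, "Modifies WinLogon for persistence" and "Adds Run key to start application", are confirmed on a host by reading the Userinit and Shell values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and the Run/RunOnce keys. The script below is an added example, not the sandbox's detection logic: it parses the text of a Regedit .reg export and flags deviations. The expected stock Winlogon values, the list of user-writable directory markers and the sample export are all constructed assumptions for the example, not data from the report.

```python
"""Check a Regedit .reg export for Winlogon and Run-key persistence.

Added example for this report; not the sandbox's detection code. On disk a
.reg export is UTF-16LE with a header line; read it with
open(path, encoding="utf-16") and pass the text to parse_reg().
The expected Winlogon values and the user-writable directory markers are
assumptions of this check, not facts taken from the report.
"""
import re

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.I)

# Stock values on a clean Windows install (assumption; confirm on a known-good host).
EXPECTED_WINLOGON = {
    "userinit": r"c:\windows\system32\userinit.exe,",
    "shell": "explorer.exe",
}
# Directories a standard user can write to; autostarts from here warrant a look (assumption).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed export mimicking what the report describes: Userinit hijacked and a Run entry added.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Users\\victim\\AppData\\Roaming\\remcos\\remcos.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Remcos"="\"C:\\Users\\victim\\AppData\\Roaming\\remcos\\remcos.exe\""
'''

# "name"=data or @=data; the data part is inspected separately.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: string_data}} from .reg export text.

    Only REG_SZ values (quoted strings) are decoded; hex(...) data is skipped
    because the persistence values of interest are strings.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(2) else m.group(1)
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # Undo .reg escaping: \\ becomes \ and \" becomes "
            keys[current][name] = re.sub(r'\\(["\\])', r'\1', data[1:-1])
    return keys


def find_persistence(keys):
    """Return [(technique, key, value_name, data)] for values that look like persistence."""
    findings = []
    for key, values in keys.items():
        if key.lower() == WINLOGON_KEY.lower():
            for vname, data in values.items():
                expected = EXPECTED_WINLOGON.get(vname.lower())
                if expected is not None and data.strip().lower() != expected:
                    findings.append(("winlogon", key, vname, data))
        elif RUN_KEY_RE.search(key):
            for vname, data in values.items():
                if any(marker in data.lower() for marker in USER_WRITABLE):
                    findings.append(("run_key", key, vname, data))
    return findings


if __name__ == "__main__":
    for technique, key, vname, data in find_persistence(parse_reg(SAMPLE_EXPORT)):
        print(f"[{technique}] {key} :: {vname} = {data}")
```

The Winlogon check compares against a fixed expected value rather than looking for a known-bad string, so any appended path (the usual hijack is "userinit.exe,<payload>") is caught; the Run-key check deliberately ignores entries under Program Files and Windows to keep noise down, which means a payload dropped into a writable subfolder there would be missed.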
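"Suspicious use of SetThreadContext" on its own is weak evidence, since debuggers and some runtimes call it legitimately. It becomes a strong signal when it sits inside the process-hollowing chain: CreateProcess with CREATE_SUSPENDED, memory written into the suspended child, SetThreadContext on the child's main thread, then ResumeThread. The script below is an added example, not the sandbox's signature. The trace format is an assumption (one call per line, "pid api key=value ...", with process and thread handles already resolved to ids), and the trace itself is constructed.

```python
"""Find the SetThreadContext injection chain in an API-call trace.

Added example for this report, not the sandbox's signature. Trace format is
an assumption: one call per line, "pid api key=value ...", with process and
thread handles already resolved to ids. The trace below is constructed.
"""
import re

CREATE_SUSPENDED = 0x00000004

CREATE_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
SETCTX_APIS = {"SetThreadContext", "NtSetContextThread"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}

# Constructed trace: pid 1234 hollows a suspended child (pid 5678, thread 5679);
# pid 4321 is an unrelated SetThreadContext that must not alert.
SAMPLE_TRACE = r"""
1234 CreateProcessW lpApplicationName="C:\Windows\System32\svchost.exe" dwCreationFlags=0x4 dwProcessId=5678 dwThreadId=5679
1234 NtUnmapViewOfSection hProcessId=5678
1234 VirtualAllocEx hProcessId=5678 dwSize=0x2c000 flProtect=0x40
1234 WriteProcessMemory hProcessId=5678 nSize=0x2c000
1234 SetThreadContext hThreadId=5679
1234 ResumeThread hThreadId=5679
4321 SetThreadContext hThreadId=4322
"""

_CALL_RE = re.compile(r"^(\d+)\s+(\w+)\s*(.*)$")
_ARG_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_trace(text):
    """Return a list of (pid, api, args) tuples; arg values stay as strings."""
    calls = []
    for line in text.splitlines():
        m = _CALL_RE.match(line.strip())
        if not m:
            continue
        args = {k: v.strip('"') for k, v in _ARG_RE.findall(m.group(3))}
        calls.append((int(m.group(1)), m.group(2), args))
    return calls


def _num(value):
    """Parse '0x4' or '4'; a missing value counts as 0."""
    return int(value, 0) if value else 0


def detect_hollowing(calls):
    """Return one finding per suspended child that the same caller wrote to,
    set the thread context of, and then resumed."""
    pending = {}   # child pid -> state, for children created CREATE_SUSPENDED
    findings = []
    for pid, api, args in calls:
        if api in CREATE_APIS and _num(args.get("dwCreationFlags")) & CREATE_SUSPENDED:
            pending[_num(args.get("dwProcessId"))] = {
                "caller": pid,
                "thread": _num(args.get("dwThreadId")),
                "image": args.get("lpApplicationName", ""),
                "seen": set(),
            }
        elif api in WRITE_APIS:
            state = pending.get(_num(args.get("hProcessId")))
            if state and state["caller"] == pid:
                state["seen"].add("write")
        elif api in SETCTX_APIS or api in RESUME_APIS:
            thread = _num(args.get("hThreadId"))
            for child, state in list(pending.items()):
                if state["caller"] != pid or state["thread"] != thread:
                    continue
                if api in SETCTX_APIS:
                    state["seen"].add("setctx")
                    continue
                # ResumeThread closes the window: report only if the chain is complete.
                if state["seen"] >= {"write", "setctx"}:
                    findings.append({"caller": pid, "child": child, "image": state["image"]})
                del pending[child]
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(parse_trace(SAMPLE_TRACE)):
        print(f"pid {f['caller']} hollowed pid {f['child']} ({f['image']})")
```

Requiring all three steps (write, context swap, resume) against one suspended child is what keeps the lone SetThreadContext from pid 4321 quiet; a real sandbox would additionally record the new entry point from the CONTEXT structure, which this trace format does not carry.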