QUOTATION.exe

General

Target: QUOTATION.exe
Size: 253KB
Sample: 211021-q16deaadc7
Score: 10/10
MD5: cadf879ded4e6a753d7b172b77bce50d
SHA1: ab4f8431c170d75040d8b2984f5e7eadeeeedab9
SHA256: 18e91cbaa2d04fa969e97e947ccd011d494f68eb6375b067f0342a7765fb3119
SHA512: c685444886b555978228cd2fb47b0725b25443b8fcd19be70f804a5bf433ebc9a35291ea33edf6fcc9030fcd26a89009a3b223c39432a001842494b20bf5f5d7

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: d6pu
C2: http://www.bonitaspringshomesearch.com/d6pu/

Decoy

  • ifixcreditatl.com
  • productgeekout.com
  • electricvehicle-insurance.com
  • kuiper.business
  • cloudenglabs.com
  • gorbepari.com
  • collecthappy.com
  • amykrussell.store
  • clubhousebusinesscourse.com
  • aplussinifiklima.com
  • slewis.design
  • atticwitt.com
  • galenota.com
  • griphook.xyz
  • gsjbd1.club
  • bootystrapfitness.com
  • emflawrhks.com
  • alternativedata.investments
  • eyehealthtnpasumo3.xyz
  • naturanzaec.com
  • vinotrentino.info
  • thisevent.com
  • joaopedroeviviane.com
  • fructuosopascualehijos.net
  • nftokenartwork.com
  • gymzara.com
  • erwan-gueldy-transexual.net
  • enjoyjourneys.com
  • sanguinejewellery.com
  • xxxafricain.com
  • besrbee.com
  • kefirusa.com
  • dualdrivesystem.com
  • brixbol.com
  • cor-pt.com
  • myrhannover.com
  • entospt.com
  • slabiesplin.quest
  • rebuildablecarsonline.com
  • gangom.com
  • msulthony.tech
  • thesmithyvan.com
  • dharma33.com
  • rjm226.com
  • yourbestproduct.com
  • hyderabadmotorclub.com
  • karlitomarx.com
  • sunflowerediting.com
  • seangreenphotography.com
  • vikramsparmar.com

Targets

Signatures

  • Formbook

    Description

    Formbook is a data-stealing malware family.

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

  • Xloader Payload

  • Executes dropped EXE

  • Deletes itself

  • Loads dropped DLL

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry

  • Suspicious use of SetThreadContext
