General
Target: QUOTE.exe
Size: 705KB
Sample: 220804-lw79zsefcm
MD5: 69cce648572c35889b741d72ecfe9690
SHA1: 2a86fae70b64f4266fa653bd5742fb558e5a5d41
SHA256: 371982ab20054b57f6cd8698e9f64498c7a857b412d370febbf44d8cbe7f2285
SHA512: 3ec1973dbc4f2d55d3e567d9b38993f79ef8f8746c701445b3d9e5d4e021647eb4fec22e9775d4ecc342444b5f35f2fa7daa98a42b63a73ee27309efe4b28fde
Static task: static1
Behavioral task: behavioral1
Sample: QUOTE.exe
Resource: win7-20220715-en
Malware Config
Extracted: formbook 4.1 ee27
gasimportsfiles.com
hospitaljobsindia.com
mymortgagecantips.xyz
yourenotalone.world
livethejesuslife.com
sobernv.com
bobgruber.online
badu100.com
id98qq12.com
naturalex.co.uk
metathrillrides.com
blessingstowing.com
juddsbarandgrill.com
qrcodemania.com
haodaculture.com
obot.xyz
soupmortgagemark.xyz
top-road.com
xiaoterv.com
madrstyonline.com
lntmemories.com
codeverse.store
coleadersolutions.com
xn--2i0bs4kuxch7w.com
trumanridgekc.com
urbansummerfest.com
prelistingphotos.com
ncknights.com
demo-box.com
rifinastore.com
costamp.online
growthdigitalstudios.com
mso-4.com
rebeccast.club
mobilebusinessmoneymachine.com
hardmails.com
taylorbeckerhair.com
bradarender.com
urfahaberdar.com
evershinetransportltd.co.uk
perfecttime.club
phch.pro
fccxzb.site
myassetssecured.com
mysticmindpublishingacademy.com
energyharvesting.online
nhckom.com
tomiburkolo.com
uplandshell.com
tabularasa.net.cn
pagosahanger.com
apicemtech.com
doomscene.com
yqxinydz.com
lolmaster.host
massageindenton.uk
95hillerdr.com
paymentwize.com
tamwen.app
4any4all.com
neustabos.com
jedonnadingesforgpboe.com
dabeiw.com
thatpaintlady.com
ndcolledge-traducteur.com
Targets
Target: QUOTE.exe
Size: 705KB
MD5: 69cce648572c35889b741d72ecfe9690
SHA1: 2a86fae70b64f4266fa653bd5742fb558e5a5d41
SHA256: 371982ab20054b57f6cd8698e9f64498c7a857b412d370febbf44d8cbe7f2285
SHA512: 3ec1973dbc4f2d55d3e567d9b38993f79ef8f8746c701445b3d9e5d4e021647eb4fec22e9775d4ecc342444b5f35f2fa7daa98a42b63a73ee27309efe4b28fde
- Formbook payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext