General

  • Target: Quotation.exe
  • Size: 1.0MB
  • Sample: 221031-hwmrhaacg6
  • MD5: 7fd40d18e9804f154780cbb3d2b017d8
  • SHA1: 772940d64eb308d240cd205d29c4e1c5881a96b4
  • SHA256: 89af280045471592c70e1c139db75bbe28354d08370ac05dff4ea8245f2088b5
  • SHA512: 1cbfe6168b30db197a140ccc3fdf9b2dbe5e63db246c734d3374c0e026863bec025f7a1f104f35e77058370203b76ee3ff805c697a74d04ba2343d722d9d1154
  • SSDEEP: 12288:8OHgGPilFfoqztDiGW8E2YoFhqJLNu6n0o/rUbihaIJDk:HbiAkD08rYoFALK44bisYI

Malware Config

Extracted

  • Family: formbook
  • Campaign: nhg6
  • Decoy

Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
    Scheduled Task, T1053 (1)
    Command-Line Interface, T1059 (1)

  • Persistence
    Scheduled Task, T1053 (1)

  • Privilege Escalation
    Scheduled Task, T1053 (1)

  • Defense Evasion
    Modify Registry, T1112 (1)

  • Discovery
    Query Registry, T1012 (1)
    System Information Discovery, T1082 (3)