General

  • Target: Quote.exe
  • Size: 225KB
  • Sample: 221207-ltsfrahg31
  • MD5: 321f3295b04cccbbcff5a78a19a92c02
  • SHA1: 18a59fbe2535105067608b8755aee0c2ec1e495a
  • SHA256: 8c011e911b1f66852a1e9b335db2779d320749730155cf63bd2956fd338d6244
  • SHA512: 1776e0abd19fa36adee495d6b6a39d233e847d717ce9ac6e3fd40398a80ee693380fc1ae2daefc938f6a36b413ca522f8250f241384ec3680815ec79afb6a8eb
  • SSDEEP: 6144:QBn1Mv+a0+CnUDn3zBaySG9PY2B25IuoXqFv:g/a0hUDn1au9A2BiIk

Malware Config

Extracted

  • Family: formbook
  • Campaign: 0pnv
  • Decoy


Targets

    • Target: Quote.exe

    • Formbook
      Formbook is a data-stealing malware family.
    • Blocklisted process makes network request
    • Executes dropped EXE
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Loads dropped DLL
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             | Technique                    | ID    | Count
  Defense Evasion    | Modify Registry              | T1112 | 1
  Credential Access  | Credentials in Files         | T1081 | 1
  Discovery          | Query Registry               | T1012 | 1
  Discovery          | System Information Discovery | T1082 | 2
  Collection         | Data from Local System       | T1005 | 1

Tasks