General
-
Target
rquotationorda.exe
-
Size
700KB
-
Sample
230324-qext5sge51
-
MD5
6c38701adffd93212d6029444b59ccd6
-
SHA1
6cd4d0ee67d3c2dc4d3c27952fe03d21af301f5f
-
SHA256
a5976236ba0b3e31a6dd09af3abe7d0121a4053bb22669869a874d1ba97bd495
-
SHA512
f8a2363f8438bdaf27eb5cf8d69f43b1823886a0600f06f57778e86b1080d4821206d869260d2ebfbfb2fd38c9c61988fe773ecd5e5f05e6ee827dc5dbe4ee63
-
SSDEEP
12288:VOu8a0GY4jbPeeoVo8AL91kW9CUUCoStDH21X:JjbPJoV2L91CewB
Static task
static1
Behavioral task
behavioral1
Sample
rquotationorda.exe
Resource
win7-20230220-en
Malware Config
Extracted
formbook
4.1
n13e
cowiemarketing.com
uniqueliquidz.co.uk
755259.com
7bw95.com
luxbarstools.co.uk
baccaratda.com
berkayakpinar.xyz
gistus.africa
hjd387.com
leave-fly.com
golfclubdaddy.com
engineeringea.buzz
countryrevisited.com
decoracioneskalite.com
imaginationlirbary.com
moneytransfer.africa
brainwaveproject.com
3039sjbqf2022.com
184hotels.com
aromamiaro.com
bigching.com
armkette.com
energytechnicalsystems.com
bodw2022.com
keptpasha.online
fossillandstone.com
guioueui.link
cleanupbycmw.com
inyeculinary.com
papercrochet.net
jaderoadfarm.com
bril-leadinginvention.com
dtgwarehouse.com
successrn.net
660web.com
lovedhug.com
juicecomedy.co.uk
enigmaxk.com
romunro.net
cassiekayreads.com
ibuycomputers.com
blossomblushbelltents.co.uk
hjce06.com
applyingdreams.com
h2ghb3.site
glown.africa
533671.com
charlottechoicelimos.com
bossinfra.com
anrovlp.xyz
1wqzsb.top
ertfsdf.xyz
exotico-store.com
betterportions.com
corfix.app
888sq.club
takeselfies.net
getyourtitleback.com
clickadega.com
midwestflowsproductions.net
duraveritaswines.com
dublintwist.com
apollobenfitservices.com
kp-aodeli.com
davidmchughroofing.co.uk
Targets
-
-
Target
rquotationorda.exe
-
Size
700KB
-
MD5
6c38701adffd93212d6029444b59ccd6
-
SHA1
6cd4d0ee67d3c2dc4d3c27952fe03d21af301f5f
-
SHA256
a5976236ba0b3e31a6dd09af3abe7d0121a4053bb22669869a874d1ba97bd495
-
SHA512
f8a2363f8438bdaf27eb5cf8d69f43b1823886a0600f06f57778e86b1080d4821206d869260d2ebfbfb2fd38c9c61988fe773ecd5e5f05e6ee827dc5dbe4ee63
-
SSDEEP
12288:VOu8a0GY4jbPeeoVo8AL91kW9CUUCoStDH21X:JjbPJoV2L91CewB
-
Formbook payload
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-