Overview

overview

10

Static

static

3

Quotationv.exe

windows7-x64

10

Quotationv.exe

windows10-2004-x64

10

Resubmissions

14-09-2023 16:50

230914-vccteadd3x 10

10-08-2020 09:13

200810-2b9zl1cdns 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Quotationv.exe

  • Size

    669KB

  • Sample

    230914-vccteadd3x

  • MD5

    52cfc15a97799e70a8b4a39b04bc8e2b

  • SHA1

    2cfa4daab21dd8115167a3ccba0080f5fdad63ff

  • SHA256

    f910b739d3d727fc1f5acde88b0740a575c603dc6c61246156c5debd6bd126bc

  • SHA512

    95b7d0c4942703ebfec9d405bfe08efd1f11c2af3b9f65e05bef5afb3440fabcff5e5733de9bec824331d6b22c26e72419e25ca66a6948c07c0c4d4cc98fcdc3

  • SSDEEP

    12288:lZq251MgHoOqx2sw/6h1/6tj/jrgLLZTh45s+hKeOknD1rfF32grpiAFKWDckjQc:3PjQLlahnrNbQAZgkj5

Score
10/10
formbookpduppersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pdup

Decoy

mycharlesschwab.com

casinocode.online

lesliemostellerart.com

cdtevergreen.com

jualpenirumasli.com

lvyouonline.com

moteaiai.com

coachmo13.com

lampungtimur.com

sellmycapecodhouse.com

wearschool.com

onlinekazancyollari.com

ubmotherhood.com

sqyxedu.com

sibate518.com

energygv.com

sathsathhain.com

paperghostsbook.com

investinbritain.net

tansuokeji.ink

Targets

    • Target

      Quotationv.exe

    • Size

      669KB

    • MD5

      52cfc15a97799e70a8b4a39b04bc8e2b

    • SHA1

      2cfa4daab21dd8115167a3ccba0080f5fdad63ff

    • SHA256

      f910b739d3d727fc1f5acde88b0740a575c603dc6c61246156c5debd6bd126bc

    • SHA512

      95b7d0c4942703ebfec9d405bfe08efd1f11c2af3b9f65e05bef5afb3440fabcff5e5733de9bec824331d6b22c26e72419e25ca66a6948c07c0c4d4cc98fcdc3

    • SSDEEP

      12288:lZq251MgHoOqx2sw/6h1/6tj/jrgLLZTh45s+hKeOknD1rfF32grpiAFKWDckjQc:3PjQLlahnrNbQAZgkj5

    Score
    10/10
    formbookpdupratspywarestealertrojanpersistence

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Adds policy Run key to start application

      persistence

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks