Overview

overview

10

Static

static

3

Quotationv.exe

windows7-x64

10

Quotationv.exe

windows10-2004-x64

10

Resubmissions

14/09/2023, 16:50

230914-vccteadd3x 10

10/08/2020, 09:13

200810-2b9zl1cdns 10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    14/09/2023, 16:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotationv.exe

  • Size

    669KB

  • MD5

    52cfc15a97799e70a8b4a39b04bc8e2b

  • SHA1

    2cfa4daab21dd8115167a3ccba0080f5fdad63ff

  • SHA256

    f910b739d3d727fc1f5acde88b0740a575c603dc6c61246156c5debd6bd126bc

  • SHA512

    95b7d0c4942703ebfec9d405bfe08efd1f11c2af3b9f65e05bef5afb3440fabcff5e5733de9bec824331d6b22c26e72419e25ca66a6948c07c0c4d4cc98fcdc3

  • SSDEEP

    12288:lZq251MgHoOqx2sw/6h1/6tj/jrgLLZTh45s+hKeOknD1rfF32grpiAFKWDckjQc:3PjQLlahnrNbQAZgkj5

Score
10/10
formbookpdupratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pdup

Decoy

mycharlesschwab.com

casinocode.online

lesliemostellerart.com

cdtevergreen.com

jualpenirumasli.com

lvyouonline.com

moteaiai.com

coachmo13.com

lampungtimur.com

sellmycapecodhouse.com

wearschool.com

onlinekazancyollari.com

ubmotherhood.com

sqyxedu.com

sibate518.com

energygv.com

sathsathhain.com

paperghostsbook.com

investinbritain.net

tansuokeji.ink

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\Quotationv.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotationv.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Users\Admin\AppData\Local\Temp\Quotationv.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2636
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Quotationv.exe"
        3⤵
        • Deletes itself
        PID:1840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1256-30-0x0000000006360000-0x000000000646D000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1256-29-0x0000000006360000-0x000000000646D000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1256-28-0x0000000006360000-0x000000000646D000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1256-24-0x00000000066D0000-0x0000000006832000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1256-18-0x00000000066D0000-0x0000000006832000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/1672-0-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1672-2-0x00000000003A0000-0x00000000003E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1672-1-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1672-3-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1672-4-0x00000000003A0000-0x00000000003E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1672-5-0x00000000003A0000-0x00000000003E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1672-13-0x00000000748A0000-0x0000000074E4B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2636-16-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2636-17-0x0000000000110000-0x0000000000124000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2636-14-0x0000000000A60000-0x0000000000D63000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2636-12-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2636-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2636-8-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2636-6-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2644-19-0x0000000000780000-0x0000000000A01000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/2644-20-0x0000000000780000-0x0000000000A01000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/2644-21-0x0000000000080000-0x00000000000AE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2644-22-0x0000000002290000-0x0000000002593000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2644-23-0x0000000000080000-0x00000000000AE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2644-27-0x0000000002190000-0x0000000002223000-memory.dmp

    Filesize

    588KB

    Download