General

  • Target

    QUOTE.zip

  • Size

    848KB

  • Sample

    250227-syjgzasky9

  • MD5

    c14ba8bb03ba1ca1df5a0936af448b69

  • SHA1

    4d3b22ef68f2227739dae155a09afb52204e13f5

  • SHA256

    fcda8d5f3bf1050d5bcc221e8375ce2c24da896f958ee9673883d75f69856998

  • SHA512

    a04b7542d667339904ea99b9dd4cd4063ee310c6fbf46e69e41b0e5ea405debf176599d0a4cf671a2e17d48b65a332079460e6f4bf2015fb8c0d0ef64fa11d03

  • SSDEEP

    24576:PnhY06LZ8HmfBzsq0RgIZ6Gnk0m4DcQ51gh8TL:PhY06N8GfBIquG0p1e83

Malware Config

Extracted

Family

xworm

C2

5.206.224.92:8888

Attributes

  • install_file

    USB.exe

Targets

    • Target

      QUOTE.exe

    • Size

      1.8MB

    • MD5

      a66beadb024e6588013951dcc580c6e3

    • SHA1

      0c2877b14f6cec469b75a4801f2fa8eb06d44027

    • SHA256

      dc871eeb7a1c0b24f72c6f0784522d7e354dec9ef137287ebfaea74dd1776a7d

    • SHA512

      f6ff571e98113f65e3b4c7a97be86e7586399edbb224921eab46a609f752277e3e02d8eed5b97aaebf6a712bac9d03d0be116917b1340ea623d50809a8be133b

    • SSDEEP

      49152:9W7OQpZsNmopb3wuzfiG+iGGCCCCv9rmlf3e9uQ1Prsw:9OppZs08b3wujiG+iGGCCCCvy3e9f1TH

    • Detect Xworm Payload

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Modiloader family

    • StormKitty

      StormKitty is an open source info stealer written in C#.

    • StormKitty payload

    • Stormkitty family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • ModiLoader Second Stage

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks