General

  • Target

    USD92.15.exe

  • Size

    997KB

  • Sample

    220916-j7afzsaghj

  • MD5

    7b711b729b01c38bbbed5ee08ef88347

  • SHA1

    45c70d807a9b741aec980b559ebec0c79a4cd1a0

  • SHA256

    6bf5a3809ca423061cb16a815ca5e5f3ba86d6c7fbf5233fd68b589012eae0ab

  • SHA512

    b94950da81e664bb2248411c39adb748f2042cad9e03ed4c212913e1b6e861d99e174b39e90084eaeeeaae6e067af7fd164ecf20d2f115a0ae77ffa9156f4581

  • SSDEEP

    12288:vJ6ShV7uikFgEeYeFav5bq5/wA9IVBrFPVgIBzcJtNv2j:h9hlubgSeFOb6/6frFPVXBzcRI

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    ejgp

  • Decoy

+0NM3RekW0bfgQ==

iQmI3Aw2aoOljoA0XZi1

5Ei2CVwQyOgZwV/u4eiMFdKqc84=

ImSvoul9o0reZ9TKUAUkXgw=

kuCrMIco5vT3sxCUQ+pYsVoG7Q==

btgpLo8XM+qHGLzoizgjRg==

fqK2iM5vW0bfgQ==

ObS1UE+TByKRZozamdULr0naXbKPLA==

bcohBkmNNcpp3gJ/XE2/mBs=

yY5b/cLb3+0llg==

GVEVqBNXl7Kic2Sm

Tqpt2tTlW0bfgQ==

eurYRI7UFDBjDbzpIJKz

7wwDuczemAaJNrrpIJKz

bprQyLvLEj+hhMLHHg==

qdoAqq/XOjh0ItzLLJpHBgxoJgM2

gr5SnMA66BpM8+hUM+iawNKeZsQ=

XLoO6yFTsdNuEYpUPfScwqXEk7dqBnU=

vS2Cjfg0tqBF1GpuHemLV8/g4wUwPspS

U5wqXJjP/u/qg3sE+YKsgVVByFw+

Targets

    • Target

      USD92.15.exe


    • Formbook

      Formbook is a data-stealing malware family (an infostealer).

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks