General

  • Target

    dbbd5f34648cc1a20d0022c47a6531a6.exe

  • Size

    940KB

  • Sample

    220920-qc8tmageep

  • MD5

    dbbd5f34648cc1a20d0022c47a6531a6

  • SHA1

    84bc195e56cdc6804cb987af330608ef5b173a67

  • SHA256

    f8612ea8ab764a3d09157a9b90dc418ec2a7b8af22b29ce63d375896f9ec9a28

  • SHA512

    6d44509bfb38afe4490034736e20dc59cd97de0a4e8cdbdddcd353f7ba5a470a1288f6a2761fa31d4c81bfdf0f6dc8cd56581e27f138e783ecea3e520d9819b3

  • SSDEEP

    24576:xuLJQ0+ai+JoMCXlTjcEa0s4Tj29W8AoqiVNWI:xUpRx+cEa0Q

Malware Config

Extracted

Family

formbook

Campaign

chof

Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • ModiLoader Second Stage

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
