General

  • Target

    PAYMENT COPY.zip

  • Size

    830KB

  • Sample

    220930-rnewcsefgp

  • MD5

    7f0c1b7a21fad519b2087903cf24bf06

  • SHA1

    f1062361f1abbf2dab1ba248687a26d2484b28f9

  • SHA256

    438153728a6eb77664398020d884c6eb1fd74f39116090b502b39c2116765f20

  • SHA512

    5ef46f3ef42b37dfc58ee4e65b4d56795ccdd3d352ad0e60d2596253e95c75b3d08a4748713d09201e49d9583f8f53d254e12d4d216e2962a1ac5604c3fd6bae

  • SSDEEP

    12288:sVW9+/2iLFTG7KwG+ve6AWzGMhGY75bp1he8n/PIGSBDs4X8XTM7tpDMYnpc0jIH:sL/1xi7KwG+vPquGYHy8nIi4MgBjIWIl

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    uymo

  • Decoy

Targets

    • Target

      PAYMENT COPY.exe

    • Size

      1.0MB

    • MD5

      40b8041f55f40b2975deb791cdd40f17

    • SHA1

      c0a57f918bbdd09d69e2fb380ccea7cc69e65ba8

    • SHA256

      9a5edc79c2643926c35c6e83248b6c196c5cd081f74b3b689ae9f02be6b18369

    • SHA512

      f3f0cbb4bd3515caeaad79f99e050445e02a6678ecc679206dca1c7b701785fd65086e10e7eedf4ed55a3196f8a2995961b92a7ae1bcab93bf71b11f2ac4f995

    • SSDEEP

      24576:iqJo1MNiwGovlW0G4lA0PsUCiyfTwWQn:iqiKlbfPbCiy7w

    • Formbook

      Formbook is a data-stealing malware family (an infostealer).

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Suspicious use of SetThreadContext
