General

  • Target

    Yeni siparis eklendi.exe

  • Size

    730KB

  • Sample

    221101-kjqczaafdr

  • MD5

    ee8349f2888ba2742aee5f3431f8a1b9

  • SHA1

    2645c65169ae561912cc22c0418b0498dc51452d

  • SHA256

    25d182f0fae63df346da5dd500309607c39325a90aca36121e9d928e4c445b76

  • SHA512

    71fafdc140e603f6600971e2d5b3fb8093e1b043e24fbe1515d1460c895c1a9bd95a6af24a5c2c735d9bdf4f4ba6d41b9e6f261b99ccb04b5ee988b7602eb3c1

  • SSDEEP

    12288:cmkj8E72nMvEp9K8jfCRxsvUTGifrMReP0+ax+6m23m23msffffffffffffffffz:uAECSEp9ljfCmUTvfYRB+ax+6m23m23R

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Targets

    • Target

      Yeni siparis eklendi.exe

    • Size

      730KB

    • MD5

      ee8349f2888ba2742aee5f3431f8a1b9

    • SHA1

      2645c65169ae561912cc22c0418b0498dc51452d

    • SHA256

      25d182f0fae63df346da5dd500309607c39325a90aca36121e9d928e4c445b76

    • SHA512

      71fafdc140e603f6600971e2d5b3fb8093e1b043e24fbe1515d1460c895c1a9bd95a6af24a5c2c735d9bdf4f4ba6d41b9e6f261b99ccb04b5ee988b7602eb3c1

    • SSDEEP

      12288:cmkj8E72nMvEp9K8jfCRxsvUTGifrMReP0+ax+6m23m23msffffffffffffffffz:uAECSEp9ljfCmUTvfYRB+ax+6m23m23R

    • Formbook

      Formbook is an information-stealing malware family.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • ModiLoader Second Stage

    • Xloader payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks