General

  • Target

    Official Purchase Order 121322.exe

  • Size

    1019KB

  • Sample

    221219-kkaznsef29

  • MD5

    9e40b98924b94ea375faf0bccf2609ee

  • SHA1

    bbb2330799adfffd534505aac9ac112e16f7fc8e

  • SHA256

    4b4faaccc4842d408c3caad47e364f69dad51765ab242e4dc8c97de0cd190ddc

  • SHA512

    c2a3f6653962664b1d830edee1c84ac9a62e1d908b647c6f88f1b21837c3316177c445ea2af17c0326e79d9bf3b5d4b266fbbb3a87b2eb12ffa1cc972a23b9db

  • SSDEEP

    24576:wGTgVIYba1JXh+Q/Fkq1SW0vQ2lBS4G3r5/oOi3bJhxVsWy:wGT6Iz3RJtkqh0vQ2

Malware Config

Extracted

Family

formbook

Campaign

snky

Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family (infostealer).

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext
