Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/01/2023, 10:03 UTC

General

  • Target

    980c09040af5ab467b0e902c8097cb83.exe

  • Size

    420KB

  • MD5

    980c09040af5ab467b0e902c8097cb83

  • SHA1

    efbd7fcfc5bac7aee07b2715c492ff71df54ce48

  • SHA256

    843c93a950a42ce6ccdd4debb3b505ee31a696637c523aa3cde37876a940d1d1

  • SHA512

    d1524131c82bac5e4fc6232963694d5c2944fd1ad52d7c394fac449c44f498f474d130217ec94a84514897cba02060207b564c640e056c85536356896f1e14c8

  • SSDEEP

    6144:oYa6eYODUglfIPtpIGAmRCXODtbOy0FD5GHfE7pV5gK8noo:oYdpIGAmMe5SyYtGHiuK81

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vr84

Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    PID:3092
    • C:\Users\Admin\AppData\Local\Temp\980c09040af5ab467b0e902c8097cb83.exe
      "C:\Users\Admin\AppData\Local\Temp\980c09040af5ab467b0e902c8097cb83.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5036
      • C:\Users\Admin\AppData\Local\Temp\filpx.exe
        "C:\Users\Admin\AppData\Local\Temp\filpx.exe" C:\Users\Admin\AppData\Local\Temp\xtvjfgswix.j
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4180
        • C:\Users\Admin\AppData\Local\Temp\filpx.exe
          "C:\Users\Admin\AppData\Local\Temp\filpx.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4972
          • C:\Windows\SysWOW64\netsh.exe
            "C:\Windows\SysWOW64\netsh.exe"
            5⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4752
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Users\Admin\AppData\Local\Temp\filpx.exe"
              6⤵
              PID:2484

    Network

    • flag-unknown
      DNS
      www.markallenit.com
      Remote address:
      8.8.8.8:53
      Request
      www.markallenit.com
      IN A
      Response
      www.markallenit.com
      IN A
      172.67.141.136
      www.markallenit.com
      IN A
      104.21.79.35
    • flag-unknown
      GET
      http://www.markallenit.com/vr84/?4h=3q/aG8SyLlRKzt1SIabMEKfgCIYZ/cn++JwbDNFQz/t+ThtcKsAL7WI4zaw0zi531gEn&2d5=DVoxnFoxXxY8-
      Explorer.EXE
      Remote address:
      172.67.141.136:80
      Request
      GET /vr84/?4h=3q/aG8SyLlRKzt1SIabMEKfgCIYZ/cn++JwbDNFQz/t+ThtcKsAL7WI4zaw0zi531gEn&2d5=DVoxnFoxXxY8- HTTP/1.1
      Host: www.markallenit.com
      Connection: close
      Response
      HTTP/1.1 301 Moved Permanently
      Date: Fri, 06 Jan 2023 10:04:17 GMT
      Transfer-Encoding: chunked
      Connection: close
      Cache-Control: max-age=3600
      Expires: Fri, 06 Jan 2023 11:04:17 GMT
      Location: https://www.markallenit.com/vr84/?4h=3q/aG8SyLlRKzt1SIabMEKfgCIYZ/cn++JwbDNFQz/t+ThtcKsAL7WI4zaw0zi531gEn&2d5=DVoxnFoxXxY8-
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=a0qWaqQVN972CWZFKeHRoMWDUEEzonzivRjUt80rHlQZgGmaXkFyqjMfI5%2FpiLx2QWO0tHjwcCxEJlYKNALK038GbfA87lKUWrI4f6cmMIKotn8atbmDKp5AHukfRn7wJRkCosZM"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 7853a0f0fbe5b8fc-AMS
      alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
    • flag-unknown
      DNS
      www.egggge.xyz
      Remote address:
      8.8.8.8:53
      Request
      www.egggge.xyz
      IN A
      Response
      www.egggge.xyz
      IN CNAME
      ju9sbr64.sktcks.com
      ju9sbr64.sktcks.com
      IN CNAME
      fbcuj92a.n.sktcks.com
      fbcuj92a.n.sktcks.com
      IN A
      43.155.32.218
      fbcuj92a.n.sktcks.com
      IN A
      43.132.109.241
    • flag-unknown
      GET
      http://www.egggge.xyz/vr84/?4h=a8zeX9nRH28oEdX5b4BA+WeEtOjKYfIPhSpXuyMu5V20gLyi0U+IMzwoZCX/EWqkDXbt&2d5=DVoxnFoxXxY8-
      Explorer.EXE
      Remote address:
      43.155.32.218:80
      Request
      GET /vr84/?4h=a8zeX9nRH28oEdX5b4BA+WeEtOjKYfIPhSpXuyMu5V20gLyi0U+IMzwoZCX/EWqkDXbt&2d5=DVoxnFoxXxY8- HTTP/1.1
      Host: www.egggge.xyz
      Connection: close
      Response
      HTTP/1.1 404 Not Found
      Date: Fri, 06 Jan 2023 10:04:38 GMT
      Content-Type: text/html
      Content-Length: 146
      Connection: close
      Server: Cheertech CDN
      X-Cache-Status: MISS
    • flag-unknown
      DNS
      www.14782.se
      Remote address:
      8.8.8.8:53
      Request
      www.14782.se
      IN A
      Response
    • flag-unknown
      DNS
      www.kxzi803.com
      Remote address:
      8.8.8.8:53
      Request
      www.kxzi803.com
      IN A
      Response
      www.kxzi803.com
      IN A
      63.250.47.104
    • flag-unknown
      GET
      http://www.kxzi803.com/vr84/?4h=2l/wX4k7ySlv4+l0KJOgcXMs8dc4wb8C4a1JKd8AQBoMv46c9g76QDuIGIYlRazqPg7g&2d5=DVoxnFoxXxY8-
      Explorer.EXE
      Remote address:
      63.250.47.104:80
      Request
      GET /vr84/?4h=2l/wX4k7ySlv4+l0KJOgcXMs8dc4wb8C4a1JKd8AQBoMv46c9g76QDuIGIYlRazqPg7g&2d5=DVoxnFoxXxY8- HTTP/1.1
      Host: www.kxzi803.com
      Connection: close
      Response
      HTTP/1.1 404 Not Found
      Server: nginx
      Date: Fri, 06 Jan 2023 10:05:18 GMT
      Content-Type: text/html
      Content-Length: 146
      Connection: close
    • flag-unknown
      DNS
      www.by23577.com
      Remote address:
      8.8.8.8:53
      Request
      www.by23577.com
      IN A
      Response
      www.by23577.com
      IN A
      154.80.192.221
    • flag-unknown
      GET
      http://www.by23577.com/vr84/?4h=K7LJL10Xq7N62GyUcnB6Neo/QLDiF5cc0C1kHTnt9G7xQk8hFsOcyJK5OHOPssXUoYJF&2d5=DVoxnFoxXxY8-
      Explorer.EXE
      Remote address:
      154.80.192.221:80
      Request
      GET /vr84/?4h=K7LJL10Xq7N62GyUcnB6Neo/QLDiF5cc0C1kHTnt9G7xQk8hFsOcyJK5OHOPssXUoYJF&2d5=DVoxnFoxXxY8- HTTP/1.1
      Host: www.by23577.com
      Connection: close
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Date: Fri, 06 Jan 2023 10:05:39 GMT
      Content-Type: text/html
      Content-Length: 1912
      Connection: close
      Vary: Accept-Encoding
    • 52.109.77.0:443
      40 B
      1
    • 209.197.3.8:80
      46 B
      40 B
      1
      1
    • 209.197.3.8:80
      322 B
      7
    • 2.18.109.224:443
      322 B
      7
    • 209.197.3.8:80
      322 B
      7
    • 209.197.3.8:80
      322 B
      7
    • 209.197.3.8:80
      46 B
      40 B
      1
      1
    • 172.67.141.136:80
      http://www.markallenit.com/vr84/?4h=3q/aG8SyLlRKzt1SIabMEKfgCIYZ/cn++JwbDNFQz/t+ThtcKsAL7WI4zaw0zi531gEn&2d5=DVoxnFoxXxY8-
      http
      Explorer.EXE
      396 B
      966 B
      5
      5

      HTTP Request

      GET http://www.markallenit.com/vr84/?4h=3q/aG8SyLlRKzt1SIabMEKfgCIYZ/cn++JwbDNFQz/t+ThtcKsAL7WI4zaw0zi531gEn&2d5=DVoxnFoxXxY8-

      HTTP Response

      301
    • 43.155.32.218:80
      http://www.egggge.xyz/vr84/?4h=a8zeX9nRH28oEdX5b4BA+WeEtOjKYfIPhSpXuyMu5V20gLyi0U+IMzwoZCX/EWqkDXbt&2d5=DVoxnFoxXxY8-
      http
      Explorer.EXE
      391 B
      531 B
      5
      5

      HTTP Request

      GET http://www.egggge.xyz/vr84/?4h=a8zeX9nRH28oEdX5b4BA+WeEtOjKYfIPhSpXuyMu5V20gLyi0U+IMzwoZCX/EWqkDXbt&2d5=DVoxnFoxXxY8-

      HTTP Response

      404
    • 63.250.47.104:80
      http://www.kxzi803.com/vr84/?4h=2l/wX4k7ySlv4+l0KJOgcXMs8dc4wb8C4a1JKd8AQBoMv46c9g76QDuIGIYlRazqPg7g&2d5=DVoxnFoxXxY8-
      http
      Explorer.EXE
      392 B
      501 B
      5
      5

      HTTP Request

      GET http://www.kxzi803.com/vr84/?4h=2l/wX4k7ySlv4+l0KJOgcXMs8dc4wb8C4a1JKd8AQBoMv46c9g76QDuIGIYlRazqPg7g&2d5=DVoxnFoxXxY8-

      HTTP Response

      404
    • 154.80.192.221:80
      http://www.by23577.com/vr84/?4h=K7LJL10Xq7N62GyUcnB6Neo/QLDiF5cc0C1kHTnt9G7xQk8hFsOcyJK5OHOPssXUoYJF&2d5=DVoxnFoxXxY8-
      http
      Explorer.EXE
      438 B
      2.3kB
      6
      5

      HTTP Request

      GET http://www.by23577.com/vr84/?4h=K7LJL10Xq7N62GyUcnB6Neo/QLDiF5cc0C1kHTnt9G7xQk8hFsOcyJK5OHOPssXUoYJF&2d5=DVoxnFoxXxY8-

      HTTP Response

      200
    • 8.8.8.8:53
      www.markallenit.com
      dns
      65 B
      97 B
      1
      1

      DNS Request

      www.markallenit.com

      DNS Response

      172.67.141.136
      104.21.79.35

    • 8.8.8.8:53
      www.egggge.xyz
      dns
      60 B
      150 B
      1
      1

      DNS Request

      www.egggge.xyz

      DNS Response

      43.155.32.218
      43.132.109.241

    • 8.8.8.8:53
      www.14782.se
      dns
      58 B
      118 B
      1
      1

      DNS Request

      www.14782.se

    • 8.8.8.8:53
      www.kxzi803.com
      dns
      61 B
      77 B
      1
      1

      DNS Request

      www.kxzi803.com

      DNS Response

      63.250.47.104

    • 8.8.8.8:53
      www.by23577.com
      dns
      61 B
      77 B
      1
      1

      DNS Request

      www.by23577.com

      DNS Response

      154.80.192.221

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\filpx.exe

      Filesize

      56KB

      MD5

      98002afac40f6945e6b34108827505d0

      SHA1

      61fb8be150df2fa8f85b066d4050f8bb095905ae

      SHA256

      07da33ffe03a486cd199125cb485561f6e53179e7be1ce6e32e1ce8a4726bd3f

      SHA512

      35e474f1fd570b1df607912fa756997143943a508e21cac0596bb2d4d3bd431e07c8411a11c87195f8c83e76b1946d2f714e0632abb9134c64f35b40246325da

    • C:\Users\Admin\AppData\Local\Temp\rfsyom.m

      Filesize

      205KB

      MD5

      6e778839ad9b8e35c2ee219f6084749c

      SHA1

      0b2d15d794006e31c458875c3f452e25b687da83

      SHA256

      ce74cea5493334d94ee41b2f33c08daf5e7969f02c0f705e32bb5e47019114e3

      SHA512

      9e49e69389e5dc4a6d3ebb845396672ba897c207dbe4d7e4b75204f0c0a8d82788860082ad534605750da0faf89c74b6773336579f7c1a7572edd599c67df723

    • C:\Users\Admin\AppData\Local\Temp\xtvjfgswix.j

      Filesize

      5KB

      MD5

      feb3241fec4320789d09238ee0a3806e

      SHA1

      8dade6e5708610a6959f1dd50d59d23c6341a9e3

      SHA256

      49ce3a686a989745ef53e27db48058376120918159d8c1855e9295d260da7f3d

      SHA512

      4c3cf4b9822f4785722e641525f00467d46dda78258b743844bfbe03c056ba5fd48d1418928417068742a0725d4b83e80f4f9ba9d4d36a3524437b3dd6a4b85b

    • memory/3092-142-0x00000000081D0000-0x00000000082A5000-memory.dmp

      Filesize

      852KB

    • memory/3092-154-0x0000000008D10000-0x0000000008EA4000-memory.dmp

      Filesize

      1.6MB

    • memory/3092-152-0x0000000008D10000-0x0000000008EA4000-memory.dmp

      Filesize

      1.6MB

    • memory/3092-144-0x0000000008460000-0x00000000085C5000-memory.dmp

      Filesize

      1.4MB

    • memory/4752-148-0x0000000000E50000-0x0000000000E6E000-memory.dmp

      Filesize

      120KB

    • memory/4752-153-0x00000000007B0000-0x00000000007DF000-memory.dmp

      Filesize

      188KB

    • memory/4752-151-0x0000000001210000-0x00000000012A4000-memory.dmp

      Filesize

      592KB

    • memory/4752-150-0x00000000013D0000-0x000000000171A000-memory.dmp

      Filesize

      3.3MB

    • memory/4752-149-0x00000000007B0000-0x00000000007DF000-memory.dmp

      Filesize

      188KB

    • memory/4972-143-0x0000000000930000-0x0000000000945000-memory.dmp

      Filesize

      84KB

    • memory/4972-145-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/4972-139-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/4972-141-0x00000000008C0000-0x00000000008D5000-memory.dmp

      Filesize

      84KB

    • memory/4972-140-0x0000000000970000-0x0000000000CBA000-memory.dmp

      Filesize

      3.3MB
