General

  • Target

    8c86c2c68e14eef2ac6a63da35633b309ef75e7f818a6bf935e56471ed5dae53

  • Size

    384KB

  • Sample

    230202-qm3qcsae4w

  • MD5

    ea0406dc2d0cfd68f8620e462406a819

  • SHA1

    aca8beb5b8055efb907e600f0ac51160aee5a548

  • SHA256

    8c86c2c68e14eef2ac6a63da35633b309ef75e7f818a6bf935e56471ed5dae53

  • SHA512

    34c8d16d7a1e54d81eec84c4b4e9bb3b11388bf97317b6d1d0eb396534497c6d490fd43f75c83fde87b7d8aac307fa98b874686a4d42273e20a708f1cc8b24aa

  • SSDEEP

    6144:jYa6yIgee0WsmHcrkflbDpIHTsxLB047a/wlz9POTaZX7UWzkaJqxB:jY1gAFmHc6YgHh7a+pOmX7UyI

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Targets

    • Formbook

      Formbook is an information-stealing malware family that harvests data such as credentials from infected hosts.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Suspicious use of SetThreadContext
