General

  • Target

    eb4ebf5b9bbe84d8344a9d841b258b8b.zip

  • Size

    475KB

  • Sample

    230519-k1cs7sda29

  • MD5

    5dfe5efe3841908f856707611a7a7bdc

  • SHA1

    24c411e37ae9b2ce305ef0fe64f9fe4906bd7410

  • SHA256

    cb550c56ca091b8c0d2a6634a114a66a5c15f2363881f37fbb14e715ac88134f

  • SHA512

    5620ef57ade849a7d5d310988b2a793d5c8f357af03d455ab6cf2445cb6497fb6a1a0fae3a0537af15fe13304f5a01f04480e21f065db2ffb7d08abe35feed37

  • SSDEEP

    12288:PPHnnwYE0vTK1IQaPjPgAxg0ZN6Y1NOETVa1wyVv9wXSSYOvyl:PfnMKBDr6e9VYBaXlxi

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

il07

Decoy


Targets

    • Target

      NARUD_BA.EXE

    • Size

      500KB

    • MD5

      eb4ebf5b9bbe84d8344a9d841b258b8b

    • SHA1

      73ac005d35a2a7d5a43e4aa6982461b3168f64e6

    • SHA256

      0b318f0cfea0808152858214548a444572aa30e11ebaf4fb5b06af00033fea7e

    • SHA512

      bd318dd411127aa503ecce23a1d53a497be089b3b74e1b31735cbf95b52ee4858ceb6f29c0a4101740334ddbbc586a57dcd055cc31f255a121c2d06bed381c44

    • SSDEEP

      12288:lKl9TZYH5G8FfP9Rns6cDdrnEPpmTzLJOJt:s9TybFfP9Z5WRExCJKt

    • Formbook

      Formbook is a data-stealing malware family (information stealer).

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook payload

    • Adds policy Run key to start application

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6