Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

841f916fd2...10.exe

windows7-x64

10

841f916fd2...10.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/06/2023, 10:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe

  • Size

    816KB

  • MD5

    f9df3670e25d3846200606958b47c4e5

  • SHA1

    1177bfdae58c9f07f1bfc4d873a02562423c20d8

  • SHA256

    841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410

  • SHA512

    9895e4d8bf6649838aefe23fa904d70256dac09003d4b18b1a5bda7c61896c30982828077e349810d88492ae6eacb3721ff3a82fc83975f6d8c4599c459bb6d4

  • SSDEEP

    12288:1S8hue/3H1OdvmnHKpBnM8NU1TwBiW7okCT66tk0riptH+VO8kevckNx:1BOdv8KpS8dBX7o7Fctekk

Score
10/10
formbookga36ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ga36

Decoy

700kitchen.com

udda.app

fractionalgc.tech

tipmercados.net

2-upapparel.net

directbookdiscount.com

koewetzeltours.com

d7c8-iuxt.com

hamaancook.com

benjaimnmoore.com

yimaglobal.africa

dispovapo.com

aseguvenlik.com

battery-worth.com

dddanbao.mobi

blueskyauberge.com

740.mobi

betterbonella.com

liverally.club

czubao.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe
    "C:\Users\Admin\AppData\Local\Temp\841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Users\Admin\AppData\Local\Temp\841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe
      "C:\Users\Admin\AppData\Local\Temp\841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1212-140-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1212-142-0x0000000001460000-0x00000000017AA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1640-133-0x0000000000E10000-0x0000000000EE2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/1640-134-0x0000000005C10000-0x00000000061B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1640-135-0x0000000005770000-0x0000000005802000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1640-136-0x0000000005820000-0x000000000582A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1640-137-0x00000000058D0000-0x00000000058E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1640-138-0x00000000058D0000-0x00000000058E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1640-139-0x0000000008B40000-0x0000000008BDC000-memory.dmp

    Filesize

    624KB

    Download