General

  • Target: fdd8c54cb9c4249532e2e00910c8ff36.rtf
  • Size: 43KB
  • Sample: 230712-gwfshsdb3z
  • MD5: fdd8c54cb9c4249532e2e00910c8ff36
  • SHA1: a63ab26f4adde349872fd4785449b76d74f8592c
  • SHA256: 2187745dcc704a8e203aa138a9a6f63f1ffe5ebb08129899cdec638ab48b7e41
  • SHA512: 62266f92bd5bb49545b6db4a5e4ae357e564762c89757580b7e0ea9b63bf6800e17df5a2ef503ed11b43ec49feede9ac51def550d141deb3b8467012445152bd
  • SSDEEP: 768:EFx0XaIsnPRIa4fwJMrwEm2eY+UIAntUvQTd9zS4VDPThO0af7oK:Ef0Xvx3EMcEBeynxHzS49PVO0ajoK

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: mf6w
  • Decoy



Targets

    • Target: fdd8c54cb9c4249532e2e00910c8ff36.rtf


    • Formbook
      Formbook is data-stealing malware.
    • Formbook payload
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks