General

  • Target: Compr..NotaFiscal3713.xls
  • Size: 1.2MB
  • Sample: 230716-jj9k6sea9s
  • MD5: 0765692957ce1a7d381daf4d254e0dc1
  • SHA1: d32070796d799a70d20889773f54870b7a564ad7
  • SHA256: ac08f1d3518dfe35c2d802992008d4a6750c6e83b9b7c4ed32be68c49bde40be
  • SHA512: 3463acb361a08aebf8d20638454f8bdb40422f88bf28cf7f0dbf8229b0466da74b8e66feb6fdeaac218b6861b5868edcfb7cbcffc7759e239d2d1ed67c5d543e
  • SSDEEP: 24576:GHu9V1ZyFw6VzAZypw6V1ipbmcwTA5G8cmuwwzx:GHu396Vzy16VqmjTJmuwQ

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: ms14
  • Decoy:
      adjoinstaff.online
      kmmdznky.cfd
      keyviewgroup.com
      kidomarketing.com
      jroxtqpq.cfd
      jdevmx.com
      genqaagz.cfd
      1cdpwp.cfd
      francegoldvip.com
      2qy218.xyz
      peterscanner.com
      trullys.com
      aniwatch.top
      windyhillcnc.com
      pokazhu.com
      r74jsy.cfd
      paulgadgets.com
      lindanewtee.com
      lasik-de-de-8808230.zone
      critone.site

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks