General

  • Target

    Scan005510.js

  • Size

    5.3MB

  • Sample

    230718-qc774abc71

  • MD5

    dcdd70327905af1b3bee089b4f47a343

  • SHA1

    fc26fd4b71a7d6f94d191eca8ad1e4303a679075

  • SHA256

    58f1b6a6931817eaef17e92901372bc6032dd0e6aa0636f82c7b3176c1ded8ea

  • SHA512

    befa67677050ae06352e55fbaefb7287ff88b1428eafa1cc63342339e358081b6b0e3fb98473906ee64bca28314c981fa98c70fcd94383da0d95d8d92b9f38ef

  • SSDEEP

    6144:XgHrlNOv7uIeLpJMaO/lfSiSiV/r3ZPuK/v4lOVdMorRpVDBqP3nvBrXQklUOu6z:iPB

Malware Config

Extracted

Family

wshrat

C2

http://45.90.222.131:7121

Extracted

Family

formbook

Version

4.1

Campaign

me15

Decoy

thegrill253.com

arthousecorp.com

acre-com.com

dreambarnhollow.com

winwin220693.online

shinohtrade.com

blockcchain.help

8hx3.vip

lifeshinelearning.com

havencoinvestmentgroup.com

thebesthomehacks.com

the-country-wiki.com

xskt.club

sunrisemedia.space

crecrown.com

0hpail.cyou

artwelding.store

psilome.com

layerbabuena.club

miras.shop
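The configuration block above is the most actionable part of the report: one WSHRAT C2 socket and the Formbook C2/decoy domain list (Formbook contacts the whole list, so every domain is worth hunting for). The following is an added example, not tria.ge's code, that turns those indicators into a hunt list and runs it over web-proxy logs. The log format (timestamp, client IP, method, URL, status) and the log lines are constructed for the example; only the indicators come from the report.

```python
"""
Added example (not tria.ge's code): build a hunt list from the wshrat and
formbook configuration extracted above and run it over proxy logs.
"""
import hashlib
from urllib.parse import urlsplit

# Indicators copied verbatim from the "Malware Config" section of the report.
WSHRAT_C2 = "http://45.90.222.131:7121"
FORMBOOK_C2_DOMAINS = [
    "thegrill253.com", "arthousecorp.com", "acre-com.com", "dreambarnhollow.com",
    "winwin220693.online", "shinohtrade.com", "blockcchain.help", "8hx3.vip",
    "lifeshinelearning.com", "havencoinvestmentgroup.com", "thebesthomehacks.com",
    "the-country-wiki.com", "xskt.club", "sunrisemedia.space", "crecrown.com",
    "0hpail.cyou", "artwelding.store", "psilome.com", "layerbabuena.club", "miras.shop",
]
SAMPLE_SHA256 = "58f1b6a6931817eaef17e92901372bc6032dd0e6aa0636f82c7b3176c1ded8ea"

DEFAULT_PORTS = {"http": 80, "https": 443}


def build_hunt_list():
    """Split the IOCs into exact socket matches (WSHRAT) and domain matches (Formbook)."""
    c2 = urlsplit(WSHRAT_C2)
    return {
        "sockets": {(c2.hostname, c2.port or DEFAULT_PORTS[c2.scheme])},
        "domains": {d.lower() for d in FORMBOOK_C2_DOMAINS},
    }


def domain_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one.
    A plain substring test would also flag e.g. notthegrill253.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_url(url, hunt):
    """Return the family a URL is attributed to ('wshrat' / 'formbook'), or None."""
    u = urlsplit(url)
    if not u.hostname:
        return None
    port = u.port or DEFAULT_PORTS.get(u.scheme)
    if (u.hostname, port) in hunt["sockets"]:
        return "wshrat"
    if domain_matches(u.hostname, hunt["domains"]):
        return "formbook"
    return None


def hunt_proxy_log(text, hunt=None):
    """Return (client_ip, host, family) for every log line that hits an IOC."""
    hunt = hunt or build_hunt_list()
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        _ts, client, _method, url, _status = parts
        family = classify_url(url, hunt)
        if family:
            hits.append((client, urlsplit(url).hostname, family))
    return hits


def file_matches_sample(data: bytes) -> bool:
    """Confirm a recovered file is this sample by SHA256, not by its file name."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


# Constructed proxy log for the example (hypothetical hosts and clients).
PROXY_LOG = """\
2023-07-18T16:04:11Z 10.0.0.15 GET http://www.thegrill253.com/ 200
2023-07-18T16:04:12Z 10.0.0.15 GET http://45.90.222.131:7121/ 200
2023-07-18T16:05:00Z 10.0.0.22 GET https://example.org/index.html 200
2023-07-18T16:05:03Z 10.0.0.15 GET http://cdn.sunrisemedia.space/ 404
2023-07-18T16:05:09Z 10.0.0.22 GET http://notthegrill253.com/ 200
2023-07-18T16:05:10Z 10.0.0.22 GET http://45.90.222.131/ 200
"""

if __name__ == "__main__":
    for client, host, family in hunt_proxy_log(PROXY_LOG):
        print(client, host, family)
```

The WSHRAT indicator is matched as an exact host:port pair, so traffic to the same IP on port 80 is deliberately not reported; widen the rule to the bare IP if you want to catch the operator re-using the server. Domains match on the registered name and any subdomain, which is what the `cdn.` line exercises.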

Targets

    • Target

      Scan005510.js


    • Formbook

      Formbook is an information stealer: it harvests credentials, keystrokes and form data from browsers and other applications on the infected host.

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • WSHRAT

      WSHRAT is a variant of the Houdini worm and is distributed as both VBS and JS scripts.

    • Formbook payload

    • Blocklisted process makes network request

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
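Several of the behavioural signatures above (Drops startup file, Adds Run key, Executes dropped EXE, Loads dropped DLL, the registry lookups for country code and installed software, and a script host making network requests) can be re-derived from endpoint telemetry. The following is an added example, not tria.ge's signature code, that implements those checks as rules over a stream of events. The event schema (`type`, `image`, `target`, `parent`), the events, the blocklist of script hosts, and the assumption that the country code is read from `Control Panel\International\Geo\Nation` are all constructed for the example; the signature names are the report's.

```python
"""
Added example (not tria.ge's code): re-derive several of the report's
behavioural signatures as rules over an endpoint event stream.
"""
import json
from collections import defaultdict

# Path fragments compared case-insensitively against lower-cased event targets.
RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"        # value written under ...\Run
UNINSTALL_KEY = "\\microsoft\\windows\\currentversion\\uninstall"  # enumeration of installed software
GEO_NATION = "control panel\\international\\geo\\nation"       # assumed location of the country code
STARTUP_DIR = "\\start menu\\programs\\startup\\"              # per-user Startup folder
# Assumed blocklist: script hosts that should not normally open network connections.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def load_events(jsonl_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def detect(events):
    """Return {signature name: [event indexes]} for the behaviours in the report."""
    hits = defaultdict(list)
    dropped = set()  # files written during the run, so later execution/loads can be tied to them
    for i, ev in enumerate(events):
        kind = ev["type"]
        image = ev.get("image", "").lower()
        target = ev.get("target", "").lower()
        if kind == "FileCreate":
            dropped.add(target)
            if STARTUP_DIR in target:
                hits["Drops startup file"].append(i)
        elif kind == "RegistryValueSet" and RUN_KEY in target:
            hits["Adds Run key to start application"].append(i)
        elif kind == "RegistryQuery":
            if target.endswith(GEO_NATION):
                hits["Checks computer location settings"].append(i)
            elif UNINSTALL_KEY in target:
                hits["Checks installed software on the system"].append(i)
        elif kind == "ProcessCreate" and image in dropped and image.endswith(".exe"):
            hits["Executes dropped EXE"].append(i)
        elif kind == "ImageLoad" and target in dropped and target.endswith(".dll"):
            hits["Loads dropped DLL"].append(i)
        elif kind == "NetworkConnect" and basename(image) in SCRIPT_HOSTS:
            hits["Blocklisted process makes network request"].append(i)
    return dict(hits)


def triage_verdict(hits, threshold=3):
    """Flag a run once at least `threshold` distinct behaviours fired."""
    return len(hits) >= threshold


# Constructed telemetry modelled on a JS dropper run (paths and names are hypothetical).
EVENTS_JSONL = r"""
{"type": "FileCreate", "image": "C:\\Windows\\System32\\wscript.exe", "target": "C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe"}
{"type": "FileCreate", "image": "C:\\Windows\\System32\\wscript.exe", "target": "C:\\Users\\victim\\AppData\\Roaming\\helper.dll"}
{"type": "RegistryValueSet", "image": "C:\\Windows\\System32\\wscript.exe", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32"}
{"type": "RegistryQuery", "image": "C:\\Windows\\System32\\wscript.exe", "target": "HKCU\\Control Panel\\International\\Geo\\Nation"}
{"type": "ProcessCreate", "image": "C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe", "parent": "C:\\Windows\\System32\\wscript.exe"}
{"type": "ImageLoad", "image": "C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe", "target": "C:\\Users\\victim\\AppData\\Roaming\\helper.dll"}
{"type": "RegistryQuery", "image": "C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe", "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall"}
{"type": "NetworkConnect", "image": "C:\\Windows\\System32\\wscript.exe", "target": "45.90.222.131:7121"}
{"type": "FileCreate", "image": "C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe", "target": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"}
{"type": "RegistryValueSet", "image": "C:\\Windows\\explorer.exe", "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"}
{"type": "NetworkConnect", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "target": "93.184.216.34:443"}
"""

if __name__ == "__main__":
    found = detect(load_events(EVENTS_JSONL))
    for name, idx in found.items():
        print(f"{name}: events {idx}")
    print("verdict:", "malicious" if triage_verdict(found) else "clean")
```

The "dropped" set is what makes Executes dropped EXE and Loads dropped DLL stateful: a process start or image load is only interesting when the path was written earlier in the same run, which is why the benign explorer.exe and firefox.exe events at the end produce no hits.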

MITRE ATT&CK Enterprise v6
