Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

STATEMENT ...xs.exe

windows7-x64

10

STATEMENT ...xs.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    STATEMENT OF ACCOUNT_xlxs.001

  • Size

    746KB

  • Sample

    240125-rk2wqaaafl

  • MD5

    51361d84cce41cae050d6b134f758355

  • SHA1

    c93b3153a15b7c873d51c9c0cfede656d77569d0

  • SHA256

    60c79090dd1ae506875ac4d40e82ad58209f866ad8c1bf539d7b539380daeff9

  • SHA512

    4def51b5b4adbd488932d8922e5fa63dc6048b78011987bd13fa6fc4296fc0731de8df73229879b5c64c4818ff5cbb52e76f748dcefb331a4fdd954dde71ca7a

  • SSDEEP

    12288:BR9cQgrziFmJxYNsVgfVYriXQykSaBNIwXKSy9xpPLNmG3E9miJ8Iy8F7:TFmiUJxYNMgNXQNfnICKx3bmGmbiIz

Score
10/10
formbookoa21persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oa21

Decoy

towinglyons.top

dunia-togel.xyz

alabnm.com

1stsole.com

uio3222d.store

little9.site

educationexperienced.com

tjautoline.com

twinzcreationzllc.com

sinsegoldenwolf.com

seeks6.studio

monetatowing.top

hqgroupiq.com

e8f4.com

mayasaccessoriesofficial.com

cribllc.us

homeremodelee.today

etl8ryc.site

danielbrennerreality.com

telcotechmelboure.store

Targets

    • Target

      STATEMENT OF ACCOUNT_xlxs.exe

    • Size

      888KB

    • MD5

      2a63c7d093ec7a63a4fabf61452e2206

    • SHA1

      501c0f22803da5b0ce77f915efac3567644c47ca

    • SHA256

      a51862c42a347c96969bb5e511b81d1beb31d50f850acf4fbf041087911c92f0

    • SHA512

      2bbfda19a986bec80b79beb33412fec220ab864ef15d3897a6e3e023e214a0fa7e0c4376d241476911ac5813571db1c07aa65aa8c00d62aaabdd668c5fe25a0f

    • SSDEEP

      12288:lRrzL0BkOhDPswBw4nP/CBx21t+TZY44s2WvbcWqOOav/qjqPaK:lJzpOLi4m0fCZsNWpOaHqDK

    Score
    10/10
    formbookoa21persistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Deletes itself

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      0d7ad4f45dc6f5aa87f606d0331c6901

    • SHA1

      48df0911f0484cbe2a8cdd5362140b63c41ee457

    • SHA256

      3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

    • SHA512

      c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

    • SSDEEP

      192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6

    Score
    3/10
    behavioral3behavioral4

MITRE ATT&CK Enterprise v15

Tasks