General
Target: Trojan;MSIL.FormBook.AFO!MTB.zip
Size: 196KB
Sample: 240601-sykp2aff5w
MD5: 7b62401dd82be69f3f95f7883fc7e0d9
SHA1: 6adab9ef01fec2977a9c6cb3f6ff60b01fed124f
SHA256: 69811fd3a031d56a72428c7f3f74573b551c2dc9b5fb827fe6740a03eae55f31
SHA512: faf526a594d2dec297072f66cb5db65b32f2313ffa5f2e25f66a85e40f51b1effcf1f40e02b2e62382275414c6acd3212b30d78855c3ce70f4bd54949840df15
SSDEEP: 6144:jHgkWXiqhrYVZCmZLZ5r8n2ys/xdbFqm2WJ:yX1hUbLZJ88PbMm2M
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: New Text Document.exe
  Resource: win10v2004-20240426-en
Behavioral task: behavioral2
  Sample: Trojan;MSIL.FormBook.AFO!MTB.exe
  Resource: win10v2004-20240508-en
Behavioral task: behavioral3
  Sample: Пароли Chrome.csv
  Resource: win10v2004-20240426-en
Malware Config
Extracted URL: http://94.103.188.126/jerry/putty.zip
Extracted family: asyncrat
  Version: 1.0.7
  Botnet: Default
  C2: 192.168.1.2:1800
  Mutex: DcRatMutex_qwqdanchun
  delay: 1
  install: false
  install_folder: %AppData%
Extracted family: asyncrat
  Version: AsyncRAT
  Botnet: Fresh
  C2: pepecasas123.net:4608
  Mutex: AsyncMutex_5952
  delay: 3
  install: false
  install_folder: %AppData%
Targets

Target: New Text Document.exe
Size: 4KB
MD5: a239a27c2169af388d4f5be6b52f272c
SHA1: 0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c
SHA256: 98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc
SHA512: f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da
SSDEEP: 48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt
Signatures:
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  - Downloads MZ/PE file
  - Checks computer location settings
    Looks up the country code configured in the registry, likely for geofencing.
  - Executes dropped EXE
  - Loads dropped DLL
  - Uses the VBS compiler for execution
  - Checks installed software on the system
    Looks up Uninstall key entries in the registry to enumerate installed software.
  - Legitimate hosting services abused for malware hosting/C2
  - Writes to the Master Boot Record (MBR)
    Bootkits write to the MBR to gain persistence at a level below the operating system.
  - Suspicious use of SetThreadContext
Target: Trojan;MSIL.FormBook.AFO!MTB.exe
Size: 329KB
MD5: 0b0d247aa1f24c2f5867b3bf29f69450
SHA1: 48de9f34226fd7f637e2379365be035af5c0df1a
SHA256: a6e7292e734c3a15cfa654bba8dea72a2f55f1c24cf6bbdc2fd7e63887e9315a
SHA512: 56ee21ee4ab9ece7542c7f3068889b0b98aa7d73274b71682ab39be5cce42efda99830b12910908f06ccb99a83024ac3096108d132fd44cddf4e83191c145706
SSDEEP: 3072:Gn2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUeK:jE+yclwQKjdn+WPtYVJIoBfRT+tkH
Score: 1/10

Target: Пароли Chrome.csv
Size: 1KB
MD5: 64f50afb35dd16ee46f187015cee84ce
SHA1: 24f2fae82f8df4feda6f509641eee26ad1629fc6
SHA256: c2d389870de77426a31a8c478e0fddcbbea7a3733b453806317914e6f946ea91
SHA512: cb1f85b38cbed9ce1824b0bd6fb562619bf8a2498692e1b9d87a6f179c866f4c85ebf66dd9b29481fd2beb66a8598b8cc700ff5abbf66048cea05f45ced4dfa5
Score: 1/10