Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    Trojan;MSIL.FormBook.AFO!MTB.zip

  • Size

    196KB

  • Sample

    240601-sykp2aff5w

  • MD5

    7b62401dd82be69f3f95f7883fc7e0d9

  • SHA1

    6adab9ef01fec2977a9c6cb3f6ff60b01fed124f

  • SHA256

    69811fd3a031d56a72428c7f3f74573b551c2dc9b5fb827fe6740a03eae55f31

  • SHA512

    faf526a594d2dec297072f66cb5db65b32f2313ffa5f2e25f66a85e40f51b1effcf1f40e02b2e62382275414c6acd3212b30d78855c3ce70f4bd54949840df15

  • SSDEEP

    6144:jHgkWXiqhrYVZCmZLZ5r8n2ys/xdbFqm2WJ:yX1hUbLZJ88PbMm2M

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://94.103.188.126/jerry/putty.zip

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

C2

192.168.1.2:1800

Mutex

DcRatMutex_qwqdanchun

Attributes
  • delay

    1

  • install

    false

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Version

AsyncRAT

Botnet

Fresh

C2

pepecasas123.net:4608

Mutex

AsyncMutex_5952

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Targets

    • Target

      New Text Document.exe

    • Size

      4KB

    • MD5

      a239a27c2169af388d4f5be6b52f272c

    • SHA1

      0feb9a0cd8c25f01d071e9b2cfc2ae7bd430318c

    • SHA256

      98e895f711226a32bfab152e224279d859799243845c46e550c2d32153c619fc

    • SHA512

      f30e1ff506cc4d729f7e24aa46e832938a5e21497f1f82f1b300d47f45dae7f1caef032237ef1f5ae9001195c43c0103e3ab787f9196c8397846c1dea8f351da

    • SSDEEP

      48:6r1huik0xzYGJZZJOQOulbfSqXSfbNtm:IIxcLpf6zNt

    • AsyncRat

      AsyncRAT is designed to remotely monitor and control other computers written in C#.

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

    • Suspicious use of SetThreadContext

    • Target

      Trojan;MSIL.FormBook.AFO!MTB.exe

    • Size

      329KB

    • MD5

      0b0d247aa1f24c2f5867b3bf29f69450

    • SHA1

      48de9f34226fd7f637e2379365be035af5c0df1a

    • SHA256

      a6e7292e734c3a15cfa654bba8dea72a2f55f1c24cf6bbdc2fd7e63887e9315a

    • SHA512

      56ee21ee4ab9ece7542c7f3068889b0b98aa7d73274b71682ab39be5cce42efda99830b12910908f06ccb99a83024ac3096108d132fd44cddf4e83191c145706

    • SSDEEP

      3072:Gn2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUeK:jE+yclwQKjdn+WPtYVJIoBfRT+tkH

    Score
    1/10
    • Target

      Пароли Chrome.csv

    • Size

      1KB

    • MD5

      64f50afb35dd16ee46f187015cee84ce

    • SHA1

      24f2fae82f8df4feda6f509641eee26ad1629fc6

    • SHA256

      c2d389870de77426a31a8c478e0fddcbbea7a3733b453806317914e6f946ea91

    • SHA512

      cb1f85b38cbed9ce1824b0bd6fb562619bf8a2498692e1b9d87a6f179c866f4c85ebf66dd9b29481fd2beb66a8598b8cc700ff5abbf66048cea05f45ced4dfa5

    Score
    1/10

MITRE ATT&CK Enterprise v15

Tasks