
General

  • Target

    Doc 07232412.bz

  • Size

    589KB

  • Sample

    240723-q7w4batbrr

  • MD5

    72e3353b16259f70d7b0238ed3b0e6ad

  • SHA1

    f5a403f1e3b53f5810e3e1be6897b568cb3d6a52

  • SHA256

    dc5979d64d9ea41f929d14f4ca02dd29f5dac9c77b3e5584ad076d2f87b82704

  • SHA512

    527798d5549787baec0287154f3ca92bd2fdb2389f7846936aaca5facdb1a17398466954039e244168639aa08edba56080da060c851e0a90aaec9062418702d4

  • SSDEEP

    12288:aVtWFShMR3m+6ws68REMnV1435a+UlgNrO/AuMJsnEc2Q8qpW8cE:aVM3R3m+6wsvKMnVwcqY/2jdQhcE

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

by21

Decoy

digitalillusions.net

changeblue25.com

kitchenwoow.com

grupocontigoalimentacion.com

iranabr.com

embodiedmagic.com

superstoreszone.com

apartments-for-rent-46883.bond

kelbagnole.com

rideskratchlab.com

a06kng.club

saddlebredallstars.xyz

filepd.com

kxetdf.asia

dl39yy.com

jackedsearch.com

exodusprofessionaldetailing.com

ecommerce-40144.bond

uh3b94g3pyczi9t.skin

dcmcc635i.xyz
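The Decoy list above is the domain set embedded in the Formbook configuration next to its real C2. At runtime Formbook sends requests to a random selection of these decoys in addition to the real C2, so one host resolving a single listed domain is weak evidence, while one host resolving several of them within a few minutes is a strong Formbook signal. The following added example is not part of the Triage report; it correlates constructed DNS query log lines against the extracted list per client and flags clients that hit several distinct config domains inside a sliding window. The log line format, the threshold of three domains in ten minutes, and the client addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Domains from the "Decoy" section of the extracted Formbook config above.
CONFIG_DOMAINS = {
    "digitalillusions.net", "changeblue25.com", "kitchenwoow.com",
    "grupocontigoalimentacion.com", "iranabr.com", "embodiedmagic.com",
    "superstoreszone.com", "apartments-for-rent-46883.bond", "kelbagnole.com",
    "rideskratchlab.com", "a06kng.club", "saddlebredallstars.xyz", "filepd.com",
    "kxetdf.asia", "dl39yy.com", "jackedsearch.com",
    "exodusprofessionaldetailing.com", "ecommerce-40144.bond",
    "uh3b94g3pyczi9t.skin", "dcmcc635i.xyz",
}

# Constructed sample DNS query log (hypothetical format: "<ISO time> <client> <queried name>").
# 10.0.0.15 resolves four config domains in under a minute; 10.0.0.22 resolves two,
# 95 minutes apart; 10.0.0.30 resolves a look-alike that is not in the list.
SAMPLE_LOG = """\
2024-07-23T12:01:05 10.0.0.15 www.kitchenwoow.com
2024-07-23T12:01:09 10.0.0.15 changeblue25.com
2024-07-23T12:01:12 10.0.0.15 www.iranabr.com
2024-07-23T12:01:20 10.0.0.15 update.microsoft.com
2024-07-23T12:01:31 10.0.0.15 dl39yy.com
2024-07-23T12:05:00 10.0.0.22 filepd.com
2024-07-23T13:40:00 10.0.0.22 digitalillusions.net
2024-07-23T12:02:00 10.0.0.30 notkitchenwoow.com
"""


def config_domain_for(name: str) -> Optional[str]:
    """Return the config domain that `name` equals or is a subdomain of, else None.

    The loop stops before the bare TLD so "com" or "bond" alone can never match.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CONFIG_DOMAINS:
            return candidate
    return None


def parse_line(line: str):
    ts, client, name = line.split()
    return datetime.fromisoformat(ts), client, name


def find_formbook_hosts(log_text: str, min_distinct: int = 3,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, List[str]]:
    """Map client -> sorted list of all config domains it resolved, for every client
    that resolved at least `min_distinct` distinct config domains within one `window`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, name = parse_line(line)
        dom = config_domain_for(name)
        if dom:
            hits[client].append((ts, dom))

    flagged: Dict[str, List[str]] = {}
    for client, events in hits.items():
        events.sort()
        # Sliding window: start at each event and collect distinct domains seen
        # within `window` of it.
        for i, (start, _) in enumerate(events):
            in_window = {d for t, d in events[i:] if t - start <= window}
            if len(in_window) >= min_distinct:
                flagged[client] = sorted({d for _, d in events})
                break
    return flagged


if __name__ == "__main__":
    for client, domains in find_formbook_hosts(SAMPLE_LOG).items():
        print(f"{client}: {len(domains)} Formbook config domains -> {', '.join(domains)}")
```

Subdomain matching matters because Formbook prefixes some requests with www.; the threshold is a tuning knob, not a rule of the malware. Because the list mixes decoys with the real C2, it is better used this way, as a hunting set with correlation, than as an unconditional block list.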

Targets

    • Target

      Doc 07232412.exe

    • Size

      637KB

    • MD5

      d44cbc7808ef4ca0e9007ed7812ac54c

    • SHA1

      3562886c50d64e72079e0bad936c065027acb6f1

    • SHA256

      eb9de075c6c5ac3dae5ec163fe9d8abeccf9edc3bdeed05364dcacf64c9550d2

    • SHA512

      6c256b5c66177a5dee6bc769c8fa782834feefdc584beeb503f89e0cedbc23a88dd98976774f0839765efeb137b1a87ffb71ff36659e560777f33601340816f4

    • SSDEEP

      12288:WdwwoIc0QIH2j0ocLX6NBxa3+SYOhAbp8FCTzcDxuN+wsv5/s2cxkOxW/t+BA:WywoIc0QIH2EiBcPQTTzIuN+vv5ixW/e

    • Formbook

      Formbook is an information-stealing malware family: it logs keystrokes, grabs form data and credentials from browsers and other applications, captures clipboard contents and screenshots, and exfiltrates them to its C2, which it hides among requests to decoy domains.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so the dropped payload is not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check to avoid running in certain regions.

    • Deletes itself

    • Suspicious use of SetThreadContext
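The Defender exclusion behaviour flagged above is a common Formbook loader step and is easy to catch from process-creation telemetry (Sysmon event 1, Security event 4688, or PowerShell script block logging) because the change has to go through Add-MpPreference or Set-MpPreference. The following added example is not part of the Triage report; it runs simple detection logic over constructed process-creation records, including the case where the cmdlet is hidden behind -EncodedCommand (UTF-16LE base64), which a plain substring match on the command line would miss. The record format, the paths and the dropper name are assumptions.

```python
import base64
import re
from typing import List, Optional, Tuple

# Hypothetical dropper path used in the constructed records below.
ENCODED_PAYLOAD = "Add-MpPreference -ExclusionProcess 'C:\\Users\\Public\\dropper.exe'"


def _encode_ps(cmd: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it: UTF-16LE, base64."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records: (image name, command line).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("powershell.exe",
     'powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath C:\\Users\\Public -ExclusionExtension .exe"'),
    ("powershell.exe", "powershell -w hidden -enc " + _encode_ps(ENCODED_PAYLOAD)),
    ("powershell.exe", 'powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ("powershell.exe", 'powershell -c "Get-MpPreference | Select ExclusionPath"'),  # read-only, benign
    ("cmd.exe", "cmd /c echo ExclusionPath"),  # not PowerShell at all
]

# Add-/Set-MpPreference followed (anywhere later in the text) by an -Exclusion* parameter.
# \w* covers ExclusionPath, ExclusionExtension, ExclusionProcess and PowerShell's
# accepted abbreviations such as -ExclusionPa.
EXCLUSION_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion\w*", re.I | re.S)
# Set-MpPreference -Disable* (e.g. -DisableRealtimeMonitoring) turns protection off outright.
DISABLE_RE = re.compile(r"\bSet-MpPreference\b.*?-Disable\w*", re.I | re.S)
# -e, -ec, -enc, -EncodedCommand ... followed by a base64 blob; short non-base64
# arguments such as "-ExecutionPolicy Bypass" do not satisfy the length requirement.
ENC_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if there is none or it is malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(image: str, cmdline: str) -> List[str]:
    """Return detection labels for one process-creation record (empty list = nothing found)."""
    if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    decoded = decode_encoded_command(cmdline)
    # Scan the raw command line and the decoded script together.
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    labels = []
    if EXCLUSION_RE.search(text):
        labels.append("defender_exclusion_added")
    if DISABLE_RE.search(text):
        labels.append("defender_feature_disabled")
    if decoded is not None and labels:
        labels.append("via_encoded_command")
    return labels


def scan(events: List[Tuple[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, labels) for every record that produced at least one label."""
    out = []
    for i, (image, cmdline) in enumerate(events):
        labels = classify(image, cmdline)
        if labels:
            out.append((i, labels))
    return out


if __name__ == "__main__":
    for i, labels in scan(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(labels)}")
```

On the host itself the same change is recorded by Defender as event ID 5007 ("configuration has changed") in the Microsoft-Windows-Windows Defender/Operational log, and the exclusions currently in force can be listed with Get-MpPreference, so a command-line hit can be confirmed without trusting the process telemetry alone.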

MITRE ATT&CK Enterprise v15

Tasks