General

  • Target

    243979694b054a96137dac617876bcdb_JaffaCakes118

  • Size

    510KB

  • Sample

    240728-z242eavdkq

  • MD5

    243979694b054a96137dac617876bcdb

  • SHA1

    f9c429224a786fb11bb4e12a50823a1e7f035745

  • SHA256

    3566accfc4308a1d6b1a76c175664f4cbd7e0e542f323a252faf325b77bc8edf

  • SHA512

    29e03b97294dd4e30c68851c732a097b2cde0c1098aad5760a8ad2c80fabd6151feead15c2f48a12a3eee3266861a814bd3837af7e39144d7e376aa7ffdb3921

  • SSDEEP

    12288:458WhWmNEYOyFeMG9b/KxiCWom2pBm5ic6g6MmMrcIdsGC9:45dxNDE9bKxzWo0cWC9

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    dmn

  • Decoy

    makemecookies.com
    highlandseniorcare.com
    artnowmedia.com
    realmusicschool.com
    daporn.pro
    xn--meditaoevida-7bb9c.com
    uniqueskinproducts.com
    xmoncatto.com
    shaloutuan.com
    mixednotshaken.com
    pulseslondonuk.com
    bestkeptsecretportland.com
    xpj888n.com
    natureswayentertainment.net
    alkhemilia.com
    digitalguidebooks.com
    greenglenhoa.com
    yoursavvymoneyteen.com
    andreaknightteacherauthor.com
    deadcyber.com
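As an added example (not part of the sandbox report), the following Python matches DNS query logs against the domain list extracted above. Formbook configs list the real C2 host among decoy domains that are usually legitimate sites, so a hit is a lead to correlate with process and injection telemetry, not a verdict, and blocking the whole list outright will break access to benign sites. The log format, hostnames and timestamps are constructed for illustration; the IDN decoy is handled by normalizing both Unicode and xn-- forms to the same string.

```python
"""Match DNS query logs against the Formbook config domains on this page.

Added example: the log lines and hostnames below are constructed, not taken
from the sandbox run.  Formbook hides its real C2 among decoy domains, so a
hit is a lead to correlate with other telemetry, not proof of C2 contact.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Domain list exactly as extracted in the Malware Config section above.
FORMBOOK_DOMAINS = [
    "makemecookies.com",
    "highlandseniorcare.com",
    "artnowmedia.com",
    "realmusicschool.com",
    "daporn.pro",
    "xn--meditaoevida-7bb9c.com",
    "uniqueskinproducts.com",
    "xmoncatto.com",
    "shaloutuan.com",
    "mixednotshaken.com",
    "pulseslondonuk.com",
    "bestkeptsecretportland.com",
    "xpj888n.com",
    "natureswayentertainment.net",
    "alkhemilia.com",
    "digitalguidebooks.com",
    "greenglenhoa.com",
    "yoursavvymoneyteen.com",
    "andreaknightteacherauthor.com",
    "deadcyber.com",
]


def normalize(domain: str) -> str:
    """Canonical form for comparison: lower-case, no trailing dot, and
    Unicode labels converted to their xn-- (punycode) form so the IDN decoy
    compares equal whether a log stores it as Unicode or as ACE."""
    d = domain.strip().rstrip(".").lower()
    try:
        return d.encode("idna").decode("ascii")
    except UnicodeError:
        return d  # malformed IDN label: keep the raw string for matching


DOMAIN_SET = {normalize(d) for d in FORMBOOK_DOMAINS}


def matches_ioc(name: str) -> Optional[str]:
    """Return the config domain that `name` equals or is a subdomain of,
    else None.  Walks the label suffixes so www.example.com hits example.com
    but notexample.com does not."""
    labels = normalize(name).split(".")
    for i in range(len(labels) - 1):        # never match a bare TLD
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_SET:
            return candidate
    return None


_QUERY_RE = re.compile(r"\bquery=(\S+)")


def scan_dns_log(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (line, matched_domain) for each log line whose query hits."""
    hits = []
    for line in lines:
        m = _QUERY_RE.search(line)
        if m:
            hit = matches_ioc(m.group(1))
            if hit:
                hits.append((line, hit))
    return hits


# Constructed sample log lines (the key=value format is illustrative).
SAMPLE_LOG = [
    "2024-07-28T13:02:11Z host=WS01 query=www.makemecookies.com type=A",
    "2024-07-28T13:02:12Z host=WS01 query=update.microsoft.com type=A",
    "2024-07-28T13:02:13Z host=WS01 query=meditaçãoevida.com type=A",
    "2024-07-28T13:02:14Z host=WS01 query=deadcyber.com. type=AAAA",
    "2024-07-28T13:02:15Z host=WS01 query=notshaloutuan.com type=A",
]

if __name__ == "__main__":
    for line, hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit:30} <- {line}")
```

Subdomain matching is deliberate: Formbook traffic uses the configured host directly, but a resolver log may show www. or other prefixes added by the client, and a plain string-equality check would miss them. The suffix walk stops before the TLD so a bare "com" lookup can never match.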

Targets

    • Target

      243979694b054a96137dac617876bcdb_JaffaCakes118

    • Size

      510KB

    • MD5

      243979694b054a96137dac617876bcdb

    • SHA1

      f9c429224a786fb11bb4e12a50823a1e7f035745

    • SHA256

      3566accfc4308a1d6b1a76c175664f4cbd7e0e542f323a252faf325b77bc8edf

    • SHA512

      29e03b97294dd4e30c68851c732a097b2cde0c1098aad5760a8ad2c80fabd6151feead15c2f48a12a3eee3266861a814bd3837af7e39144d7e376aa7ffdb3921

    • SSDEEP

      12288:458WhWmNEYOyFeMG9b/KxiCWom2pBm5ic6g6MmMrcIdsGC9:45dxNDE9bKxzWo0cWC9

    • Formbook

      Formbook is an information stealer (form grabber): it injects into browsers and other applications to capture submitted form data, credentials, keystrokes and clipboard contents, and sends them to its command-and-control server.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Formbook payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, session cookies and autofill entries.

    • Suspicious use of SetThreadContext
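The "Adds policy Run key" signature refers to Explorer's Group-Policy Run key (HKCU or HKLM \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run), which is executed at logon alongside the ordinary Run keys but is missed by triage scripts that check only those. As an added example, not from the report or the sandbox, this Python scans parsed Sysmon registry events (Event ID 13, SetValue) for writes under that key and flags entries whose command points into a user-writable directory, which is where a dropped payload like the one reported above would live. The events, image paths, value names and SID are constructed.

```python
"""Flag logon persistence written to Explorer's policy Run key.

Added example, not from the report: scans parsed Sysmon registry events
(Event ID 13, SetValue) for values created under
...\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run,
which Explorer executes at logon alongside the ordinary Run keys.
The events, paths and SID below are constructed.
"""
from typing import Dict, Iterable, List

# Key suffix shared by the HKLM and per-user (HKU\<SID>) policy Run keys;
# the trailing separator ensures we match a value under the key, not the key itself.
POLICY_RUN_KEY = r"\software\microsoft\windows\currentversion\policies\explorer\run" + "\\"

# Directories a logon entry normally has no business pointing into.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def is_policy_run_value(target_object: str) -> bool:
    """True when TargetObject is a value directly under a policy Run key."""
    return POLICY_RUN_KEY in target_object.lower()


def in_user_writable_dir(command: str) -> bool:
    """True when the autorun command path sits in a user-writable location."""
    c = command.lower()
    return any(d in c for d in USER_WRITABLE_DIRS)


def find_policy_run_persistence(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per SetValue on a policy Run key, in event order."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
            continue
        target = ev.get("TargetObject", "")
        if not is_policy_run_value(target):
            continue
        command = ev.get("Details", "")
        findings.append({
            "value_name": target.rsplit("\\", 1)[-1],
            "command": command,
            "writer": ev.get("Image", ""),
            "user_writable_target": in_user_writable_dir(command),
        })
    return findings


# Constructed Sysmon events in the field names Sysmon uses (illustrative only).
SAMPLE_EVENTS = [
    {   # dropped EXE registering itself under the per-user policy Run key
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Users\victim\AppData\Local\Temp\dropped.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dropped",
        "Details": r"C:\Users\victim\AppData\Local\Temp\dropped.exe",
    },
    {   # ordinary Run key: outside this check's scope
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
        "Details": r"C:\Program Files\Vendor\agent.exe",
    },
    {   # key creation, not a value write
        "EventID": 12, "EventType": "CreateKey",
        "Image": r"C:\Users\victim\AppData\Local\Temp\dropped.exe",
        "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    },
    {   # policy Run entry pointing at a non-user-writable path: lower priority
        "EventID": 13, "EventType": "SetValue",
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VendorAgent",
        "Details": r"C:\Program Files\Vendor\agent.exe",
    },
]

if __name__ == "__main__":
    for f in find_policy_run_persistence(SAMPLE_EVENTS):
        flag = "USER-WRITABLE" if f["user_writable_target"] else "system path"
        print(f"{f['value_name']:12} {flag:14} {f['command']}  (written by {f['writer']})")
```

Every write to the policy Run key is reported, because legitimate software rarely touches it outside of Group Policy; the user-writable flag is a triage priority, not a filter, and the writer's image path should be checked alongside it since the dropped EXE here registers itself.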

MITRE ATT&CK Enterprise v15

Tasks