General

  • Target

    a731201c494158fd9f3b137b67db02ad541ff8faff0f4b26d66d5234027abb60

  • Size

    552KB

  • Sample

    241121-y565ha1ngl

  • MD5

    02d6a3b0f8437d346e9ac47c6e3c30db

  • SHA1

    6185990c7684ff45314341d2e8755bb165533308

  • SHA256

    a731201c494158fd9f3b137b67db02ad541ff8faff0f4b26d66d5234027abb60

  • SHA512

    f19c3652089ae32df42e1b2a04a0b6c56054c03d2c7997e9a81f5eb7f645ee9d64036e70e654086519d1dc200ae126a7877e0033d9568ab408be440d95e90373

  • SSDEEP

    12288:iq/y4yBO3/Zeis3jdciLS12l2SAWg9udOYOI5tw5fpDgg3u5JT:4z3jd3qpudOOChDggKJT

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    ohi3

  • Decoy

    itaewonbrunchbar.com
    spectrosam.com
    vanita-bavaria.net
    kovrikydoma.store
    tilthespire.com
    aichuanghuan.com
    healingyourbodynaturally.com
    1790thirdavenue.com
    zollogistics.com
    inden-shop.com
    fmhra.online
    blenbigs.com
    ofedward.com
    efootball2021-eventpesmob.com
    sutas-tr.com
    ampersandcraftsuk.com
    roofingcompaniestampa247.com
    whwkjmhy4f.com
    gngifts.com
    bellezamarket.store

Targets

    • Target

      DOC09178236_20210922.exe

    • Size

      734KB

    • MD5

      38cb740b60d846d2a14a49021a10e164

    • SHA1

      6d1b170fb830773cb750944938f2ada14499fd07

    • SHA256

      d27692420e58cdd646e9a5bd19618387395ee4bc63d10bbe14fe3548e4546889

    • SHA512

      4a4a8f86e7fe559771d401766b4df2f9e194f670222156330f150d72677b92b353d27d8ab43aadd0facae1babc3603bf78bb6e714be559cd9e56294384bbc1ce

    • SSDEEP

      12288:hCmtiK5oKB2GisSjdcBL91Wl2sAzx9u7OSOI5ow5fpvgy2k:M+Fo62oSjd0nJw7OVChvgy2

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader family

    • Xloader payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks