Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

0cbaefa900...b1.exe

windows7-x64

10

0cbaefa900...b1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/12/2024, 12:00 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0cbaefa900f08c2844a65456c26385770ba32ecfdfe4ad1e774aa63538b5d2b1.exe

  • Size

    838KB

  • MD5

    103834076a9658b0ba07bf9c9232adf1

  • SHA1

    15f34d001fb89348ec3f81b7e8586c6145f019e9

  • SHA256

    0cbaefa900f08c2844a65456c26385770ba32ecfdfe4ad1e774aa63538b5d2b1

  • SHA512

    ba7452f4937c72f4ef4758d987905c9e45f092ce454857c55b9946768571505c8e42668c7d115169f75d5b82fadc15b08921efbffa1c3566039081760714b306

  • SSDEEP

    12288:qdoKggb2iNdvpc++AWUsci/n0K947D/G91k0MuXAzHBaUe0DkgYrRM2TgN/0s:6oKgK1XpSRUUjK/u7Mua27gi

Score
10/10
formbookp94adiscoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p94a

Decoy

wishgrove.com

parqueveiculos.com

spiderwebs.online

chulkanadham.com

cdtuan.net

zxazm.com

payment6528832.xyz

fengtaiol.com

bffsmovie.com

aliceseagerfitness.com

garisluruskonsulindo.website

analytical-gutter.net

ahcq8.com

fenyoga.com

ecleptic.cat

conjurecrafts.com

aquaway.date

apenpokkenschoonmaakbedrijf.com

zgramr.top

boweknives.site

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Formbook payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0cbaefa900f08c2844a65456c26385770ba32ecfdfe4ad1e774aa63538b5d2b1.exe
    "C:\Users\Admin\AppData\Local\Temp\0cbaefa900f08c2844a65456c26385770ba32ecfdfe4ad1e774aa63538b5d2b1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2968
    • C:\Users\Admin\AppData\Local\Temp\0cbaefa900f08c2844a65456c26385770ba32ecfdfe4ad1e774aa63538b5d2b1.exe
      "C:\Users\Admin\AppData\Local\Temp\0cbaefa900f08c2844a65456c26385770ba32ecfdfe4ad1e774aa63538b5d2b1.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1264

Network

  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    71.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    71.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    15.164.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.164.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    134.130.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    134.130.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    71.159.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    71.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    15.164.165.52.in-addr.arpa
    dns
    72 B
     146 B
     1
    1

    DNS Request

    15.164.165.52.in-addr.arpa

  • 8.8.8.8:53
    134.130.81.91.in-addr.arpa
    dns
    72 B
     147 B
     1
    1

    DNS Request

    134.130.81.91.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1264-14-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1264-18-0x00000000013A0000-0x00000000016EA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1264-17-0x00000000013A0000-0x00000000016EA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2968-8-0x0000000074D80000-0x0000000075530000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2968-10-0x0000000007290000-0x0000000007306000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2968-5-0x0000000005550000-0x000000000555A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2968-6-0x0000000005A80000-0x0000000005AA4000-memory.dmp

    Filesize

    144KB

    Download

  • memory/2968-7-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2968-0-0x0000000074D8E000-0x0000000074D8F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2968-9-0x00000000070F0000-0x00000000070FC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2968-4-0x0000000074D80000-0x0000000075530000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2968-11-0x00000000073B0000-0x000000000744C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2968-12-0x0000000007450000-0x00000000074B6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2968-13-0x0000000007340000-0x0000000007376000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2968-3-0x00000000055B0000-0x0000000005642000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2968-16-0x0000000074D80000-0x0000000075530000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2968-2-0x0000000005AC0000-0x0000000006064000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2968-1-0x0000000000A70000-0x0000000000B48000-memory.dmp

    Filesize

    864KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.