General

  • Target

    1a8405145d24e58e084622d9555adc31a48d6bb4e0b936cd39e5e1f2d0c01e41.exe

  • Size

    3.4MB

  • Sample

    241226-pjqqysvrgq

  • MD5

    bf3f8fc2bb8adbba37f1aa607f3c5b29

  • SHA1

    4c6f7a6d90877d0d235c3f702b572d2efa1fb761

  • SHA256

    1a8405145d24e58e084622d9555adc31a48d6bb4e0b936cd39e5e1f2d0c01e41

  • SHA512

    3040f6512202102e602c0ffd4d1523aa0d948fb8119d9d5fa54644957e3888c1a1083abefc0b42e396bf043ea2e93afbb1fcbfd242cdf2117582d046c7ffb977

  • SSDEEP

    49152:9bYwIkppisrPa0PsK+JLdIunIuycK+JLrE48Z5IjrqY8/wZ8VJ9y9EU:yciKsK+JLdIu9K+JLI48Z5IjrqVJy9x

Malware Config

Targets

    • Blackmoon family

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • UAC bypass

    • Adds policy Run key to start application

    • Disables RegEdit via registry modification

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops autorun.inf file

      Malware can abuse Windows Autorun to spread further via attached volumes.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks