Analysis

  • max time kernel
    299s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/03/2025, 01:15

General

  • Target

    1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe

  • Size

    436KB

  • MD5

    b2f6b9e3c10c59c3f0979f4c9b67c8ec

  • SHA1

    ae228cc40ec62a7a83fd4a5426462069e1bc40cf

  • SHA256

    1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8

  • SHA512

    a8ce45f33739726f25170d05fade6ecbcae9ecb13c4e4203b3fc75ad6c1cfedda812b90ddd1508b77b00618256f0e607eb91d4d11c32340e6dc545aed0a83852

  • SSDEEP

    3072:q0mx45LFnq9qDAuSbAXVkQUQ9oPfz0c0uxNUIqTkHoYCDfxj4/0/yjUuMx8kl:q0m2FqgDAuSbAXKfz0c0sUIJHk40/yWp

Malware Config

Extracted

Family

qqpass

C2

http://lol.qq.com/act/a20141212poroking/index.htm?atm_cl=ctips&atm_pos=1257?ADTAG=media.innerenter.client.jump

Attributes
  • url

    http://i2.tietuku.com/ebdef15df1128b31.png

  • user_agent

    Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • QQpass

    QQpass is a trojan written in C++.

  • Qqpass family
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe
    "C:\Users\Admin\AppData\Local\Temp\1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\Syslemqbabm.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemqbabm.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    102B

    MD5

    cce0d6b6190cf17c199f4ddef9e1afb9

    SHA1

    7d1273eea354687bfeff833aea8b4f8857edaa15

    SHA256

    b093cf107c6f45018213fa6b684c3a70cdc3b1c74ba9eea1d5d53549ae7efd77

    SHA512

    d0d5cead8834e418ccc787ea74a7e80ec2328d630996b561617534a47c48d3c5ce780f137ee9879b766a8ba3323e6fea4769760fd1458f3f652cb9eef56b5436

  • \Users\Admin\AppData\Local\Temp\Syslemqbabm.exe

    Filesize

    436KB

    MD5

    8e88d22eefbc2978d31c4ec6dfcd27fe

    SHA1

    02ae735d5435acc81590b06471871a1287c9196f

    SHA256

    477807543d0dd87133417efba1b483a972334ea34056ba537ddb139ef271a236

    SHA512

    55398bba82d486fde840208b24311e8073ad136ab0bc323228d01df9cd95abfbe05c5e867dfa50b9338f0fedfc0e8fc123969b9f53ad1e442d922408277352dc
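The following Python is an added example, not part of the tria.ge report and not sandbox code. It turns the Signatures, Processes and Downloads sections into checks you can run against your own telemetry: it matches file hashes against the three SHA-256 values above, flags the drop, execute, self-delete chain in %TEMP% that the process tree shows (sample PID 2364 writes Syslemqbabm.exe, child PID 2896 runs and then deletes it) over constructed Sysmon-style events, and picks out HTTP requests carrying the extracted User-Agent token or the tietuku.com payload URL. The event layout, the benign noise events and the proxy log lines are constructed for the example. One caveat when turning this config into blocks: the C2 field points at a page on lol.qq.com, a Tencent-owned domain, so a hostname block there would be noisy; the image URL and the User-Agent string are the more specific indicators.

```python
"""IOC matching built from the tria.ge report above (added example, not tria.ge code).

Constructed Sysmon-style events (IDs 1 = process create, 11 = file create,
23 = file delete) model the report's process tree: the sample in %TEMP% drops
Syslemqbabm.exe, runs it, and the child deletes itself ("Deletes itself",
ATT&CK T1070.004 Indicator Removal: File Deletion).
"""
import hashlib
import re
from dataclasses import dataclass

# SHA-256 values copied from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8": "qqpass sample",
    "477807543d0dd87133417efba1b483a972334ea34056ba537ddb139ef271a236": "Syslemqbabm.exe (dropped)",
    "b093cf107c6f45018213fa6b684c3a70cdc3b1c74ba9eea1d5d53549ae7efd77": "lpath.ini (dropped)",
}

# Network indicators from the Malware Config section. "125LA" is the
# non-standard token inside the extracted User-Agent string.
USER_AGENT_MARKER = "125LA"
PAYLOAD_URL = "http://i2.tietuku.com/ebdef15df1128b31.png"

# Any .exe directly under a user's %TEMP% directory.
TEMP_EXE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)


@dataclass
class Event:
    event_id: int           # Sysmon event ID
    pid: int                # acting process (event 1: the new process)
    image: str              # acting process image (event 1: the new image)
    target: str = ""        # file path for events 11 / 23
    parent_image: str = ""  # parent image for event 1


def sha256_file(path: str) -> str:
    """SHA-256 of a file on disk, read in chunks so large samples are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(observed: dict[str, str]) -> dict[str, str]:
    """Map path -> report label for every observed path whose SHA-256 is in the report."""
    return {p: KNOWN_SHA256[h.lower()] for p, h in observed.items() if h.lower() in KNOWN_SHA256}


def temp_dropper_chain(events: list[Event]) -> list[dict]:
    """Flag: a %TEMP% exe writes a second %TEMP% exe, spawns it, and that child
    then deletes a %TEMP% exe (itself or its dropper)."""
    dropped: dict[str, int] = {}   # dropped exe path (lowercased) -> dropper pid
    spawned: dict[int, str] = {}   # child pid -> dropped exe path
    findings = []
    for ev in events:
        if ev.event_id == 11 and TEMP_EXE.match(ev.image) and TEMP_EXE.match(ev.target):
            dropped[ev.target.lower()] = ev.pid
        elif ev.event_id == 1 and ev.image.lower() in dropped and TEMP_EXE.match(ev.parent_image):
            spawned[ev.pid] = ev.image.lower()
        elif ev.event_id == 23 and ev.pid in spawned and TEMP_EXE.match(ev.target):
            findings.append({"dropper_pid": dropped[spawned[ev.pid]], "child_pid": ev.pid,
                             "dropped": spawned[ev.pid], "deleted": ev.target.lower()})
    return findings


def suspicious_http(log_lines: list[str]) -> list[str]:
    """Proxy log lines that carry the extracted User-Agent token or fetch the payload URL."""
    return [ln for ln in log_lines if USER_AGENT_MARKER in ln or PAYLOAD_URL in ln]


# --- constructed sample telemetry mirroring the report (PIDs taken from the process tree) ---
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1890c78a3c93a98b369c10f6f3cd2de069d9ab456172b732a890c52a5546f3c8.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\Syslemqbabm.exe"
EVENTS = [
    Event(11, 2364, SAMPLE, target=r"C:\Users\Admin\AppData\Local\Temp\lpath.ini"),
    Event(11, 2364, SAMPLE, target=DROPPED),
    Event(1, 2896, DROPPED, parent_image=SAMPLE),
    Event(23, 2896, DROPPED, target=DROPPED),
    # benign noise: an installer in %TEMP% spawns a helper that never self-deletes
    Event(11, 4001, r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
          target=r"C:\Users\Admin\AppData\Local\Temp\helper.exe"),
    Event(1, 4002, r"C:\Users\Admin\AppData\Local\Temp\helper.exe",
          parent_image=r"C:\Users\Admin\AppData\Local\Temp\setup.exe"),
]
PROXY_LINES = [  # constructed proxy log lines
    '10.0.0.5 GET http://i2.tietuku.com/ebdef15df1128b31.png "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727)"',
    '10.0.0.7 GET https://www.example.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    print(temp_dropper_chain(EVENTS))
    print(match_hashes({DROPPED: "477807543d0dd87133417efba1b483a972334ea34056ba537ddb139ef271a236"}))
    print(suspicious_http(PROXY_LINES))
```

The chain rule deliberately waits for the file-delete event before it fires, so an ordinary installer that unpacks and runs a helper from %TEMP% (the noise events) does not match; if your EDR does not emit file-delete events, the drop-and-spawn half alone is still a useful hunting query, just expect more hits.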