Analysis

  • max time kernel
    300s
  • max time network
    214s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20250314-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    18/03/2025, 03:35

General

  • Target

    4e41422bb2b4d06ee9d73a82ddb4bb23d2a57d76f4a04d8fae29293ec3a309e1.exe

  • Size

    366KB

  • MD5

    355d2ded45a14353d8f45b36d2ba98ee

  • SHA1

    caefd74e1104c5f5ffa0d375c043b5974195692c

  • SHA256

    4e41422bb2b4d06ee9d73a82ddb4bb23d2a57d76f4a04d8fae29293ec3a309e1

  • SHA512

    d0f239398b6f33c38d158603ed558ac9f78bd605e04c76835cfbf96299022989c0a7401218a0332c7ac9b74e1dd9b4c6dcc31f342465994b82aad098fa6ca580

  • SSDEEP

    6144:BSfSHl+gv5gY1F53Aul/Egv4+E6qnwEGvIkJ7G9P1w:B2SHl+gv5gY1b5Eo4+EsEEIkJ7G9P1w

Malware Config

Signatures

  • Blackmoon family
  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e41422bb2b4d06ee9d73a82ddb4bb23d2a57d76f4a04d8fae29293ec3a309e1.exe
    "C:\Users\Admin\AppData\Local\Temp\4e41422bb2b4d06ee9d73a82ddb4bb23d2a57d76f4a04d8fae29293ec3a309e1.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4184
    • C:\Users\Admin\AppData\Local\Temp\Syslemybnsb.exe
      "C:\Users\Admin\AppData\Local\Temp\Syslemybnsb.exe"
      2⤵
      • Deletes itself
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4892
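The process tree above shows the pattern worth detecting independently of file hashes: an executable running from the user's Temp directory writes a second executable into the same directory, starts it, and that second binary is later deleted. The following is an added example, not part of the tria.ge report or of the sample: a small detector run over constructed Sysmon-style events (ProcessCreate, FileCreate, FileDelete) hand-written to mirror the tree shown here. The parent PID of explorer.exe, the cmd.exe that performs the delete, and the benign notepad.exe event are assumptions added for illustration.

```python
import re
from collections import defaultdict

# Matches %LOCALAPPDATA%\Temp for any user profile.
USER_TEMP = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)

TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"
PARENT = TEMP_DIR + r"\4e41422bb2b4d06ee9d73a82ddb4bb23d2a57d76f4a04d8fae29293ec3a309e1.exe"
CHILD = TEMP_DIR + r"\Syslemybnsb.exe"

# Constructed Sysmon-style events (EventID 1 = ProcessCreate, 11 = FileCreate,
# 23 = FileDelete). Hand-written to mirror the report's process tree; not
# exported from the sandbox. PIDs 3300, 5120, 6000 are made up.
EVENTS = [
    {"EventID": 1, "ProcessId": 4184, "ParentProcessId": 3300,
     "Image": PARENT, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 11, "ProcessId": 4184, "Image": PARENT, "TargetFilename": CHILD},
    {"EventID": 11, "ProcessId": 4184, "Image": PARENT,
     "TargetFilename": TEMP_DIR + r"\lpath.ini"},
    {"EventID": 1, "ProcessId": 4892, "ParentProcessId": 4184,
     "Image": CHILD, "ParentImage": PARENT},
    # Self-delete modelled as a cmd.exe child removing the payload (assumption:
    # the report only says "Deletes itself", not how).
    {"EventID": 23, "ProcessId": 5120, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": CHILD},
    # Benign noise that must not be flagged.
    {"EventID": 1, "ProcessId": 6000, "ParentProcessId": 3300,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]


def in_user_temp(path):
    """True if path is inside a user's AppData\\Local\\Temp directory."""
    return bool(USER_TEMP.match(path))


def find_temp_drop_and_execute(events):
    """Return one finding per process started from a user Temp directory by a
    parent that also runs from a user Temp directory. Each finding records
    whether the parent wrote the child's image (drop) and whether that image
    was later deleted (self-delete). Event order is ignored for simplicity."""
    created_by = defaultdict(set)   # file path (lowercased) -> pids that wrote it
    deleted = set()                 # file paths (lowercased) that were deleted
    for ev in events:
        if ev["EventID"] == 11:
            created_by[ev["TargetFilename"].lower()].add(ev["ProcessId"])
        elif ev["EventID"] == 23:
            deleted.add(ev["TargetFilename"].lower())

    findings = []
    for ev in events:
        if ev["EventID"] != 1:
            continue
        if not (in_user_temp(ev["Image"]) and in_user_temp(ev["ParentImage"])):
            continue
        image = ev["Image"].lower()
        findings.append({
            "parent_pid": ev["ParentProcessId"],
            "child_pid": ev["ProcessId"],
            "child_image": ev["Image"],
            "dropped_by_parent": ev["ParentProcessId"] in created_by.get(image, set()),
            "self_deleted": image in deleted,
        })
    return findings


if __name__ == "__main__":
    for finding in find_temp_drop_and_execute(EVENTS):
        print(finding)
```

A production rule should additionally require the FileCreate to precede the ProcessCreate and should key on the deleting process's lineage, since the report does not state which process removes Syslemybnsb.exe.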

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Syslemybnsb.exe

    Filesize

    366KB

    MD5

    bd6e73bad7ea33494f945d8523791417

    SHA1

    56fccb460b1c356c9b6b17695a6984d69767ab2b

    SHA256

    9e393d0d6c48e967d5c2df408640135002198da8fcdb1a48ec9ea7ca4f0fcec1

    SHA512

    a84de8a85e3fc29337a0b9abc1d3bacc01dd9dfde3572fd164f3b25065f6805afcf5936ebc729275c6d94992db95184f4b021b8cb248e62e8d17101bd75eeb28

  • C:\Users\Admin\AppData\Local\Temp\lpath.ini

    Filesize

    102B

    MD5

    039e2e82d3f5b880f6e375c8501dfd05

    SHA1

    4a7034365c968f40f105004af27c957f90af0536

    SHA256

    c3af00f04ce5844b8a5d1dc164b54ff6e13aa59897cf90afecac745c68c645fa

    SHA512

    3a09257f070bb5e19783e6cc2e79e1a6a11f542c569b374663777ed69bcb0b643f3d5b1cc96d5ee0df9e62c9bac6d74a41a028e6ff47568a4656165041a8080a
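The digests listed in the General and Downloads sections are the report's file-based indicators. The following is an added example, not part of the tria.ge report: a Python sweep that hashes every file under a directory and matches MD5, SHA1 and SHA256 against those indicators (SHA512 values are omitted only for brevity). The default sweep root of %LOCALAPPDATA%\Temp and the IoC labels in parentheses are assumptions for illustration.

```python
import hashlib
import os
import sys

# IoCs transcribed from this report's General and Downloads sections.
# The parenthesised role labels are added here, not taken from the report.
IOCS = [
    ("4e41422bb2b4d06ee9d73a82ddb4bb23d2a57d76f4a04d8fae29293ec3a309e1.exe (initial dropper)",
     {"md5": "355d2ded45a14353d8f45b36d2ba98ee",
      "sha1": "caefd74e1104c5f5ffa0d375c043b5974195692c",
      "sha256": "4e41422bb2b4d06ee9d73a82ddb4bb23d2a57d76f4a04d8fae29293ec3a309e1"}),
    ("Syslemybnsb.exe (dropped payload)",
     {"md5": "bd6e73bad7ea33494f945d8523791417",
      "sha1": "56fccb460b1c356c9b6b17695a6984d69767ab2b",
      "sha256": "9e393d0d6c48e967d5c2df408640135002198da8fcdb1a48ec9ea7ca4f0fcec1"}),
    ("lpath.ini (dropped config)",
     {"md5": "039e2e82d3f5b880f6e375c8501dfd05",
      "sha1": "4a7034365c968f40f105004af27c957f90af0536",
      "sha256": "c3af00f04ce5844b8a5d1dc164b54ff6e13aa59897cf90afecac745c68c645fa"}),
]

ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Digest an in-memory blob with every algorithm in ALGOS."""
    return {a: hashlib.new(a, data).hexdigest() for a in ALGOS}


def hash_file(path, chunk=1 << 20):
    """Digest a file in 1 MiB chunks so large files do not load into memory."""
    hs = {a: hashlib.new(a) for a in ALGOS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hs.items()}


def lookup(digests, iocs=IOCS):
    """Return [(ioc_name, algorithm)] for every IoC digest that matches."""
    hits = []
    for name, known in iocs:
        for algo, value in known.items():
            if digests.get(algo, "").lower() == value:
                hits.append((name, algo))
    return hits


def sweep(root, iocs=IOCS):
    """Walk root and return {path: hits} for files matching any IoC."""
    matches = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                hits = lookup(hash_file(path), iocs)
            except OSError:
                continue  # locked, vanished, or unreadable; keep sweeping
            if hits:
                matches[path] = hits
    return matches


if __name__ == "__main__":
    # Assumed default: the Temp directory the report shows both binaries in.
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expandvars(r"%LOCALAPPDATA%\Temp")
    for path, hits in sweep(root).items():
        print(path, hits)
```

Note the caveat the report itself demonstrates: the dropped Syslemybnsb.exe is the same size as the initial sample (366KB) but has entirely different digests, so exact-hash indicators catch only this build and its on-disk copy. Pair them with the behavioural pattern in the process tree rather than relying on hashes alone.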