Malware Analysis Report

2025-01-18 04:27

Sample ID 231206-lvgqmsde29
Target CF3E191984D67CC23E9801C1F34AEF0C.exe
SHA256 e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53
Tags
quasar blackmoon office04 banker spyware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53

Threat Level: Known bad

The file CF3E191984D67CC23E9801C1F34AEF0C.exe was found to be: Known bad.

Malicious Activity Summary

quasar blackmoon office04 banker spyware trojan upx

Quasar payload

Detect Blackmoon payload

Quasar family

Quasar RAT

Blackmoon, KrBanker

Loads dropped DLL

UPX packed file

Executes dropped EXE

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-06 09:51

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-06 09:51

Reported

2023-12-06 09:53

Platform

win7-20231020-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1364 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 1364 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 2416 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2416 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2416 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2416 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2388 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
PID 2388 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
PID 2388 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
PID 2388 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe

"C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\\Client-built.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

C:\Users\Admin\AppData\Local\Temp\\Client-built.exe

Network

Country Destination Domain Proto
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp

Files

memory/1364-0-0x0000000000400000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

MD5 97c8fe752e354b2945e4c593a87e4a8b
SHA1 03ab4c91535ecf14b13e0258f3a7be459a7957f9
SHA256 820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead
SHA512 af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

memory/1364-6-0x0000000000220000-0x0000000000234000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_4\shell.fne

MD5 d63851f89c7ad4615565ca300e8b8e27
SHA1 1c9a6c1ce94581f85be0e99e2d370384b959578f
SHA256 0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d
SHA512 623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

memory/1364-10-0x0000000000400000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

MD5 90f02d102a066c61308c4007f7381349
SHA1 e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256 c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512 e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

\Users\Admin\AppData\Local\Temp\Client-built.exe

MD5 4581d8db596f027233f51dab3764d4b4
SHA1 b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b
SHA256 5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05
SHA512 6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

memory/2388-14-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

MD5 90f02d102a066c61308c4007f7381349
SHA1 e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256 c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512 e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

MD5 90f02d102a066c61308c4007f7381349
SHA1 e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256 c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512 e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

MD5 90f02d102a066c61308c4007f7381349
SHA1 e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256 c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512 e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

MD5 4581d8db596f027233f51dab3764d4b4
SHA1 b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b
SHA256 5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05
SHA512 6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

MD5 4581d8db596f027233f51dab3764d4b4
SHA1 b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b
SHA256 5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05
SHA512 6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

memory/2820-20-0x0000000001170000-0x0000000001494000-memory.dmp

memory/2820-21-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

memory/2820-22-0x000000001B200000-0x000000001B280000-memory.dmp

memory/2808-23-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2820-25-0x000007FEF58D0000-0x000007FEF62BC000-memory.dmp

memory/2820-26-0x000000001B200000-0x000000001B280000-memory.dmp

memory/2808-32-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2808-37-0x0000000000400000-0x0000000000437000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-06 09:51

Reported

2023-12-06 09:53

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4488 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 4488 wrote to memory of 3092 N/A C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
PID 3092 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
PID 3092 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
PID 3864 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 3864 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe

"C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\\Client-built.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

C:\Users\Admin\AppData\Local\Temp\\Client-built.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 67.175.53.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
JP 106.160.59.123:5468 tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 123.59.160.106.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

memory/4488-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

MD5 97c8fe752e354b2945e4c593a87e4a8b
SHA1 03ab4c91535ecf14b13e0258f3a7be459a7957f9
SHA256 820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead
SHA512 af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

MD5 d63851f89c7ad4615565ca300e8b8e27
SHA1 1c9a6c1ce94581f85be0e99e2d370384b959578f
SHA256 0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d
SHA512 623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

memory/4488-9-0x0000000002320000-0x0000000002334000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

MD5 d63851f89c7ad4615565ca300e8b8e27
SHA1 1c9a6c1ce94581f85be0e99e2d370384b959578f
SHA256 0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d
SHA512 623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

memory/4488-14-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

MD5 90f02d102a066c61308c4007f7381349
SHA1 e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256 c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512 e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

MD5 4581d8db596f027233f51dab3764d4b4
SHA1 b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b
SHA256 5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05
SHA512 6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

MD5 4581d8db596f027233f51dab3764d4b4
SHA1 b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b
SHA256 5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05
SHA512 6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

memory/1908-18-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4248-21-0x0000000000650000-0x0000000000974000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

MD5 90f02d102a066c61308c4007f7381349
SHA1 e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256 c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512 e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

memory/4248-23-0x00007FFF78C10000-0x00007FFF796D1000-memory.dmp

memory/4248-24-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

memory/4248-25-0x000000001B940000-0x000000001B990000-memory.dmp

memory/4248-26-0x000000001BA50000-0x000000001BB02000-memory.dmp

memory/4248-29-0x000000001B910000-0x000000001B922000-memory.dmp

memory/4248-30-0x000000001B9D0000-0x000000001BA0C000-memory.dmp

memory/1908-31-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4248-33-0x00007FFF78C10000-0x00007FFF796D1000-memory.dmp

memory/4248-34-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

memory/1908-39-0x0000000000400000-0x0000000000437000-memory.dmp