Malware Analysis Report

2025-01-18 04:25

Sample ID 231207-ybq67agc3x
Target e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe
SHA256 e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53
Tags
blackmoon quasar office04 banker spyware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53

Threat Level: Known bad

The file e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe was found to be: Known bad.

Malicious Activity Summary

blackmoon quasar office04 banker spyware trojan upx

Blackmoon, KrBanker

Quasar payload

Quasar RAT

Detect Blackmoon payload

Quasar family

Executes dropped EXE

Loads dropped DLL

UPX packed file

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-12-07 19:36

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-07 19:36

Reported

2023-12-07 19:39

Platform

win7-20231023-en

Max time kernel

142s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1580 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 2384 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2384 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2384 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2384 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2968 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
PID 2968 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
PID 2968 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
PID 2968 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe

"C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\\Client-built.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

C:\Users\Admin\AppData\Local\Temp\\Client-built.exe

C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

Network

Country Destination Domain Proto
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp

Files

memory/1580-0-0x0000000000400000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

MD5 97c8fe752e354b2945e4c593a87e4a8b
SHA1 03ab4c91535ecf14b13e0258f3a7be459a7957f9
SHA256 820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead
SHA512 af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

\Users\Admin\AppData\Local\Temp\E_4\shell.fne

MD5 d63851f89c7ad4615565ca300e8b8e27
SHA1 1c9a6c1ce94581f85be0e99e2d370384b959578f
SHA256 0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d
SHA512 623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

memory/1580-6-0x0000000000300000-0x0000000000314000-memory.dmp

memory/1580-10-0x0000000000400000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

MD5 90f02d102a066c61308c4007f7381349
SHA1 e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256 c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512 e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

\Users\Admin\AppData\Local\Temp\Client-built.exe

MD5 4581d8db596f027233f51dab3764d4b4
SHA1 b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b
SHA256 5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05
SHA512 6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

MD5 90f02d102a066c61308c4007f7381349
SHA1 e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256 c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512 e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

memory/2968-15-0x0000000000160000-0x0000000000197000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

MD5 4581d8db596f027233f51dab3764d4b4
SHA1 b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b
SHA256 5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05
SHA512 6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

MD5 4581d8db596f027233f51dab3764d4b4
SHA1 b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b
SHA256 5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05
SHA512 6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

MD5 90f02d102a066c61308c4007f7381349
SHA1 e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256 c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512 e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

memory/2968-19-0x0000000000160000-0x0000000000197000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

MD5 90f02d102a066c61308c4007f7381349
SHA1 e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256 c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512 e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

memory/2612-21-0x0000000000180000-0x00000000004A4000-memory.dmp

memory/2612-22-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/2612-23-0x0000000000940000-0x00000000009C0000-memory.dmp

memory/2624-24-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2968-25-0x0000000000160000-0x0000000000197000-memory.dmp

memory/2612-27-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

memory/2612-28-0x0000000000940000-0x00000000009C0000-memory.dmp

memory/2624-33-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2624-40-0x0000000000400000-0x0000000000437000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-07 19:36

Reported

2023-12-07 19:39

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe"

Signatures

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4020 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 4020 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe C:\Windows\SysWOW64\cmd.exe
PID 3736 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
PID 3736 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
PID 3736 wrote to memory of 2168 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
PID 2128 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe
PID 2128 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Client-built.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe

"C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\\Client-built.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

C:\Users\Admin\AppData\Local\Temp\\Client-built.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 186.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 226.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
JP 106.160.59.123:5468 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 80.127.58.23.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
JP 106.160.59.123:5468 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
JP 106.160.59.123:5468 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
JP 106.160.59.123:5468 tcp
JP 106.160.59.123:5468 tcp
US 8.8.8.8:53 3.17.178.52.in-addr.arpa udp
JP 106.160.59.123:5468 tcp

Files

memory/4020-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

MD5 97c8fe752e354b2945e4c593a87e4a8b
SHA1 03ab4c91535ecf14b13e0258f3a7be459a7957f9
SHA256 820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead
SHA512 af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

MD5 d63851f89c7ad4615565ca300e8b8e27
SHA1 1c9a6c1ce94581f85be0e99e2d370384b959578f
SHA256 0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d
SHA512 623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

memory/4020-9-0x00000000021C0000-0x00000000021D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

MD5 d63851f89c7ad4615565ca300e8b8e27
SHA1 1c9a6c1ce94581f85be0e99e2d370384b959578f
SHA256 0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d
SHA512 623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

MD5 90f02d102a066c61308c4007f7381349
SHA1 e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256 c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512 e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

memory/2168-16-0x0000000000400000-0x0000000000437000-memory.dmp

memory/4020-17-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

MD5 4581d8db596f027233f51dab3764d4b4
SHA1 b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b
SHA256 5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05
SHA512 6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

MD5 4581d8db596f027233f51dab3764d4b4
SHA1 b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b
SHA256 5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05
SHA512 6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

MD5 90f02d102a066c61308c4007f7381349
SHA1 e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09
SHA256 c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4
SHA512 e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

memory/1460-22-0x0000000000150000-0x0000000000474000-memory.dmp

memory/1460-23-0x00007FFE93A60000-0x00007FFE94521000-memory.dmp

memory/1460-24-0x000000001B2D0000-0x000000001B2E0000-memory.dmp

memory/1460-25-0x000000001B0E0000-0x000000001B130000-memory.dmp

memory/2168-26-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1460-27-0x000000001B5A0000-0x000000001B652000-memory.dmp

memory/1460-29-0x00007FFE93A60000-0x00007FFE94521000-memory.dmp

memory/1460-30-0x000000001B2D0000-0x000000001B2E0000-memory.dmp

memory/2168-34-0x0000000000400000-0x0000000000437000-memory.dmp