Overview

overview

10

Static

static

857e38c608...ff.exe

windows7_x64

10

857e38c608...ff.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294194s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    12-03-2022 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe

  • Size

    401KB

  • MD5

    e514b9b328bcebbfafc9a9f9bded8324

  • SHA1

    45e608a882de0a203ddde9ff5efa2b79ca48350c

  • SHA256

    857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff

  • SHA512

    548698b0f45b5e080ea7a9903f51399290c11f9f31e3633351d48304ddba5363a1065a8f32114db124963827e902558cdab4f0ca9ca26b4ba118e46b16b4a703

Score
10/10
quasarzenoxpuspywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.0

Botnet

ZenoXpu

C2

185.153.222.198:7845

Mutex

HIFbOBRX8hIfqiy4wu

Attributes
  • encryption_key

    DQXvqTzM5uyODUsZK174

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar Payload 5 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
    "C:\Users\Admin\AppData\Local\Temp\857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
      C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
      2⤵
      • Executes dropped EXE
      PID:1612
    • C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
      C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1984

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
    MD5

    1e98e92a982af948ee18ee819a2d8ad1

    SHA1

    6cb0bd87815118351e5e32c50b434079dfba255c

    SHA256

    235d3f96a78ce2dad584e6eb1a25fc386b3ae5e332c4d3c56f03b0a4978be778

    SHA512

    6711de2e00462c49852cee03fd8ef720310c4ffa5b3a653c08f2913a6146974f28b8a3b3ff38b3097310852a5aa3b964b77945bcefef3856911eb9acd0e42c6f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
    MD5

    1e98e92a982af948ee18ee819a2d8ad1

    SHA1

    6cb0bd87815118351e5e32c50b434079dfba255c

    SHA256

    235d3f96a78ce2dad584e6eb1a25fc386b3ae5e332c4d3c56f03b0a4978be778

    SHA512

    6711de2e00462c49852cee03fd8ef720310c4ffa5b3a653c08f2913a6146974f28b8a3b3ff38b3097310852a5aa3b964b77945bcefef3856911eb9acd0e42c6f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
    MD5

    1e98e92a982af948ee18ee819a2d8ad1

    SHA1

    6cb0bd87815118351e5e32c50b434079dfba255c

    SHA256

    235d3f96a78ce2dad584e6eb1a25fc386b3ae5e332c4d3c56f03b0a4978be778

    SHA512

    6711de2e00462c49852cee03fd8ef720310c4ffa5b3a653c08f2913a6146974f28b8a3b3ff38b3097310852a5aa3b964b77945bcefef3856911eb9acd0e42c6f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
    MD5

    1e98e92a982af948ee18ee819a2d8ad1

    SHA1

    6cb0bd87815118351e5e32c50b434079dfba255c

    SHA256

    235d3f96a78ce2dad584e6eb1a25fc386b3ae5e332c4d3c56f03b0a4978be778

    SHA512

    6711de2e00462c49852cee03fd8ef720310c4ffa5b3a653c08f2913a6146974f28b8a3b3ff38b3097310852a5aa3b964b77945bcefef3856911eb9acd0e42c6f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
    MD5

    1e98e92a982af948ee18ee819a2d8ad1

    SHA1

    6cb0bd87815118351e5e32c50b434079dfba255c

    SHA256

    235d3f96a78ce2dad584e6eb1a25fc386b3ae5e332c4d3c56f03b0a4978be778

    SHA512

    6711de2e00462c49852cee03fd8ef720310c4ffa5b3a653c08f2913a6146974f28b8a3b3ff38b3097310852a5aa3b964b77945bcefef3856911eb9acd0e42c6f

    Download Submit

  • memory/1336-55-0x0000000074170000-0x000000007485E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1336-56-0x0000000000500000-0x0000000000508000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1336-57-0x00000000048B0000-0x00000000048B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1336-58-0x00000000006F0000-0x000000000072C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1336-54-0x0000000000F30000-0x0000000000F9A000-memory.dmp

    Filesize

    424KB

    Download

  • memory/1984-62-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1984-68-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1984-70-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1984-66-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1984-75-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1984-73-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1984-64-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1984-77-0x0000000074170000-0x000000007485E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1984-78-0x0000000002180000-0x0000000002181000-memory.dmp

    Filesize

    4KB

    Download