Analysis

max time kernel: 135s
max time network: 165s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 12-03-2022 17:27

Static task: static1

Behavioral task: behavioral1
Sample: 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
Resource: win7-20220311-en

Behavioral task: behavioral2
Sample: 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
Resource: win10v2004-en-20220113
General

Target: 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
Size: 401KB
MD5: e514b9b328bcebbfafc9a9f9bded8324
SHA1: 45e608a882de0a203ddde9ff5efa2b79ca48350c
SHA256: 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff
SHA512: 548698b0f45b5e080ea7a9903f51399290c11f9f31e3633351d48304ddba5363a1065a8f32114db124963827e902558cdab4f0ca9ca26b4ba118e46b16b4a703
Malware Config

Extracted:
quasar
3.0
ZenoXpu
185.153.222.198:7845
HIFbOBRX8hIfqiy4wu
encryption_key: DQXvqTzM5uyODUsZK174
install_name: Client.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: Quasar Client Startup
subdirectory: SubDir
Signatures

Quasar Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/2932-136-0x0000000000400000-0x000000000044E000-memory.dmp | family_quasar
behavioral2/memory/2932-142-0x0000000005600000-0x0000000005BA4000-memory.dmp | family_quasar

RevengeRAT
Remote-access trojan with a wide range of capabilities.

Executes dropped EXE (2 IoCs)
pid | process
772 | aspnet_compiler.exe
2932 | aspnet_compiler.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
33 | ip-api.com

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 1684 set thread context of 2932 | 1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe | aspnet_compiler.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | process
1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe
Token: SeDebugPrivilege | 2932 | aspnet_compiler.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | process | target process
PID 1684 wrote to memory of 772 | 1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe | aspnet_compiler.exe
PID 1684 wrote to memory of 772 | 1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe | aspnet_compiler.exe
PID 1684 wrote to memory of 772 | 1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe | aspnet_compiler.exe
PID 1684 wrote to memory of 2932 | 1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe | aspnet_compiler.exe
PID 1684 wrote to memory of 2932 | 1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe | aspnet_compiler.exe
PID 1684 wrote to memory of 2932 | 1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe | aspnet_compiler.exe
PID 1684 wrote to memory of 2932 | 1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe | aspnet_compiler.exe
PID 1684 wrote to memory of 2932 | 1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe | aspnet_compiler.exe
PID 1684 wrote to memory of 2932 | 1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe | aspnet_compiler.exe
PID 1684 wrote to memory of 2932 | 1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe | aspnet_compiler.exe
PID 1684 wrote to memory of 2932 | 1684 | 857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe | aspnet_compiler.exe
Processes

C:\Users\Admin\AppData\Local\Temp\857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe (PID 1684)
command line: "C:\Users\Admin\AppData\Local\Temp\857e38c6089c96d19061c1df7b39a22d42b8962e065b6b652a8a3c2246c7bdff.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe (PID 772, child of PID 1684)
  command line: C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
  - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe (PID 2932, child of PID 1684)
  command line: C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\aspnet_compiler.exe
MD5: fda8c8f2a4e100afb14c13dfcbcab2d2
SHA1: 19dfd86294c4a525ba21c6af77681b2a9bbecb55
SHA256: 99a2c778c9a6486639d0aff1a7d2d494c2b0dc4c7913ebcb7bfea50a2f1d0b09
SHA512: 94f0ace37cae77be9935cf4fc8aaa94691343d3b38de5e16c663b902c220bff513cd02256c7af2d815a23dd30439582ddbb0880009c76bbf36ff8fbc1a6ddc18
memory/1684-134-0x0000000004CE0000-0x0000000004CFE000-memory.dmp  Filesize: 120KB
memory/1684-131-0x0000000074770000-0x0000000074F20000-memory.dmp  Filesize: 7.7MB
memory/1684-133-0x0000000004DF0000-0x0000000004DF1000-memory.dmp  Filesize: 4KB
memory/1684-130-0x00000000002E0000-0x000000000034A000-memory.dmp  Filesize: 424KB
memory/1684-132-0x0000000004D40000-0x0000000004DB6000-memory.dmp  Filesize: 472KB
memory/2932-140-0x00000000056A0000-0x0000000005732000-memory.dmp  Filesize: 584KB
memory/2932-139-0x0000000005BB0000-0x0000000006154000-memory.dmp  Filesize: 5.6MB
memory/2932-136-0x0000000000400000-0x000000000044E000-memory.dmp  Filesize: 312KB
memory/2932-141-0x0000000074770000-0x0000000074F20000-memory.dmp  Filesize: 7.7MB
memory/2932-142-0x0000000005600000-0x0000000005BA4000-memory.dmp  Filesize: 5.6MB
memory/2932-143-0x0000000005A50000-0x0000000005AB6000-memory.dmp  Filesize: 408KB
memory/2932-144-0x00000000067A0000-0x00000000067B2000-memory.dmp  Filesize: 72KB
memory/2932-145-0x0000000006BD0000-0x0000000006C0C000-memory.dmp  Filesize: 240KB
memory/2932-146-0x0000000006D90000-0x0000000006D9A000-memory.dmp  Filesize: 40KB