Overview

overview

10

Static

static

10

4e9e02f9b5...fa.exe

windows7_x64

10

4e9e02f9b5...fa.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe

  • Size

    348KB

  • MD5

    6e5fef5da8810aa3fffad5a486c68cf3

  • SHA1

    70f6507e9b2644fbcb75c78c6660dbdca4da5ef0

  • SHA256

    4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa

  • SHA512

    94dec0822aef151ec843732e9f13d550c59bb4575f8fff7822f5c2bf4d36854dc0c4061dbbcd6c2377aaac77ad86aa48092515fdc7388148e76db96f8417d027

Score
10/10
quasarsystemspywaresuricatatrojan

Malware Config

Extracted

Family

quasar

Version

1.1.0.0

Botnet

System

C2

82.202.167.203:4444

Mutex

xTSR_MUTEX_JOBXsgj4pMGMmIDVNc

Attributes
  • encryption_key

    eu7tm2CUeFG5FGwJlQkW

  • install_name

    core.exe

  • log_directory

    logs

  • reconnect_delay

    3000

  • startup_key

    System Core

  • subdirectory

    system

Signatures

  • Quasar Payload 3 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe
    "C:\Users\Admin\AppData\Local\Temp\4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "System Core" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:4944
    • C:\Users\Admin\AppData\Roaming\system\core.exe
      "C:\Users\Admin\AppData\Roaming\system\core.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "System Core" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\core.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\system\core.exe
    Filesize

    348KB

    MD5

    6e5fef5da8810aa3fffad5a486c68cf3

    SHA1

    70f6507e9b2644fbcb75c78c6660dbdca4da5ef0

    SHA256

    4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa

    SHA512

    94dec0822aef151ec843732e9f13d550c59bb4575f8fff7822f5c2bf4d36854dc0c4061dbbcd6c2377aaac77ad86aa48092515fdc7388148e76db96f8417d027

    Download Submit
  • C:\Users\Admin\AppData\Roaming\system\core.exe
    Filesize

    348KB

    MD5

    6e5fef5da8810aa3fffad5a486c68cf3

    SHA1

    70f6507e9b2644fbcb75c78c6660dbdca4da5ef0

    SHA256

    4e9e02f9b59d580cee08f8f3e7804f7a8f8b12c93e027ba6fd211ac4815e98fa

    SHA512

    94dec0822aef151ec843732e9f13d550c59bb4575f8fff7822f5c2bf4d36854dc0c4061dbbcd6c2377aaac77ad86aa48092515fdc7388148e76db96f8417d027

    Download Submit
  • memory/4028-130-0x0000000000580000-0x00000000005DE000-memory.dmp
    Filesize

    376KB

    Download
  • memory/4028-131-0x0000000005620000-0x0000000005BC4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4028-132-0x0000000004FA0000-0x0000000005032000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4028-133-0x0000000005170000-0x00000000051D6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4028-134-0x0000000005DD0000-0x0000000005DE2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4028-135-0x00000000063F0000-0x000000000642C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4260-137-0x0000000000000000-mapping.dmp
    Download
  • memory/4260-141-0x0000000007150000-0x000000000715A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4944-136-0x0000000000000000-mapping.dmp
    Download
  • memory/4956-140-0x0000000000000000-mapping.dmp
    Download