Analysis
-
max time kernel
143s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
25-05-2022 00:38
General
-
Target
5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe
-
Size
1.3MB
-
MD5
289b643e1a46d2b8de76323db780b6cf
-
SHA1
ef7ff8a8a634319e57043a35a9c3a9aa062f8a93
-
SHA256
5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6
-
SHA512
6353d2a666d5b99d9e6e22cbe9fafb4a0640ade812c3c613bde47ceea612eefc5ef835051b88163edad7a8a49b861ee8847f5a663a9b1049b5578293ccb74a04
Malware Config
Extracted
quasar
1.4.0.0
Office
46.249.59.99:111
mz2wiNFAWq1HjJ2fUn
-
encryption_key
8DIs0SbdWcImnvHm2I9I
-
install_name
csrss.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
NET framework
-
subdirectory
SubDir
Signatures
-
Quasar Payload 6 IoCs
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
suricata: ET MALWARE Common RAT Connectivity Check Observed
suricata: ET MALWARE Common RAT Connectivity Check Observed
-
Drops startup file 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe"C:\Users\Admin\AppData\Local\Temp\5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe"1⤵
- NTFS ADS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell [System.Threading.Thread]::GetDomain().Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\yVP').GetValue('GJW'));[Rkb]::eEyo('C:\Users\Admin\AppData\Local\Temp\5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe', 'QTEO', '5aa187357d7fd3e33f6f6780809f14f33d2808f8510d0c4ba63952c8574410e6.exe')2⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/964-59-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/964-68-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/964-66-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/964-64-0x000000000044940E-mapping.dmp
-
memory/964-63-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/964-62-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/964-61-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/964-58-0x0000000000400000-0x000000000044E000-memory.dmpFilesize
312KB
-
memory/1784-54-0x00000000765F1000-0x00000000765F3000-memory.dmpFilesize
8KB
-
memory/1796-55-0x0000000000000000-mapping.dmp
-
memory/1796-57-0x00000000746E0000-0x0000000074C8B000-memory.dmpFilesize
5.7MB