Overview

overview

10

Static

static

262c4b94a1...da.exe

windows7_x64

10

262c4b94a1...da.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    220s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16-06-2022 09:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe

  • Size

    299KB

  • MD5

    bb73586cedd8767a216880ba2a7c7750

  • SHA1

    84a6c6c4908088349d5042f1a57374df7a8469f1

  • SHA256

    262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada

  • SHA512

    721bf82d3dfc0b2943283c7c8c4bac7afe54e4e2d1772cf27a254e5bbb6bb89d9dd5c2464a026de8d838d455187cfac0a0864d7ec8d77273d96a4ba92afb07cd

Score
10/10
quasarceospywaresuricatatrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

CEO

C2

worldwide567678.zapto.org:1714

Mutex

Hroy95BxsKwWGMw1fF

Attributes
  • encryption_key

    xFdMg8u08utwhtKUrD9B

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar Payload 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe
    "C:\Users\Admin\AppData\Local\Temp\262c4b94a1c528e8363f05beb57b03783ae33d61b3fa2ad4e7815d70d9781ada.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4528
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u00maeid\u00maeid.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92AB.tmp" "c:\Users\Admin\AppData\Local\Temp\u00maeid\CSC2E4510627336409AA024B5817B525D38.TMP"
        3⤵
          PID:3972
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3144
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lX9jKYmvXL9d.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4140
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            4⤵
              PID:1584
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:2708
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              4⤵
                PID:2156
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3144 -s 2260
              3⤵
              • Program crash
              PID:4212
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3144 -ip 3144
          1⤵
            PID:1096

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Credential Access

          Discovery

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          Remote System Discovery

          1
          T1018

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\RES92AB.tmp
            Filesize

            1KB

            MD5

            8c130df6fe91eb0a70978f23b1a3534d

            SHA1

            fae2ab2f5bee79c6cbf46cb7e2d7c279405d2444

            SHA256

            be49acc826bf1c2a20eb96d8cb6c4ce21377ec339d15e6eb299a922b815e357d

            SHA512

            1b39d2e7de61e3fad50048adebb1e84f9d58c4a5663ef8ac3b7b275b41941b34f5a3430ce02660ead9bbc976eebf1945966cbe51862352d919db1a08ce13f71b

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\lX9jKYmvXL9d.bat
            Filesize

            215B

            MD5

            8f5a05fa4968d67476bf8d3173160985

            SHA1

            30ee6878cb6beaa2cbc8213d93410af035712c95

            SHA256

            4a9eabec7e5a02b3a2029a0f57b4346d6a2d37503edaf32db6f8ff26ba4c51bc

            SHA512

            7fd1df7197c3061e5dea2ba3cfb7b6b3460a285950d1a4f9b220045f7f6526c85c7f958b5d8ddcc0c3073ca06ee450ae1ae65ce716be3434f8fd4489506b3fe6

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\u00maeid\u00maeid.dll
            Filesize

            6KB

            MD5

            69f382f7d9f90f3cf35ce3772ae13173

            SHA1

            a1d80d6e4a66f5cd1b139f4891c672a5e26497a8

            SHA256

            73b595aa2c273168aa9b43fe54b059fd9a15c07e2685fade972861731e1d69c5

            SHA512

            f4aaeff395ff966ec843d66d738b55ae69cf147fb68bb4d57c6c8ac2d5700162a20fc3365575d0f2084566b3a690fbca16726fbb43a85b103010979670dc45d0

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\u00maeid\u00maeid.pdb
            Filesize

            15KB

            MD5

            09b54b40b3a9cdd7ef82231db4839d94

            SHA1

            551e81dd898dc4ab2014aa50c189d5bd703376fc

            SHA256

            453377cab90cf19a2df6eadaf98a2fc6e276a39698346497a74524d4f146b4ba

            SHA512

            7b32edb65fff2444a172edc295eb629ca70804e0cb2c756deae587ae08fe1b299f485739576320f021c089e3c9c708a83c0ca644b3324d514d0c3e8d2f0559d6

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\u00maeid\CSC2E4510627336409AA024B5817B525D38.TMP
            Filesize

            1KB

            MD5

            beae744106e25464bcb1627c605307a0

            SHA1

            7dd7819b997aeb5e7737feed6cc51d471434a853

            SHA256

            846c98da824cd488f53fb14fd480c42f5d8ac806f7aafeed87af082430573a10

            SHA512

            233a4e76731006ea48ca04d050ded096deed0b8c5c35eda1d5e22f7569a7fa92b1a6fb702f1b0fb2392b9f5535c96c147a52ee0347fbd60ca8911bab484ee718

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\u00maeid\u00maeid.0.cs
            Filesize

            2KB

            MD5

            3bb7bebdb89f1c2f229090bb605bc82e

            SHA1

            325c1d845f3f4d9d017905ca53aad651321579f4

            SHA256

            a70f9fa875053a6b74d21076d401a7c37dc2942a76882efebe4d08468634dc75

            SHA512

            e733d4d7b3c4684e96a9c1c40c78fea193f9d780fed4320409b6d3dc1ff828436a7b323921bb5209c0814e3bb43580024f15ab51aa8e58cc4bf01c8ddd9297bf

            Download Submit
          • \??\c:\Users\Admin\AppData\Local\Temp\u00maeid\u00maeid.cmdline
            Filesize

            312B

            MD5

            95cf2a165f835395b98f0cdb6ae3b0fd

            SHA1

            bc5c92bef53a2089658c212d4e0c45b84583555b

            SHA256

            8bd9ac7fa8043f99822fbef4b8adc7fffff149c8b1363c9c3af5e5f5e6631b85

            SHA512

            6d118530cf3dc8f54cf01f3a6569144a389476b155ba721f88d2f4729d26b09d1da025f208c7e7802ae46cd27f759f637191bb93ea50e2fe5ff42525c28827ee

            Download Submit
          • memory/1584-150-0x0000000000000000-mapping.dmp
            Download
          • memory/2156-153-0x0000000000990000-0x00000000009A2000-memory.dmp
            Filesize

            72KB

            Download
          • memory/2156-152-0x0000000000000000-mapping.dmp
            Download
          • memory/2708-151-0x0000000000000000-mapping.dmp
            Download
          • memory/3144-142-0x0000000000400000-0x000000000044E000-memory.dmp
            Filesize

            312KB

            Download
          • memory/3144-143-0x0000000005A30000-0x0000000005FD4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/3144-144-0x0000000005710000-0x0000000005776000-memory.dmp
            Filesize

            408KB

            Download
          • memory/3144-145-0x0000000006360000-0x0000000006372000-memory.dmp
            Filesize

            72KB

            Download
          • memory/3144-146-0x0000000006780000-0x00000000067BC000-memory.dmp
            Filesize

            240KB

            Download
          • memory/3144-147-0x0000000006B10000-0x0000000006B1A000-memory.dmp
            Filesize

            40KB

            Download
          • memory/3144-141-0x0000000000000000-mapping.dmp
            Download
          • memory/3972-134-0x0000000000000000-mapping.dmp
            Download
          • memory/4140-148-0x0000000000000000-mapping.dmp
            Download
          • memory/4448-131-0x0000000000000000-mapping.dmp
            Download
          • memory/4528-130-0x0000000000210000-0x0000000000260000-memory.dmp
            Filesize

            320KB

            Download
          • memory/4528-140-0x0000000005120000-0x00000000051BC000-memory.dmp
            Filesize

            624KB

            Download
          • memory/4528-139-0x0000000004AA0000-0x0000000004B32000-memory.dmp
            Filesize

            584KB

            Download