Overview

overview

10

Static

static

33c50b2ae8...6d.exe

windows7_x64

10

33c50b2ae8...6d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-06-2022 00:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe

  • Size

    295KB

  • MD5

    e8a1026d6d025f281c596870fc1185ad

  • SHA1

    28e9f6bd76e161dab22829b3bff2af740de05ab1

  • SHA256

    33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d

  • SHA512

    54ddb682f7b36aa6a514e391d296771a8c5f235e4de680d1a84961fe12b46ebd3bb83a9f775fcfe031db305d332b6db4669b12d55e284d178eb0d9bd859fca73

Score
10/10
quasarrevengeratceospywaresuricatatrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

CEO

C2

198.46.235.194:1417

Mutex

Hzd5ohpHyz0j9jlmB2

Attributes
  • encryption_key

    jKwpd9T86gptPthTAlIq

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar Payload 7 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • RevengeRAT

    Remote-access trojan with a wide range of capabilities.

    trojanrevengerat
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Drops startup file 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe
    "C:\Users\Admin\AppData\Local\Temp\33c50b2ae8165306ced86dd1dc8e97aef377d1cb4b1297dec91940489a580d6d.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f0lqa3qw\f0lqa3qw.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1612
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2A0.tmp" "c:\Users\Admin\AppData\Local\Temp\f0lqa3qw\CSC7A36F066214C464CBDED3C72F789FBBA.TMP"
        3⤵
          PID:1716
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1392

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES2A0.tmp
      Filesize

      1KB

      MD5

      2b3ff1319c4f3d84f6c1c9cf7f151a93

      SHA1

      ea6bc9d8bd7d0ff551872fa7427489ca85c2e0af

      SHA256

      98bc878f4e2eebef7557939e91c47b520ccddf79b929db07ee4fac96fa1a498e

      SHA512

      dff7800cccd94aaddcef218681343b61fdc0a1eadfd48e1a0e5f94767f7a9c8c90a2fa2cd266be83a04509a6ca9f4e27c981fa4e1b1431e876de0b0fd2b0ac8b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\f0lqa3qw\f0lqa3qw.dll
      Filesize

      7KB

      MD5

      d5a42e4e8acfdc96f197780b2dc13b58

      SHA1

      44f881a7810c86ea4cf51dcd2fa1de7e1324f166

      SHA256

      75a35134685dd88cf733a4cf2680eaeaf37fb2db2013d703fcf6b8ddb6c8a101

      SHA512

      77ec87499b6d1e2cb8fd83dfd32d8bbbe613b6e55e82cb97069e4b534aaa082168952d0859e1c736d9f27cef02f355be3b0ec702b06e40d42cbbd12f559f4cfa

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\f0lqa3qw\f0lqa3qw.pdb
      Filesize

      23KB

      MD5

      25cd17efd3514ac04bdad6be7ff0f123

      SHA1

      c1e2a66c6fdcd396426add55f8bf63a4daef79d3

      SHA256

      07dda8c2db75e498374f806f0c1c5fe7647a015e82bd2f8f4d151273bee3718a

      SHA512

      0bfd7479c0e654acd6bf23c2b4e07ca97e8e9840ab9138c4ada338329881b4c147ae268313f78b1541bbbda09d5f0d885d31845a3d8ab1624411d76fcfcbcda1

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\f0lqa3qw\CSC7A36F066214C464CBDED3C72F789FBBA.TMP
      Filesize

      1KB

      MD5

      81a879a4f053f6785982303c385decfb

      SHA1

      f2825da898e3632e929d64b5c1c8f720125b72e9

      SHA256

      f54dd81d428cef0d956d60bf3b570e39eb30c3833c6550e22750162219af69b7

      SHA512

      601a60565da81e79bad51f18b5c9ccfffac523f3b9e6896d568505957e2c263a23f4db2678082c9e768531f053ae14fe4f09cce0dbbcc93f44831395953f628a

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\f0lqa3qw\f0lqa3qw.0.cs
      Filesize

      5KB

      MD5

      f939f60f0db703b692cd555a84dfd229

      SHA1

      875432a66f869526586a2d2cff57a219f113402e

      SHA256

      5fe14a6f96e8cc897dc037a881b86eab33d0f375e2b2580409ad70676326f036

      SHA512

      dc0a5206df64daafa7f6c30eb33cfe48cb975991c7b0409c7f3bcc2232087ce128b8762aae15c4fbb0b5da7dd3e7d26cd7f1cb3c547c088e827744192f20f04f

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\f0lqa3qw\f0lqa3qw.cmdline
      Filesize

      312B

      MD5

      da70107b6a77e22ae52fde16e73ff381

      SHA1

      db2d01b898761a057d954b27da18af5060034696

      SHA256

      854cec1e45b4e5c22d3d4e13104266b3564ca3bbbf0b4f176a874b0c810f068c

      SHA512

      a60ffee1ba3bc08a800a629bfed1573d6636ee19c46c8cd5f5d594ec90a89b0ad40c1c97cb987f44fcba822d842cd06f60bcc9f70201fba803db6d2dd27d531e

      Download Submit
    • memory/1392-72-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1392-71-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1392-76-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1392-78-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1392-68-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1392-74-0x000000000044943E-mapping.dmp
      Download
    • memory/1392-69-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1392-73-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1612-55-0x0000000000000000-mapping.dmp
      Download
    • memory/1716-58-0x0000000000000000-mapping.dmp
      Download
    • memory/1928-64-0x0000000004C30000-0x0000000004C88000-memory.dmp
      Filesize

      352KB

      Download
    • memory/1928-54-0x0000000000140000-0x0000000000190000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1928-67-0x0000000001EE0000-0x0000000001F2E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1928-66-0x0000000074E91000-0x0000000074E93000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1928-65-0x0000000001CC0000-0x0000000001CCC000-memory.dmp
      Filesize

      48KB

      Download
    • memory/1928-63-0x0000000000370000-0x0000000000378000-memory.dmp
      Filesize

      32KB

      Download