Overview

overview

10

Static

static

382204c078...e3.exe

windows7_x64

10

382204c078...e3.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 21:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe

  • Size

    337KB

  • MD5

    8674e8fd878a92e92a479b931235bb72

  • SHA1

    dfc652402b4791b81379326b0881cd0a2e613169

  • SHA256

    382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3

  • SHA512

    6d36b398d1f964b3b2f0ce5fdd1a0a04e7997b8fa8295912f31d4e26a50dee75197303df34d92915fa5bb57a5df4d486dcff7d312bd5064425cd27218b4e094c

Score
10/10
quasarceospywaresuricatatrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

CEO

C2

23.249.161.211:1714

Mutex

ymuFePGjPK2s7dyOvO

Attributes
  • encryption_key

    H5mirEGEuwM1G7u6Z7Pb

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar Payload 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata: ET MALWARE Common RAT Connectivity Check Observed

    suricata
  • Drops startup file 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe
    "C:\Users\Admin\AppData\Local\Temp\382204c078672bfae8b2c7f123e7cd735c3dd428f49446817973820cb0f2e5e3.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\13atz3bm\13atz3bm.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9520.tmp" "c:\Users\Admin\AppData\Local\Temp\13atz3bm\CSCFCE88940FCC5434CB46173CA38AF183F.TMP"
        3⤵
          PID:5036
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2352

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\13atz3bm\13atz3bm.dll
      Filesize

      7KB

      MD5

      d77025a2b00a88e2e92e6fb2c58a21dc

      SHA1

      4caa7a512cc774adaac25dddaeed11d5d7af856f

      SHA256

      28639096a03ad611411333b9c6d1d1bba49f71d553a71ae253efdd9d66cc2520

      SHA512

      82f59991867d3cee0a86d443ff8ebcb939e6c0dd87b3eed1bd8c0070043043b832df9f3b198ae085324c8ee596d5f962eab3f3a07df5fbe67c3eb6c83311b018

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\13atz3bm\13atz3bm.pdb
      Filesize

      23KB

      MD5

      e550984d1f58fedbf75104dbd5ef65c6

      SHA1

      23a7d9033394674a045c134dfa4deb491638cf40

      SHA256

      3acb0ea0cac1ae64194c5d15cc12b25cc7fe6aa47e3e436ef76ef5bfc717dbc7

      SHA512

      ef01165459161365b26e5ed799aa11152e099a8e8dcaf9979f5eda86270484f0ace81af437d84cfd8dfdc372a35beaf2e295dc021f26e255871ead6f040c55e5

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\RES9520.tmp
      Filesize

      1KB

      MD5

      f4fa3c8d493cf5512dc6c749fdc42a00

      SHA1

      7eb89e2a9c185c602926ad055cb91854c14ccea2

      SHA256

      49e65d5a4d3af8a13e80eacff9d6eb9e28fb418d9ae2faacdc0261428a738a72

      SHA512

      3646a3f698fc38d98d31041ec19213aec5bfae32905b6c27adbebaab5158c4c16a86960afb833f694561453feb9e8954761a53e94b20eca520e7ca8c28daa4a3

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\13atz3bm\13atz3bm.0.cs
      Filesize

      5KB

      MD5

      1270db283d14131c79bfa21e6bd37dec

      SHA1

      fc867965ea8a68a2486f1d41a2ab85a92c665ed2

      SHA256

      be757d33334bc1f1a8b642c0bda3c20d027bd9de014e17b1f5811b430d7262dd

      SHA512

      73d888e7252a3e20d00fe8dd56e709bf5c5e0b0a076c221ea27ec5def6939978697dce83433b9c49be9eac7228a2619dca3fa138c1d4e49f38acc952668b4be9

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\13atz3bm\13atz3bm.cmdline
      Filesize

      312B

      MD5

      d14a2bb2a90840d5c97a2e313edb30d7

      SHA1

      ab066d7079c444dc408ce0ce1795d887f89f2aae

      SHA256

      456e64378264b3e1c56584f1d9cfd83d6c186f18905e83f28d3472b2e4ebeef6

      SHA512

      3512cd4b62df70cab91ae82bb396d12f7d1989235c439062d2c9d546d0b025fffe4b1e82e35138fa0884696334d30976e0322ca6cfb857df59e7a7691405df60

      Download Submit
    • \??\c:\Users\Admin\AppData\Local\Temp\13atz3bm\CSCFCE88940FCC5434CB46173CA38AF183F.TMP
      Filesize

      1KB

      MD5

      12549247873309c615e6cee6643d32fe

      SHA1

      f81192fee24aec108af472edacc44392244d1b51

      SHA256

      ebc16c79cd4958ea066f339955c52cf93cb66422699d19875a87c4bbc00d6020

      SHA512

      b8ea5ada8e36877d97dc02870c94b062f6a34ba0c6350f0d090b5b97bc9648daa8dcab42b292751b376e4899294cf7915ce54266d035987395dd3efffd4a2b7d

      Download Submit
    • memory/2276-131-0x0000000000000000-mapping.dmp
      Download
    • memory/2352-142-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/2352-141-0x0000000000000000-mapping.dmp
      Download
    • memory/2352-143-0x0000000005B70000-0x0000000006114000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2352-144-0x0000000005810000-0x0000000005876000-memory.dmp
      Filesize

      408KB

      Download
    • memory/2352-145-0x0000000005B30000-0x0000000005B42000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2352-146-0x0000000006920000-0x000000000695C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2352-147-0x0000000006E90000-0x0000000006E9A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4776-139-0x0000000004C00000-0x0000000004C92000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4776-140-0x0000000005250000-0x00000000052EC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4776-130-0x00000000001F0000-0x000000000024A000-memory.dmp
      Filesize

      360KB

      Download
    • memory/5036-134-0x0000000000000000-mapping.dmp
      Download