Overview

overview

10

Static

static

10

26aba4e9a0...88.exe

windows7-x64

10

26aba4e9a0...88.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    71s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-09-2022 00:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    26aba4e9a028a23c065ce9611c164288.exe

  • Size

    2.8MB

  • MD5

    26aba4e9a028a23c065ce9611c164288

  • SHA1

    58bc1e70429c58615863e1704d3a6b575fab767f

  • SHA256

    00e3eebe4bbea52843a8d335bdf5e4b5d6c8de8079f8d86a345cceb2375ccb25

  • SHA512

    0db32f58a5d54d04bd3ca60111b3963a50741893a16325a2f3bbeba237fc280fa6f3c63d054d5b9cef0443e8e5ed1de38e4a459c3e7f0c3be4d0a054e08b5095

  • SSDEEP

    49152:ZfjG7SXx1c7V1tgRk5ysKxqEDtIupA7f/za32ehyfT36Dq2w:ZfSSB1c7V1yypKxq1ubw

Score
10/10
quasaroffice04persistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

39.107.242.96:47820

Mutex

fda87a73-83f3-4200-85c4-d2289eb5f51f

Attributes
  • encryption_key

    38F957A7714EBE6FC27E56C6EAB8BADC987F5E2B

  • install_name

    Windows Search.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WindowsSearchPrograms

  • subdirectory

    WindowsSearch

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\26aba4e9a028a23c065ce9611c164288.exe
    "C:\Users\Admin\AppData\Local\Temp\26aba4e9a028a23c065ce9611c164288.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "WindowsSearchPrograms" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\26aba4e9a028a23c065ce9611c164288.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:448
    • C:\Users\Admin\AppData\Roaming\WindowsSearch\Windows Search.exe
      "C:\Users\Admin\AppData\Roaming\WindowsSearch\Windows Search.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4580
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "WindowsSearchPrograms" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WindowsSearch\Windows Search.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:4948

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\WindowsSearch\Windows Search.exe
    Filesize

    2.8MB

    MD5

    26aba4e9a028a23c065ce9611c164288

    SHA1

    58bc1e70429c58615863e1704d3a6b575fab767f

    SHA256

    00e3eebe4bbea52843a8d335bdf5e4b5d6c8de8079f8d86a345cceb2375ccb25

    SHA512

    0db32f58a5d54d04bd3ca60111b3963a50741893a16325a2f3bbeba237fc280fa6f3c63d054d5b9cef0443e8e5ed1de38e4a459c3e7f0c3be4d0a054e08b5095

    Download Submit

  • C:\Users\Admin\AppData\Roaming\WindowsSearch\Windows Search.exe
    Filesize

    2.8MB

    MD5

    26aba4e9a028a23c065ce9611c164288

    SHA1

    58bc1e70429c58615863e1704d3a6b575fab767f

    SHA256

    00e3eebe4bbea52843a8d335bdf5e4b5d6c8de8079f8d86a345cceb2375ccb25

    SHA512

    0db32f58a5d54d04bd3ca60111b3963a50741893a16325a2f3bbeba237fc280fa6f3c63d054d5b9cef0443e8e5ed1de38e4a459c3e7f0c3be4d0a054e08b5095

    Download Submit

  • memory/1104-132-0x0000000000010000-0x00000000002E8000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/1104-133-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1104-138-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4580-139-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4580-141-0x000000001BA80000-0x000000001BAD0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4580-142-0x000000001C690000-0x000000001C742000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4580-143-0x00007FFE53930000-0x00007FFE543F1000-memory.dmp

    Filesize

    10.8MB

    Download