Analysis

  • max time kernel
    133s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/01/2023, 17:53

General

  • Target

    testating.exe

  • Size

    502KB

  • MD5

    1f8f68e7623630103601f6235e9c94a6

  • SHA1

    3c32c376b1be12d1f9df117eb8435804548c02c8

  • SHA256

    76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591

  • SHA512

    c93ba03f50602919a8355334c1450fb9f57aeb432027e53c458195d7dfbdc3940d042e136eb3ace24cd76c1ffbd359be05582893fc0e53f5fe764c8c32fe6631

  • SSDEEP

    6144:4TEgdc0YHXAGbgiIN2RSBWDR3Uz8sXKYF8MtcEnOb8F96rQ3u49JTxcTR32:4TEgdfYfbgnttr3pcreu4nTxcd2

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

192.168.1.237:1290

Mutex

0cdb9102-24f8-4ed6-ba0c-d7625d69d684

Attributes
  • encryption_key

    63E6BFBD5330A53154091A63A8847C4FAA484D23

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    2899

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\testating.exe
    "C:\Users\Admin\AppData\Local\Temp\testating.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\testating.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:664
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3788
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:3880

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

    Filesize

    502KB

    MD5

    1f8f68e7623630103601f6235e9c94a6

    SHA1

    3c32c376b1be12d1f9df117eb8435804548c02c8

    SHA256

    76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591

    SHA512

    c93ba03f50602919a8355334c1450fb9f57aeb432027e53c458195d7dfbdc3940d042e136eb3ace24cd76c1ffbd359be05582893fc0e53f5fe764c8c32fe6631

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

    Filesize

    502KB

    MD5

    1f8f68e7623630103601f6235e9c94a6

    SHA1

    3c32c376b1be12d1f9df117eb8435804548c02c8

    SHA256

    76257feb8d753a419e11bd0672eac3d236ac990d8ba8baf7ec44c5f1f3eac591

    SHA512

    c93ba03f50602919a8355334c1450fb9f57aeb432027e53c458195d7dfbdc3940d042e136eb3ace24cd76c1ffbd359be05582893fc0e53f5fe764c8c32fe6631

  • memory/3788-139-0x00007FFA23010000-0x00007FFA23AD1000-memory.dmp

    Filesize

    10.8MB

  • memory/3788-141-0x000000001B2A0000-0x000000001B2F0000-memory.dmp

    Filesize

    320KB

  • memory/3788-142-0x000000001C8B0000-0x000000001C962000-memory.dmp

    Filesize

    712KB

  • memory/3788-143-0x00007FFA23010000-0x00007FFA23AD1000-memory.dmp

    Filesize

    10.8MB

  • memory/4488-132-0x0000000000500000-0x0000000000584000-memory.dmp

    Filesize

    528KB

  • memory/4488-133-0x00007FFA23010000-0x00007FFA23AD1000-memory.dmp

    Filesize

    10.8MB

  • memory/4488-138-0x00007FFA23010000-0x00007FFA23AD1000-memory.dmp

    Filesize

    10.8MB