Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/01/2023, 02:18

General

  • Target

    nvz0g1.ps1

  • Size

    5.1MB

  • MD5

    7aad8bcb11ff3deab23cc311222fe265

  • SHA1

    3d9a69c71e00aff947af949441220f18bad9e0d8

  • SHA256

    c90652e3d658848ea93fc3b70bec8122366ea3a9cc79a11cd47d7b5c418b9b2a

  • SHA512

    f6bb4fd8ffab5b08ed8c0991e8c57d91702cbfc6034e7157c720c5b94b55f88788a4273c9ec46e63ac0c286f24ff4ad17e925074f6766a5fab53eb4959728fe9

  • SSDEEP

    49152:YY1wOeTfeinwRg0Yd0YtWdR2++BqkPiblNmBZOqsHtL3rdyW6JKHINYMpnkq/3+g:i

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

ghcc.duckdns.org:4782

Mutex

a9c03eb7-f3c1-4b9e-a4f7-1962d17a793b

Attributes
  • encryption_key

    B0326395AC2D48856CAE22978A087DF5DCF5816D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\nvz0g1.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1332

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1332-134-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

  • memory/1332-137-0x00000000058D0000-0x0000000005E74000-memory.dmp

    Filesize

    5.6MB

  • memory/1332-138-0x0000000005320000-0x00000000053B2000-memory.dmp

    Filesize

    584KB

  • memory/1332-139-0x0000000005250000-0x000000000525A000-memory.dmp

    Filesize

    40KB

  • memory/1332-140-0x00000000064A0000-0x0000000006AB8000-memory.dmp

    Filesize

    6.1MB

  • memory/1332-141-0x00000000057A0000-0x00000000057F0000-memory.dmp

    Filesize

    320KB

  • memory/1332-142-0x0000000005FC0000-0x0000000006072000-memory.dmp

    Filesize

    712KB

  • memory/1652-132-0x000002565F710000-0x000002565F732000-memory.dmp

    Filesize

    136KB

  • memory/1652-133-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

    Filesize

    10.8MB

  • memory/1652-136-0x00007FFDB69A0000-0x00007FFDB7461000-memory.dmp

    Filesize

    10.8MB