Analysis Overview
SHA256
240f6135d5dad8a8f0003be5e08123d721f5d0ee94dadc46d6575956b54f72fc
Threat Level: Known bad
The file Client-built2.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-26 06:44
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-26 06:44
Reported
2023-01-26 06:46
Platform
win7-20220812-en
Max time kernel
102s
Max time network
114s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built2.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built2.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built2.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built2.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 192.168.0.195:1604 | | tcp |
| N/A | 192.168.0.1:1604 | | tcp |
| N/A | 46.212.113.82:1604 | | tcp |
| N/A | 192.168.0.195:1604 | | tcp |
| N/A | 192.168.0.1:1604 | | tcp |
| N/A | 46.212.113.82:1604 | | tcp |
| N/A | 192.168.0.195:1604 | | tcp |
Files
memory/752-54-0x0000000000060000-0x00000000000E4000-memory.dmp
memory/752-55-0x000007FEFC161000-0x000007FEFC163000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-26 06:44
Reported
2023-01-26 06:46
Platform
win10v2004-20220812-en
Max time kernel
112s
Max time network
115s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built2.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built2.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built2.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built2.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 192.168.0.195:1604 | | tcp |
| N/A | 192.168.0.1:1604 | | tcp |
| N/A | 52.182.143.210:443 | | tcp |
| N/A | 46.212.113.82:1604 | | tcp |
| N/A | 67.24.171.254:80 | | tcp |
| N/A | 67.24.171.254:80 | | tcp |
| N/A | 192.168.0.195:1604 | | tcp |
| N/A | 192.168.0.1:1604 | | tcp |
| N/A | 46.212.113.82:1604 | | tcp |
| N/A | 8.8.8.8:53 | | udp |
| N/A | 185.172.148.96:443 | | tcp |
Files
memory/2248-132-0x0000000000330000-0x00000000003B4000-memory.dmp
memory/2248-133-0x00007FF905BB0000-0x00007FF906671000-memory.dmp
memory/2248-134-0x000000001CA90000-0x000000001CAE0000-memory.dmp
memory/2248-135-0x000000001CBA0000-0x000000001CC52000-memory.dmp
memory/2248-136-0x00007FF905BB0000-0x00007FF906671000-memory.dmp