Analysis
-
max time kernel
43s -
max time network
39s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
23/07/2023, 09:29
General
-
Target
Client-built.exe
-
Size
3.2MB
-
MD5
0c1ec7f96d7075a604abe1f8b2725464
-
SHA1
0cba36b0af29f8bd62cbd5734f59db80f1ad5b71
-
SHA256
c1f6dc96c484bc241b7693aed4b5350ac4bb04c573bc61479849141b8707254c
-
SHA512
84b84129ad26b1d0e3e3fc452797339b77ae7b2a6787fd7a5179b1d4849887c3f35ec0376ba127facf96c7ae828a2481f0eb813366327295050ec9a77d1f18fe
-
SSDEEP
49152:mvIt62XlaSFNWPjljiFa2RoUYIYNxNESE+k/iQLoGdiOjPTHHB72eh2NT:mvE62XlaSFNWPjljiFXRoUYI6xtub
Malware Config
Extracted
quasar
1.4.1
Opera
6.tcp.eu.ngrok.io:19271
feb69ae7-695d-40ed-89a2-04ef8bd51b77
-
encryption_key
BE406BCA39FA7E9CE29EAD78E1350B24413E24BF
-
install_name
launcher.exe
-
log_directory
Opera Logs
-
reconnect_delay
3000
-
startup_key
Opera Launcher
-
subdirectory
Opera Software
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 4 IoCs
-
Executes dropped EXE 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 40 IoCs
-
Suspicious use of SendNotifyMessage 40 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Opera Launcher" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe"C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Opera Launcher" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Opera Software\launcher.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD50c1ec7f96d7075a604abe1f8b2725464
SHA10cba36b0af29f8bd62cbd5734f59db80f1ad5b71
SHA256c1f6dc96c484bc241b7693aed4b5350ac4bb04c573bc61479849141b8707254c
SHA51284b84129ad26b1d0e3e3fc452797339b77ae7b2a6787fd7a5179b1d4849887c3f35ec0376ba127facf96c7ae828a2481f0eb813366327295050ec9a77d1f18fe
-
Filesize
3.2MB
MD50c1ec7f96d7075a604abe1f8b2725464
SHA10cba36b0af29f8bd62cbd5734f59db80f1ad5b71
SHA256c1f6dc96c484bc241b7693aed4b5350ac4bb04c573bc61479849141b8707254c
SHA51284b84129ad26b1d0e3e3fc452797339b77ae7b2a6787fd7a5179b1d4849887c3f35ec0376ba127facf96c7ae828a2481f0eb813366327295050ec9a77d1f18fe
-
Filesize
3.2MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
4KB
-
Filesize
3.2MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
9.9MB