Overview

overview

10

Static

static

10

Free Robux.exe

windows7-x64

10

Free Robux.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    03/08/2023, 16:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Free Robux.exe

  • Size

    3.1MB

  • MD5

    12dfc98e55d187e82fe2207383447e0b

  • SHA1

    efb3fb106202b9a12f1894e703fcee27cb93e28c

  • SHA256

    78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

  • SHA512

    410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9

  • SSDEEP

    49152:DvBuf2NUaNmwzPWlvdaKM7ZxTwdlRJ64bR3LoGdQTHHB72eh2NT:Dvcf2NUaNmwzPWlvdaB7ZxTwdlRJ6S

Score
10/10
quasarinfectedspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Infected

C2

192.168.1.1:4782

192.168.1.66:4782

dark-crystal.at.ply.gg:4782
Mutex

ff410ede-beff-4970-8e12-7d251057f1fd

Attributes
  • encryption_key

    1B172706DED462B59F2A5056AB06A8DD1EE8491B

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Realtek Audio

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 7 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops file in System32 directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Free Robux.exe
    "C:\Users\Admin\AppData\Local\Temp\Free Robux.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2168
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2472
    • C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2576
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:1448
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\5OMVch2ODUJk.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1964
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2856
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:2908
          • C:\Windows\system32\SubDir\Client.exe
            "C:\Windows\system32\SubDir\Client.exe"
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2300
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Creates scheduled task(s)
              PID:2836
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\I10d35nuGkpL.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:2696
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:1136
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:576
                • C:\Windows\system32\SubDir\Client.exe
                  "C:\Windows\system32\SubDir\Client.exe"
                  6⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:1636
                  • C:\Windows\system32\schtasks.exe
                    "schtasks" /create /tn "Realtek Audio" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Creates scheduled task(s)
                    PID:1012

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\5OMVch2ODUJk.bat
        Filesize

        196B

        MD5

        1e282471a7137e92029b117f26cd179e

        SHA1

        4dfbeb22adea1da446718297671fef9e6d711706

        SHA256

        072c9ac0d5b07ddf7ad794f8e74845dbeb03b10a6f05d263b4dc2f5282394d44

        SHA512

        7904c32244fb06d92a873a47c76c046842b4b38582a86fb8adf99dd6af5a14885247b4397e318bfb73818230bdfe0d4e6e4f7783043c4c10871eabc0874e46c0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\5OMVch2ODUJk.bat
        Filesize

        196B

        MD5

        1e282471a7137e92029b117f26cd179e

        SHA1

        4dfbeb22adea1da446718297671fef9e6d711706

        SHA256

        072c9ac0d5b07ddf7ad794f8e74845dbeb03b10a6f05d263b4dc2f5282394d44

        SHA512

        7904c32244fb06d92a873a47c76c046842b4b38582a86fb8adf99dd6af5a14885247b4397e318bfb73818230bdfe0d4e6e4f7783043c4c10871eabc0874e46c0

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\I10d35nuGkpL.bat
        Filesize

        196B

        MD5

        b4dafa01d6f40658e7c68cd1f901667f

        SHA1

        77b1e251ceb57c46863e71814005fd18b0c93d92

        SHA256

        810270b3e5e19aac91b8140307c3667f666406effd31b351c6002fe21e71c88c

        SHA512

        729b28484432086cf34a18190ba6f776b04f7197802bcb76d0659e418ac8cd6ed0c0c161dfbf76cbdd473665b0355e662a89c21126ef265cc3c434a0ea7fea04

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\I10d35nuGkpL.bat
        Filesize

        196B

        MD5

        b4dafa01d6f40658e7c68cd1f901667f

        SHA1

        77b1e251ceb57c46863e71814005fd18b0c93d92

        SHA256

        810270b3e5e19aac91b8140307c3667f666406effd31b351c6002fe21e71c88c

        SHA512

        729b28484432086cf34a18190ba6f776b04f7197802bcb76d0659e418ac8cd6ed0c0c161dfbf76cbdd473665b0355e662a89c21126ef265cc3c434a0ea7fea04

        Download Submit

      • C:\Windows\System32\SubDir\Client.exe
        Filesize

        3.1MB

        MD5

        12dfc98e55d187e82fe2207383447e0b

        SHA1

        efb3fb106202b9a12f1894e703fcee27cb93e28c

        SHA256

        78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

        SHA512

        410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9

        Download Submit

      • C:\Windows\System32\SubDir\Client.exe
        Filesize

        3.1MB

        MD5

        12dfc98e55d187e82fe2207383447e0b

        SHA1

        efb3fb106202b9a12f1894e703fcee27cb93e28c

        SHA256

        78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

        SHA512

        410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9

        Download Submit

      • C:\Windows\System32\SubDir\Client.exe
        Filesize

        3.1MB

        MD5

        12dfc98e55d187e82fe2207383447e0b

        SHA1

        efb3fb106202b9a12f1894e703fcee27cb93e28c

        SHA256

        78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

        SHA512

        410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9

        Download Submit

      • C:\Windows\system32\SubDir\Client.exe
        Filesize

        3.1MB

        MD5

        12dfc98e55d187e82fe2207383447e0b

        SHA1

        efb3fb106202b9a12f1894e703fcee27cb93e28c

        SHA256

        78980e753b2dc821107c2e8f10df4ff86ca9fde82f7c97b1949c2315ba955f9f

        SHA512

        410097f00d1bf81b5ab27cc02993b78d9f8ea44d1ff2bee44d322211e282f398fe3d623d295567b67292433720515f29ec6ce1438874e49d09ac266afdfad8b9

        Download Submit

      • memory/1636-96-0x000000001B350000-0x000000001B3D0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1636-95-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1636-94-0x00000000003B0000-0x00000000006D4000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/1636-97-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/1636-98-0x000000001B350000-0x000000001B3D0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2168-63-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2168-56-0x00000000008E0000-0x0000000000960000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2168-54-0x0000000000330000-0x0000000000654000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2168-55-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2300-92-0x000007FEF48E0000-0x000007FEF52CC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2300-82-0x000000001B180000-0x000000001B200000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2300-81-0x000007FEF48E0000-0x000007FEF52CC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2300-80-0x000000001B180000-0x000000001B200000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2300-79-0x000007FEF48E0000-0x000007FEF52CC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2576-77-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2576-67-0x000000001B300000-0x000000001B380000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2576-66-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2576-65-0x000000001B300000-0x000000001B380000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2576-64-0x00000000008E0000-0x0000000000C04000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2576-62-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

        Filesize

        9.9MB

        Download