Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  • submitted
    16/08/2023, 06:20

General

  • Target

    myproject.exe

  • Size

    1.9MB

  • MD5

    5d8857dfbf92c11e3d816e146a90574b

  • SHA1

    3bb590eba78454a49a81c1cd93b6111119defde1

  • SHA256

    9d3b91e313cc1183cbc94c36a1aa0b50e5a2e2178293240e935d5626c4994db2

  • SHA512

    c13dded3e6bc325e56db61e10cca634ca3e1ca0d04bb37cb3847530cd4d0b154b6dbc7bab12a7254590520f769f2c986ab7dadc65864e877f1932b05d342897a

  • SSDEEP

    49152:yq8O+4JhekmDCjyrZ9e1TsZbdJmkPzewFaxQXotaL:yqT+4JhvmDCurZ8FUlyPxQXota

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

CLppso

C2

5.249.163.32:4782

Mutex

edaac5e2-2388-4258-a93c-28e31ebe3f2a

Attributes
  • encryption_key

    124612CCBEAD0D1753510D04E4F680D28EF88CDD

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\myproject.exe
    "C:\Users\Admin\AppData\Local\Temp\myproject.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1048
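The extracted configuration and the process tree above give enough to write host-side detection logic for this sample. The following is an added example, not code from the sandbox or from the Quasar project. It runs constructed Sysmon-style events (the field names are a simplified stand-in for Sysmon's schema, an assumption) through three checks: a known host binary (MSBuild.exe, as in the tree above) started with an empty command line, a Run value whose name matches the extracted startup_key or whose target ends in subdirectory\install_name (the %APPDATA% base path and the parent of myproject.exe are assumptions; the report gives only the relative parts), and an outbound connection to the extracted C2 socket.

```python
"""Host-side detection checks derived from the report's extracted Quasar config.

Added example, not part of the sandbox report or of the Quasar project.
The event stream is a constructed, simplified Sysmon-like list of dicts
(assumption: the field names are illustrative, not Sysmon's real schema).
"""
import ntpath

# Values taken from the report's "Malware Config" section.
QUASAR = {
    "c2_ip": "5.249.163.32",
    "c2_port": 4782,
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
}

# Host binary seen in the report's process tree: launched with no build
# arguments and then targeted by SetThreadContext/WriteProcessMemory.
HOLLOW_HOSTS = {"msbuild.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, ignoring surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()


def check_process_create(ev: dict):
    """Event 1: a known hollowing host started with an empty command line."""
    if _base(ev["image"]) not in HOLLOW_HOSTS:
        return None
    argv = ev["command_line"].strip().strip('"')
    if argv.lower() != ev["image"].lower():
        return None  # has arguments, i.e. an ordinary build invocation
    return ("hollow_host_no_args",
            f"{_base(ev['image'])} pid={ev['pid']} parent={_base(ev['parent_image'])}")


def check_registry_set(ev: dict):
    """Event 13: a Run value matching the extracted startup_key or install path."""
    key, _, value_name = ev["target_object"].rpartition("\\")
    if not key.lower().endswith(r"\software\microsoft\windows\currentversion\run"):
        return None
    install_tail = ntpath.join(QUASAR["subdirectory"], QUASAR["install_name"]).lower()
    target = ev["details"].strip('"').lower()
    if value_name == QUASAR["startup_key"] or target.endswith(install_tail):
        return ("run_key_persistence", f"{value_name} -> {ev['details']}")
    return None


def check_network(ev: dict):
    """Event 3: an outbound connection to the extracted C2 socket."""
    if ev["dest_ip"] == QUASAR["c2_ip"] and ev["dest_port"] == QUASAR["c2_port"]:
        return ("c2_connection", f"pid={ev['pid']} -> {ev['dest_ip']}:{ev['dest_port']}")
    return None


CHECKS = {1: check_process_create, 13: check_registry_set, 3: check_network}


def scan(events):
    """Run each event through the check for its ID; return (rule, detail) hits."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev["id"])
        hit = check(ev) if check else None
        if hit:
            hits.append(hit)
    return hits


# Constructed events mirroring the report's process tree and config.
# The parent of myproject.exe and the %APPDATA% install base are assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1928,
     "image": r"C:\Users\Admin\AppData\Local\Temp\myproject.exe",
     "command_line": r'"C:\Users\Admin\AppData\Local\Temp\myproject.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 1048,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "command_line": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\myproject.exe"},
    {"id": 13, "pid": 1928,
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Quasar Client Startup",
     "details": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"},
    {"id": 3, "pid": 1048, "dest_ip": "5.249.163.32", "dest_port": 4782},
    # A normal build from an IDE: MSBuild with arguments must not fire.
    {"id": 1, "pid": 2000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "command_line": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe app.csproj /t:Build",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"},
]

if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```

The argument-less MSBuild check is the most reusable of the three: the C2 socket and startup_key value name are specific to this build of the RAT, but a .NET framework binary launched with an empty command line by something in a user's Temp directory is a pattern that survives a config change.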

Network

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1048-1155-0x0000000074170000-0x000000007485E000-memory.dmp (Filesize 6.9MB)
  • memory/1048-1156-0x0000000000400000-0x0000000000724000-memory.dmp (Filesize 3.1MB)
  • memory/1048-1157-0x0000000004DD0000-0x0000000004E10000-memory.dmp (Filesize 256KB)
  • memory/1048-1158-0x0000000074170000-0x000000007485E000-memory.dmp (Filesize 6.9MB)
  • memory/1048-1159-0x0000000004DD0000-0x0000000004E10000-memory.dmp (Filesize 256KB)
  • memory/1928-54-0x0000000000310000-0x00000000004FE000-memory.dmp (Filesize 1.9MB)
  • memory/1928-55-0x00000000741F0000-0x00000000748DE000-memory.dmp (Filesize 6.9MB)
  • memory/1928-56-0x0000000002300000-0x0000000002340000-memory.dmp (Filesize 256KB)
  • memory/1928-57-0x0000000005140000-0x000000000531A000-memory.dmp (Filesize 1.9MB)
  • memory/1928-58-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-59-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-61-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-63-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-65-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-67-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-69-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-71-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-73-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-75-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-77-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-79-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-81-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-83-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-85-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-87-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-89-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-91-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-93-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-95-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-97-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-99-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-101-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-103-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-105-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-107-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-109-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-111-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-113-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-115-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-117-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-119-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-121-0x0000000005140000-0x0000000005314000-memory.dmp (Filesize 1.8MB)
  • memory/1928-428-0x00000000741F0000-0x00000000748DE000-memory.dmp (Filesize 6.9MB)
  • memory/1928-623-0x0000000002300000-0x0000000002340000-memory.dmp (Filesize 256KB)
  • memory/1928-1136-0x00000000005E0000-0x00000000005E1000-memory.dmp (Filesize 4KB)
  • memory/1928-1137-0x0000000005720000-0x0000000005874000-memory.dmp (Filesize 1.3MB)
  • memory/1928-1138-0x0000000000720000-0x000000000076C000-memory.dmp (Filesize 304KB)
  • memory/1928-1152-0x00000000741F0000-0x00000000748DE000-memory.dmp (Filesize 6.9MB)
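Each dump name above encodes the PID, a capture sequence number and the start and end address of the region that was dumped. The following added example (not the sandbox's own tooling) parses that naming pattern, recomputes each region's size so the rounded Filesize labels can be checked, groups the dumps per PID into distinct regions, and singles out any region in the MSBuild.exe child that starts at the conventional 32-bit PE default image base 0x00400000 (an assumption used purely as a triage heuristic). SAMPLE_DUMPS is a constructed subset of the list above with one entry per distinct region; with it, the 3.1MB region at 0x00400000 in PID 1048 is the one to carve first, since no region at that address exists in the parent.

```python
"""Parse the sandbox's memory-dump names into per-PID region maps.

Added example, not part of the report. Dump names follow the pattern
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp seen in the Downloads list;
sizes are recomputed from the addresses and rendered like the report's
Filesize labels. SAMPLE_DUMPS is a constructed subset of that list.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Conventional default ImageBase of a 32-bit PE; used only as a heuristic
# for "where an executable image would be mapped" (assumption).
DEFAULT_IMAGE_BASE = 0x00400000

# Constructed subset of the report's dump list, one entry per distinct region.
SAMPLE_DUMPS = [
    "memory/1928-54-0x0000000000310000-0x00000000004FE000-memory.dmp",
    "memory/1928-55-0x00000000741F0000-0x00000000748DE000-memory.dmp",
    "memory/1928-56-0x0000000002300000-0x0000000002340000-memory.dmp",
    "memory/1928-57-0x0000000005140000-0x000000000531A000-memory.dmp",
    "memory/1928-58-0x0000000005140000-0x0000000005314000-memory.dmp",
    "memory/1928-1136-0x00000000005E0000-0x00000000005E1000-memory.dmp",
    "memory/1928-1137-0x0000000005720000-0x0000000005874000-memory.dmp",
    "memory/1928-1138-0x0000000000720000-0x000000000076C000-memory.dmp",
    "memory/1048-1155-0x0000000074170000-0x000000007485E000-memory.dmp",
    "memory/1048-1156-0x0000000000400000-0x0000000000724000-memory.dmp",
    "memory/1048-1157-0x0000000004DD0000-0x0000000004E10000-memory.dmp",
]


def parse_dump(name: str) -> dict:
    """Split one dump file name into pid, sequence number and address range."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a sandbox dump name: {name}")
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq),
            "start": int(start, 16), "end": int(end, 16)}


def human(nbytes: int) -> str:
    """Render a byte count the way the report's Filesize labels do."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def region_map(names):
    """Group dumps by PID into distinct regions, sorted by start address."""
    per_pid = defaultdict(dict)
    for d in map(parse_dump, names):
        size = d["end"] - d["start"]
        region = per_pid[d["pid"]].setdefault(
            (d["start"], d["end"]),
            {"start": d["start"], "end": d["end"], "size": size,
             "label": human(size), "dumps": 0})
        region["dumps"] += 1
    return {pid: sorted(r.values(), key=lambda r: r["start"])
            for pid, r in per_pid.items()}


def image_base_regions(regions, pid):
    """Regions of `pid` that begin at the default 32-bit image base."""
    return [r for r in regions.get(pid, []) if r["start"] == DEFAULT_IMAGE_BASE]


if __name__ == "__main__":
    regions = region_map(SAMPLE_DUMPS)
    for pid, regs in sorted(regions.items()):
        print(f"PID {pid}:")
        for r in regs:
            print(f"  0x{r['start']:08X}-0x{r['end']:08X}  {r['label']:>6}  dumps={r['dumps']}")
    for r in image_base_regions(regions, 1048):
        print(f"PID 1048 has a {r['label']} region at the default image base")
```

Running it over the full list rather than the subset only changes the dumps counter (the 0x05140000-0x05314000 region in PID 1928 was captured 33 times); the set of distinct regions is the same. The 6.9MB region appears in both processes at slightly different bases (0x741F0000 in the parent, 0x74170000 in the child), which is consistent with a shared module mapped in each process rather than with anything written across the process boundary.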