Analysis

  • max time kernel
    31s
  • max time network
    115s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-11-2023 10:46

General

  • Target

    Rat.exe

  • Size

    3.1MB

  • MD5

    568d2c9150438d4acc8e4b53b6ce70a2

  • SHA1

    4906af8218e049b73dcf8cf036b193c3da013b70

  • SHA256

    9a92c27447113d83d81208169d6c000808a584b9a3223f90a2db04e0bab41272

  • SHA512

    127bf3bc191ce3c4fb0515ceaa18975ba1d24f1b5dd219d6fa0a905f31b0538fb22d8c255c2c12f7e0f56810ba4cf0f54f3fc2db867143a4c286193da7054b8b

  • SSDEEP

    49152:uvbI22SsaNYfdPBldt698dBcjHCFvXE/sekCqILohd96THHB72eh2NT:uvk22SsaNYfdPBldt6+dBcjHCFvrm

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

95.148.114.81:3074

Mutex

438705a4-4f8c-4da4-ae1a-091d6679f4fc

Attributes
  • encryption_key

    AD7FCF7C9C76D3C7D6730075A1E1EB444D205087

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 35 IoCs
  • Suspicious use of SendNotifyMessage 33 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Rat.exe
    "C:\Users\Admin\AppData\Local\Temp\Rat.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2032
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2772
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feefbf9758,0x7feefbf9768,0x7feefbf9778
      2⤵
      PID:2400
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1176,i,10361988795033761174,2098023443468988432,131072 /prefetch:2
      2⤵
      PID:2684
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1412 --field-trial-handle=1176,i,10361988795033761174,2098023443468988432,131072 /prefetch:8
      2⤵
      PID:2608
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1176,i,10361988795033761174,2098023443468988432,131072 /prefetch:8
      2⤵
      PID:2640
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2244 --field-trial-handle=1176,i,10361988795033761174,2098023443468988432,131072 /prefetch:1
      2⤵
      PID:324
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2236 --field-trial-handle=1176,i,10361988795033761174,2098023443468988432,131072 /prefetch:1
      2⤵
      PID:672
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1252 --field-trial-handle=1176,i,10361988795033761174,2098023443468988432,131072 /prefetch:2
      2⤵
      PID:2504
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3188 --field-trial-handle=1176,i,10361988795033761174,2098023443468988432,131072 /prefetch:1
      2⤵
      PID:2404
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3448 --field-trial-handle=1176,i,10361988795033761174,2098023443468988432,131072 /prefetch:8
      2⤵
      PID:2056
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3564 --field-trial-handle=1176,i,10361988795033761174,2098023443468988432,131072 /prefetch:8
      2⤵
      PID:1744
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3444 --field-trial-handle=1176,i,10361988795033761174,2098023443468988432,131072 /prefetch:8
      2⤵
      PID:1548
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3900 --field-trial-handle=1176,i,10361988795033761174,2098023443468988432,131072 /prefetch:1
      2⤵
      PID:1716
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3828 --field-trial-handle=1176,i,10361988795033761174,2098023443468988432,131072 /prefetch:1
      2⤵
      PID:2224
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1624 --field-trial-handle=1176,i,10361988795033761174,2098023443468988432,131072 /prefetch:8
      2⤵
      PID:1312
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    PID:1480


                                Downloads

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  65KB

                                  MD5

                                  ac05d27423a85adc1622c714f2cb6184

                                  SHA1

                                  b0fe2b1abddb97837ea0195be70ab2ff14d43198

                                  SHA256

                                  c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

                                  SHA512

                                  6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

                                  Filesize

                                  304B

                                  MD5

                                  58a0a61c7a6aab9056a32f784acd9dd7

                                  SHA1

                                  26b778f43059839d86ed1a1d7d694b68818431eb

                                  SHA256

                                  2a90a87bc7146420852a0ef4d018fd1f2acea7ded4ac3690d2df113f4d93d57d

                                  SHA512

                                  a898686d3e3dcced6515e5589e4465e3d8b449d523b45cfc69dd7b3a9413e6d637a57917f2a60bc849d6b15ffa4e29f3f4c837ae99b280a1b1e595441c338d83

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                  Filesize

                                  840B

                                  MD5

                                  8e5cec7b00da065746282679690b78e9

                                  SHA1

                                  73b99c9f0b88fdd0e9e430f7d08f50d9588110f0

                                  SHA256

                                  838b9693f5bea64ce631dc12dcdb90fd73c7e98815e70f3a71bef252b509c31a

                                  SHA512

                                  9a74183e18ab0af0849e0942110292b4f44e628a1586d40d85018381ac2f9bbb467cd31da6355e9b59c7bf35e4e088f2a4134f80f0684f0295de0ce4cf4de754

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                  Filesize

                                  1KB

                                  MD5

                                  791805b4e242448ceb7ffe63e3ff32cc

                                  SHA1

                                  f331dce1cb01bf12689e45d472d400484f0efa6d

                                  SHA256

                                  7a1434ccc1695e8bb09ceee2b183be311669767adbeb2603d5debef2aa1ce040

                                  SHA512

                                  badd45095760cfa3e07a37d373908d33a5e25c7fa8de67a6dd2bf6e09db94608e9ef61975dd154aa7df29a246134ec4360f62f1068267ae209e18d5579f59d12

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                  Filesize

                                  1KB

                                  MD5

                                  e1f58ed13a06fcb12047c333f270a2ec

                                  SHA1

                                  54a7c931ae2a1101906882e2d0950094ddf5691a

                                  SHA256

                                  ceaff8eb1248a8862d590dfca2ec6ee6b4201fd159caa427ab3e259fc4355fd4

                                  SHA512

                                  97ffb30caf3c5d757b7d212ade2d223b1fc5705edd634df7439ae7c4782299cc309125c29d9e5b2691ede98e102b7c1c4d1519c9d65af7905d1732fe63dd30ca

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                  Filesize

                                  527B

                                  MD5

                                  fff6ccd9c107c97ea98ca786109ed60e

                                  SHA1

                                  bb987e8d46bba606f2e7a6ae1d8cc9a9d08c1b95

                                  SHA256

                                  877359349b34f71f8ebc25e2388df1ba6bbf04493898312c7febb339cf7c2dd8

                                  SHA512

                                  65912ae709e90cf7387a24f524fdf3e493c4604ed6d6c37c474750d34460eb9a34a4d658ae58a9719cdf6bfbbdb548119039f84e8edfecc7ea401dd07bf46888

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                  Filesize

                                  5KB

                                  MD5

                                  f86c0f8d06342f24f2f15c24a9ebae8d

                                  SHA1

                                  19919ce60e2fe80ee32fa3d3e8243cf4d9edcd64

                                  SHA256

                                  e28901596b23cc6b5dc2d4e7d15e0121a948e7d0152323744636b3998d3bccf8

                                  SHA512

                                  d535259cc291acd45ff3ecc549845c7b9a38fa76efb35ca684d2a0d1e175277275794d85fc8d1ef1dd98302e4a57094267f61372a18fe14ef5ab4f6b287b4068

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                  Filesize

                                  5KB

                                  MD5

                                  6013815eb4b839eabbd4b5c29d8ddf57

                                  SHA1

                                  36e52d52d78b9a960343bed687c0b0e889abf71e

                                  SHA256

                                  e1752611ee327c536e58444affa13a9f2b818d05c548d893994161a6cd368270

                                  SHA512

                                  96b2d54985c094236fcf988a0e37eee60ac460bcac7b1f9ad8d4ec05664a116a45dbd0124a04a039458256c1c8749bdd8b92e67185ac50557fb0b4b35ca69315

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                  Filesize

                                  4KB

                                  MD5

                                  976f17e84fd99cbd0d0a952ca42746dd

                                  SHA1

                                  94f5ed3b045cf2894641f609ef70012c156fab8d

                                  SHA256

                                  f54857915bd76d2c20ff7aca92e228045643917eb450db52a332bb232c5bb646

                                  SHA512

                                  bd79ca8c57d768e2b49fc2a627998c3580e8627478b8a7c85b2508bfb2370493fe360a60f38df8dca193ce86f4b7b13475e100ceccbb29f147695a519e660459

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

                                  Filesize

                                  16B

                                  MD5

                                  18e723571b00fb1694a3bad6c78e4054

                                  SHA1

                                  afcc0ef32d46fe59e0483f9a3c891d3034d12f32

                                  SHA256

                                  8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

                                  SHA512

                                  43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

                                • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

                                  Filesize

                                  264KB

                                  MD5

                                  f50f89a0a91564d0b8a211f8921aa7de

                                  SHA1

                                  112403a17dd69d5b9018b8cede023cb3b54eab7d

                                  SHA256

                                  b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                  SHA512

                                  bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                • C:\Users\Admin\AppData\Local\Temp\CabA3D0.tmp

                                  Filesize

                                  61KB

                                  MD5

                                  f3441b8572aae8801c04f3060b550443

                                  SHA1

                                  4ef0a35436125d6821831ef36c28ffaf196cda15

                                  SHA256

                                  6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

                                  SHA512

                                  5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

                                • C:\Users\Admin\AppData\Local\Temp\TarA53E.tmp

                                  Filesize

                                  171KB

                                  MD5

                                  9c0c641c06238516f27941aa1166d427

                                  SHA1

                                  64cd549fb8cf014fcd9312aa7a5b023847b6c977

                                  SHA256

                                  4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

                                  SHA512

                                  936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

                                • memory/2032-173-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

                                  Filesize

                                  9.9MB

                                • memory/2032-332-0x000000001B250000-0x000000001B2D0000-memory.dmp

                                  Filesize

                                  512KB

                                • memory/2032-0-0x0000000000DD0000-0x00000000010F4000-memory.dmp

                                  Filesize

                                  3.1MB

                                • memory/2032-2-0x000000001B250000-0x000000001B2D0000-memory.dmp

                                  Filesize

                                  512KB

                                • memory/2032-1-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

                                  Filesize

                                  9.9MB