Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06-12-2023 09:51

General

  • Target

    CF3E191984D67CC23E9801C1F34AEF0C.exe

  • Size

    3.7MB

  • MD5

    cf3e191984d67cc23e9801c1f34aef0c

  • SHA1

    e077f254fab7ac5c1150925866fac997ee008237

  • SHA256

    e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53

  • SHA512

    0f60baf1d8a8177dfe45d603ba82181e528f1b62e4b54881fc5c7ff77e4cf2c1feef9d6bd5e697b216aeb9063e013298f26ec572226de5cfd965ce3a61239904

  • SSDEEP

    98304:cv722SsaNYfdPBldt6+dBcjHgefqLXKpsvD/D+donCYUV:ac7jFIj7/A1Yc

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

106.160.59.123:5468

Mutex

ecbc8241-f6e8-43af-bfa9-9d8fb968ba89

Attributes
  • encryption_key

    B6D85D96313E99A28BC1E8EFB817AC6FE38CBB98

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 2 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe
    "C:\Users\Admin\AppData\Local\Temp\CF3E191984D67CC23E9801C1F34AEF0C.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4488
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Users\Admin\AppData\Local\Temp\\Client-built.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3864
      • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        C:\Users\Admin\AppData\Local\Temp\\Client-built.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4248
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3092
      • C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
        C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1908

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe

    Filesize

    3.1MB

    MD5

    4581d8db596f027233f51dab3764d4b4

    SHA1

    b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b

    SHA256

    5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05

    SHA512

    6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

  • C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

    Filesize

    1.1MB

    MD5

    97c8fe752e354b2945e4c593a87e4a8b

    SHA1

    03ab4c91535ecf14b13e0258f3a7be459a7957f9

    SHA256

    820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

    SHA512

    af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

  • C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

    Filesize

    56KB

    MD5

    d63851f89c7ad4615565ca300e8b8e27

    SHA1

    1c9a6c1ce94581f85be0e99e2d370384b959578f

    SHA256

    0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

    SHA512

    623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

  • C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

    Filesize

    60KB

    MD5

    90f02d102a066c61308c4007f7381349

    SHA1

    e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09

    SHA256

    c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4

    SHA512

    e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

  • memory/1908-39-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/1908-31-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/1908-18-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/4248-26-0x000000001BA50000-0x000000001BB02000-memory.dmp

    Filesize

    712KB

  • memory/4248-21-0x0000000000650000-0x0000000000974000-memory.dmp

    Filesize

    3.1MB

  • memory/4248-23-0x00007FFF78C10000-0x00007FFF796D1000-memory.dmp

    Filesize

    10.8MB

  • memory/4248-24-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

    Filesize

    64KB

  • memory/4248-25-0x000000001B940000-0x000000001B990000-memory.dmp

    Filesize

    320KB

  • memory/4248-29-0x000000001B910000-0x000000001B922000-memory.dmp

    Filesize

    72KB

  • memory/4248-30-0x000000001B9D0000-0x000000001BA0C000-memory.dmp

    Filesize

    240KB

  • memory/4248-33-0x00007FFF78C10000-0x00007FFF796D1000-memory.dmp

    Filesize

    10.8MB

  • memory/4248-34-0x000000001B6E0000-0x000000001B6F0000-memory.dmp

    Filesize

    64KB

  • memory/4488-0-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4488-14-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/4488-9-0x0000000002320000-0x0000000002334000-memory.dmp

    Filesize

    80KB