Analysis

  • max time kernel
    142s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  • submitted
    07-12-2023 19:36

General

  • Target

    e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe

  • Size

    3.7MB

  • MD5

    cf3e191984d67cc23e9801c1f34aef0c

  • SHA1

    e077f254fab7ac5c1150925866fac997ee008237

  • SHA256

    e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53

  • SHA512

    0f60baf1d8a8177dfe45d603ba82181e528f1b62e4b54881fc5c7ff77e4cf2c1feef9d6bd5e697b216aeb9063e013298f26ec572226de5cfd965ce3a61239904

  • SSDEEP

    98304:cv722SsaNYfdPBldt6+dBcjHgefqLXKpsvD/D+donCYUV:ac7jFIj7/A1Yc

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

106.160.59.123:5468

Mutex

ecbc8241-f6e8-43af-bfa9-9d8fb968ba89

Attributes
  • encryption_key

    B6D85D96313E99A28BC1E8EFB817AC6FE38CBB98

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe
    "C:\Users\Admin\AppData\Local\Temp\e90e101038e5059907d0f3540ab8e7a4ff2f380f00c3a35d23e13e80f8160a53exe.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Users\Admin\AppData\Local\Temp\\Client-built.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2384
      • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
        C:\Users\Admin\AppData\Local\Temp\\Client-built.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2612
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c start C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
        C:\Users\Admin\AppData\Local\Temp\\ÓÎÏ·ÄÚ´æÊÍ·Å.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2624

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe

    Filesize

    3.1MB

    MD5

    4581d8db596f027233f51dab3764d4b4

    SHA1

    b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b

    SHA256

    5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05

    SHA512

    6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

  • C:\Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

    Filesize

    60KB

    MD5

    90f02d102a066c61308c4007f7381349

    SHA1

    e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09

    SHA256

    c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4

    SHA512

    e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

  • \Users\Admin\AppData\Local\Temp\Client-built.exe

    Filesize

    3.1MB

    MD5

    4581d8db596f027233f51dab3764d4b4

    SHA1

    b9de18c073f3e40e7fb56a7c2b99c1fff8e6750b

    SHA256

    5b156481362beac5abeb59112d90be64124dd70e3dffb6cc106323abf1b90b05

    SHA512

    6e358404f57c391cee1e89f6026c2ae942ea411b09862c07e449fc4a2831454092e26bf1f471156584be3fe253775a805e6d6c1211d239e55ef46237d9889a2b

  • \Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

    Filesize

    1.1MB

    MD5

    97c8fe752e354b2945e4c593a87e4a8b

    SHA1

    03ab4c91535ecf14b13e0258f3a7be459a7957f9

    SHA256

    820d8dd49baed0da44d42555ad361d78e068115661dce72ae6578dcdab6baead

    SHA512

    af4492c08d6659d21ebfefe752b0d71210d2542c1788f1d2d9f86a85f01c3dd05eebf61c925e18b5e870aec7e9794e4a7050a04f4c58d90dca93324485690bcc

  • \Users\Admin\AppData\Local\Temp\E_4\shell.fne

    Filesize

    56KB

    MD5

    d63851f89c7ad4615565ca300e8b8e27

    SHA1

    1c9a6c1ce94581f85be0e99e2d370384b959578f

    SHA256

    0a6ae72df15cbca21c6af32bc2c13ca876e191008f1078228b3b98add9fc9d8d

    SHA512

    623e9e9beb5d2a9f3a6a75e5fac9dda5b437246fd3b10db4bba680f61bc68aae6714f11a12938b7d22b1c7691f45a75c4406ba06fa901da8ce05e784038970d2

  • \Users\Admin\AppData\Local\Temp\ÓÎÏ·ÄÚ´æÊÍ·Å.exe

    Filesize

    60KB

    MD5

    90f02d102a066c61308c4007f7381349

    SHA1

    e7eff6d61d3516ad63d5d95cbd87d568b5a3fc09

    SHA256

    c406aba9676bd1624db08aa60acd6e65c39259a97bbb31b479ac0fec519d4df4

    SHA512

    e845dc46b1298eba2efb96d930a8c09b8f4745c50c7c3c31c0ecfd633b5c44487d30b361d56ad964ddb539a489faea797a9d7109db478e9004b99acc5e1415e5

  • memory/1580-6-0x0000000000300000-0x0000000000314000-memory.dmp

    Filesize

    80KB

  • memory/1580-0-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/1580-10-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2612-21-0x0000000000180000-0x00000000004A4000-memory.dmp

    Filesize

    3.1MB

  • memory/2612-22-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

    Filesize

    9.9MB

  • memory/2612-23-0x0000000000940000-0x00000000009C0000-memory.dmp

    Filesize

    512KB

  • memory/2612-27-0x000007FEF5840000-0x000007FEF622C000-memory.dmp

    Filesize

    9.9MB

  • memory/2612-28-0x0000000000940000-0x00000000009C0000-memory.dmp

    Filesize

    512KB

  • memory/2624-24-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2624-33-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2624-40-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2968-19-0x0000000000160000-0x0000000000197000-memory.dmp

    Filesize

    220KB

  • memory/2968-15-0x0000000000160000-0x0000000000197000-memory.dmp

    Filesize

    220KB

  • memory/2968-25-0x0000000000160000-0x0000000000197000-memory.dmp

    Filesize

    220KB