Analysis Overview
SHA256
2161ac1f32f0aeb9b968e28924c52a5c77b06197275266fb7fcc7242523d614e
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar family
Quasar RAT
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-31 23:55
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-31 23:54
Reported
2023-12-31 23:58
Platform
win10-20231215-en
Max time kernel
126s
Max time network
168s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4624 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4624 wrote to memory of 1296 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4624 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 4624 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 868 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 868 wrote to memory of 1188 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.17:56251 | tcp | |
| US | 8.8.8.8:53 | 17.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
memory/4624-0-0x0000000000D80000-0x00000000010A4000-memory.dmp
memory/4624-1-0x00007FFD69000000-0x00007FFD699EC000-memory.dmp
memory/4624-2-0x000000001BCF0000-0x000000001BD00000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | a88a8a76270599f61ed3c1f25a0b79b4 |
| SHA1 | a2211f01f55970ae068fa02fc2b284d2f2e80b81 |
| SHA256 | 579aa3ca85e6148ba288e6fd41cf3813963c7db4086dd7da512ee0e10374003e |
| SHA512 | 49259b08217fb35fc8d6c66ebf5bbbda67a20ba9d3d4f4b313fa470d287422325215f9d99da4eb2ab4fa00a814baecd0d7110d7b40f64cca3391bedb572b8573 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b7a4c11b2565e09e8239ec0abc08b4b0 |
| SHA1 | 78464c39bbc485f84bca1dc9b6cafa7b654d348d |
| SHA256 | 88f5669612d1f84e763e10bdf8835cafcd9f7490973aa69b4aaa283a8548b84d |
| SHA512 | b6fe702b2a49f937e650e81adc19d70134919f5094d718c12da6d7971c487be2269eb83be08bccbe366c0f8762ca116eb0ab3f994a7a90102f1956e99a2aea6b |
memory/4624-8-0x00007FFD69000000-0x00007FFD699EC000-memory.dmp
memory/868-9-0x00007FFD69000000-0x00007FFD699EC000-memory.dmp
memory/868-10-0x000000001B500000-0x000000001B510000-memory.dmp
memory/868-11-0x000000001BEB0000-0x000000001BF00000-memory.dmp
memory/868-12-0x000000001BFC0000-0x000000001C072000-memory.dmp
memory/868-13-0x00007FFD69000000-0x00007FFD699EC000-memory.dmp
memory/868-14-0x000000001B500000-0x000000001B510000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-31 23:54
Reported
2023-12-31 23:58
Platform
win10v2004-20231215-en
Max time kernel
67s
Max time network
73s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 844 wrote to memory of 4036 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 844 wrote to memory of 4036 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 844 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 844 wrote to memory of 556 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 556 wrote to memory of 4476 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 556 wrote to memory of 4476 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 147.185.221.17:56251 | tcp | |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 17.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 147.185.221.17:56251 | tcp | |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 147.185.221.17:56251 | tcp | |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 147.185.221.17:56251 | tcp | |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 147.185.221.17:56251 | tcp | |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 147.185.221.17:56251 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 147.185.221.17:56251 | tcp | |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 147.185.221.17:56251 | tcp | |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 147.185.221.17:56251 | tcp | |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| GB | 96.17.178.180:80 | tcp |
Files
memory/844-0-0x0000000000C10000-0x0000000000F34000-memory.dmp
memory/844-2-0x00000000030B0000-0x00000000030C0000-memory.dmp
memory/844-1-0x00007FF828990000-0x00007FF829451000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 8f5650f2b5d261f5b85eedf43666a46d |
| SHA1 | ed3db305f64f16af33b2dc18aadfc3d0e23d7258 |
| SHA256 | 406147ae15c87184947c806270e5b7bd6df11fd4a52d81f1030317400975c013 |
| SHA512 | eecfe18de584ceb99af8b821beb1ac34a2dcf0f3b586881d492f6aab8428ea29cc85bc590d21f1dfb372579b2ef22f6ac49a1685dad40b05eee266bffbd9fdbd |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | caf9771bfcd57dc716652fb1836bdced |
| SHA1 | 870468f5f96a602e7fcc46d9da97cd0e320292e0 |
| SHA256 | d6536e153219bdc7042232d051f07a70f696a3dde5ac7ea90287ac1fd8bf5751 |
| SHA512 | bf01542f39b8cf558901d8b19d0fd8560c99846f69e73fae94fd3b403f205660611f59c1b5cf54015a571aae7711f0b15e0d5cd43ae61e2253138d73b135765c |
memory/844-8-0x00007FF828990000-0x00007FF829451000-memory.dmp
memory/556-9-0x00007FF828990000-0x00007FF829451000-memory.dmp
memory/556-10-0x0000000002D60000-0x0000000002D70000-memory.dmp
memory/556-11-0x000000001C4A0000-0x000000001C4F0000-memory.dmp
memory/556-12-0x000000001C5B0000-0x000000001C662000-memory.dmp
memory/556-13-0x00007FF828990000-0x00007FF829451000-memory.dmp
memory/556-14-0x0000000002D60000-0x0000000002D70000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-12-31 23:54
Reported
2023-12-31 23:58
Platform
win11-20231215-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5116 wrote to memory of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 5116 wrote to memory of 3736 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 5116 wrote to memory of 4128 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 5116 wrote to memory of 4128 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 4128 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4128 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.17:56251 | tcp | |
| US | 8.8.8.8:53 | 17.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.17:56251 | tcp | |
| US | 147.185.221.17:56251 | tcp | |
| US | 147.185.221.17:56251 | tcp | |
| US | 147.185.221.17:56251 | tcp | |
| US | 147.185.221.17:56251 | tcp | |
| US | 147.185.221.17:56251 | tcp | |
| N/A | 52.168.117.168:443 | tcp |
Files
memory/5116-0-0x0000000000D80000-0x00000000010A4000-memory.dmp
memory/5116-1-0x00007FFA79080000-0x00007FFA79B42000-memory.dmp
memory/5116-2-0x00000000018F0000-0x0000000001900000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 2c5219a73957083cdb849886c28c9735 |
| SHA1 | 01bd1932cb59b8ba4c68c6c5c86724e944803d7a |
| SHA256 | b95d63753f15677b9b71f30e325c1182d79abaeda78caea1cf56cb97767c8650 |
| SHA512 | b3689f3870e8b68cdc17b4c82d4046c325f7d2944e42688f5218e1c6bd2bbdb98f6489fd3704d634fe8d821133b3c8e0c7c8c799f2a036c23ee2eb0f94a78283 |
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | 5bd094fa59803313446c0a1a59f493c3 |
| SHA1 | ad854d5cb57d7fdfce273c34047135b98357f8ce |
| SHA256 | 23126c237ef94abf54c0c194955de04ee70a67a730b31628867f35a9f0cce9d3 |
| SHA512 | dac096433a4631fa4246d2233845b4e6d23cde8f3251300726f2cd28c20747d59e4437b6fb37d8ff132691dd0e1d7304108721e687d24adf4eccf419e9012656 |
memory/5116-8-0x00007FFA79080000-0x00007FFA79B42000-memory.dmp
memory/4128-9-0x00007FFA79080000-0x00007FFA79B42000-memory.dmp
memory/4128-10-0x000000001BDE0000-0x000000001BDF0000-memory.dmp
memory/4128-11-0x000000001CDA0000-0x000000001CDF0000-memory.dmp
memory/4128-12-0x000000001CEB0000-0x000000001CF62000-memory.dmp
memory/4128-13-0x00007FFA79080000-0x00007FFA79B42000-memory.dmp
memory/4128-14-0x000000001BDE0000-0x000000001BDF0000-memory.dmp