Analysis Overview
SHA256
3c7c1b6d7a9146cf899b396f23aa03e715a8ef82f92f2c2642904599cfffd773
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-01-04 17:52
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-04 17:52
Reported
2024-01-04 17:55
Platform
win10v2004-20231215-en
Max time kernel
74s
Max time network
88s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| HU | 89.134.3.9:1177 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 66.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| HU | 89.134.3.9:1177 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| HU | 89.134.3.9:1177 | | tcp |
| US | 8.8.8.8:53 | 202.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.134.221.88.in-addr.arpa | udp |
| HU | 89.134.3.9:1177 | | tcp |
Files
memory/4340-0-0x0000000000650000-0x0000000000974000-memory.dmp
memory/4340-1-0x00007FF817020000-0x00007FF817AE1000-memory.dmp
memory/4340-2-0x000000001B5A0000-0x000000001B5B0000-memory.dmp
memory/4340-3-0x000000001BC40000-0x000000001BC90000-memory.dmp
memory/4340-4-0x000000001BD50000-0x000000001BE02000-memory.dmp
memory/4340-5-0x00007FF817020000-0x00007FF817AE1000-memory.dmp
memory/4340-6-0x000000001B5A0000-0x000000001B5B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-04 17:52
Reported
2024-01-04 17:57
Platform
win11-20231215-en
Max time kernel
139s
Max time network
161s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
Network
| Country | Destination | Domain | Proto |
| HU | 89.134.3.9:1177 | | tcp |
| HU | 89.134.3.9:1177 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| HU | 89.134.3.9:1177 | | tcp |
| HU | 89.134.3.9:1177 | | tcp |
| HU | 89.134.3.9:1177 | | tcp |
| HU | 89.134.3.9:1177 | | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
memory/5080-0-0x0000000000710000-0x0000000000A34000-memory.dmp
memory/5080-1-0x00007FFA15EA0000-0x00007FFA16962000-memory.dmp
memory/5080-2-0x000000001B800000-0x000000001B810000-memory.dmp
memory/5080-3-0x000000001BE10000-0x000000001BE60000-memory.dmp
memory/5080-4-0x000000001BF20000-0x000000001BFD2000-memory.dmp
memory/5080-5-0x00007FFA15EA0000-0x00007FFA16962000-memory.dmp
memory/5080-6-0x000000001B800000-0x000000001B810000-memory.dmp