Overview

overview

10

Static

static

10

Contact Card.exe

windows7-x64

10

Contact Card.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    32s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    05/01/2024, 21:56

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Contact Card.exe

  • Size

    376KB

  • MD5

    409b88b2b275353f2ca05983cef1abf5

  • SHA1

    2fc14e18c0b090d55360e60468489aa65e2375f2

  • SHA256

    d56dd549736bda8fd1ebc8ae17c0b642c1df0fb5ce5e824b723d9b3f29da38c3

  • SHA512

    f2729c972505fb76df726b7fc44ce2f96831af4c37acd46dac640be32f9a43f4e32fbde1dbbf230b721bdabf421760e26324732f701491a22ab6962f2b63fbca

  • SSDEEP

    6144:GI6bPXhLApfpebKxMZWnmaxv6prs9NNbgSWVGg9R+1FZ+UsukEXVX:7mhApDmWhIVGg9R+1FPsukEB

Score
10/10
quasarjohnpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

John

C2

202.2.12.13:4782

Mutex

QSR_MUTEX_CxO1HuVkIgYkhY4NA9

Attributes
  • encryption_key

    s52dOq4uyyE0qGeD9OKm

  • install_name

    updater.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Java updater

  • subdirectory

    Java

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Contact Card.exe
    "C:\Users\Admin\AppData\Local\Temp\Contact Card.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1708
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Contact Card.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2896
    • C:\Users\Admin\AppData\Roaming\Java\updater.exe
      "C:\Users\Admin\AppData\Roaming\Java\updater.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2304
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Java\updater.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2660

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Java\updater.exe
          Filesize

          66KB

          MD5

          05df0b211d6c48b40a5c09cbb7524a96

          SHA1

          2f8594c5bfd7b110a308189e06e42b7cd18b3503

          SHA256

          5b0b5cd0b63d6b5255351b787a0fe0b75f5860301522d3ebd790fd3b14837cfd

          SHA512

          b27032c001d467ba57836de1194e6360bc88b0a0bf9728aa420941c08e10d43af1d235a7f26860f550d2f185e546759ff31162c3f242995e2bfb3bc5ed838586

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Java\updater.exe
          Filesize

          13KB

          MD5

          c78b49607d205c66abcedcdfc510cce0

          SHA1

          23bd14df1f561754bbef5c5900f3205c33f4663b

          SHA256

          99fd327308d50a0bbefe49ecd64fff1d55aaabd7934eeac29a82215d7b6d5a25

          SHA512

          05cc574af46f032d08bc9ae84508cd4ad1c4ce3342525c9e7368d3728d95d723ddf6deb7b6947d0379c49a5ebf48740b78bade9f9b3e4116fb6f706c2c932ce2

          Download Submit

        • \Users\Admin\AppData\Roaming\Java\updater.exe
          Filesize

          98KB

          MD5

          d49bb5ebd671dd1dbbd399e045901078

          SHA1

          793267b11f77b856131cc8e9f28a004d91a02c78

          SHA256

          e1734acf0461bf6967a7c5e8956728483629bd2c48ac74f352566bb6dc934a4b

          SHA512

          ce57151cc16943d590c50dbe009ed98af50f11e7b589f0c063c0f68cb5c05b78ece46f8a80f226ff06c95668b477044f3e56b652210d83b705a1937ad6bebdca

          Download Submit

        • memory/1708-0-0x0000000074370000-0x0000000074A5E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1708-7-0x0000000074370000-0x0000000074A5E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1708-2-0x00000000049C0000-0x0000000004A00000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1708-11-0x00000000049C0000-0x0000000004A00000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1708-1-0x00000000001C0000-0x0000000000224000-memory.dmp

          Filesize

          400KB

          Download

        • memory/1708-14-0x0000000074370000-0x0000000074A5E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2304-12-0x0000000001070000-0x00000000010D4000-memory.dmp

          Filesize

          400KB

          Download

        • memory/2304-13-0x0000000074370000-0x0000000074A5E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2304-16-0x0000000074370000-0x0000000074A5E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2304-17-0x0000000004B50000-0x0000000004B90000-memory.dmp

          Filesize

          256KB

          Download