Analysis
-
max time kernel
146s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
11/03/2024, 17:28
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
8a0a8b83da8dbe8dfb6dae64556d39d7
-
SHA1
d3dd4e87ea883b4084240b923f2f80c9aadfed14
-
SHA256
eb46d0e15cd35a1864d8937e2d4df8943db939ee477e9966abe21697c5cd15bf
-
SHA512
6b268804a5811dfaa4476b40097c7edab76484859ac2fdfa387d94ee78ac9d9998da9eb5163495085e16ccf60f1842a895cc4c58be3faae5a5241631ad9863c7
-
SSDEEP
49152:/vRuf2NUaNmwzPWlvdaKM7ZxTwD3RJ6CbR3LoGdjQxTHHB72eh2NT:/vsf2NUaNmwzPWlvdaB7ZxTwD3RJ68
Malware Config
Extracted
quasar
1.4.1
GetRatted
uk2.localto.net:443
uk2.localto.net:32941
uk2.localto.net:4782
994c2285-849b-4fdc-b619-27d9587c3b49
-
encryption_key
7AE765C52213CCEA26FAE79A12777B2DAB755385
-
install_name
Minecraft.exe
-
log_directory
Steam WebHelper
-
reconnect_delay
3000
-
startup_key
Steam WebHelper
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Steam WebHelper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Minecraft.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Minecraft.exe"C:\Users\Admin\AppData\Roaming\SubDir\Minecraft.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Steam WebHelper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Minecraft.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD58a0a8b83da8dbe8dfb6dae64556d39d7
SHA1d3dd4e87ea883b4084240b923f2f80c9aadfed14
SHA256eb46d0e15cd35a1864d8937e2d4df8943db939ee477e9966abe21697c5cd15bf
SHA5126b268804a5811dfaa4476b40097c7edab76484859ac2fdfa387d94ee78ac9d9998da9eb5163495085e16ccf60f1842a895cc4c58be3faae5a5241631ad9863c7
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
512KB
-
Filesize
9.9MB
-
Filesize
512KB