Analysis Overview
SHA256
0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920
Threat Level: Known bad
The file 0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920 was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Detects .NET executables utilizing NyanX-CAT C# Loader
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables containing common artifacts observed in infostealers
Detects Windows executables referencing non-Windows User-Agents
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-14 17:20
Signatures
Detects .NET executables utilizing NyanX-CAT C# Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-14 17:20
Reported
2024-03-14 17:23
Platform
win7-20240220-en
Max time kernel
144s
Max time network
145s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects .NET executables utilizing NyanX-CAT C# Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2340 set thread context of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe
"C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pentestpenguin-56392.portmap.host | udp |
| DE | 193.161.193.99:56392 | pentestpenguin-56392.portmap.host | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-14 17:20
Reported
2024-03-14 17:23
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects .NET executables utilizing NyanX-CAT C# Loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing common artifacts observed in infostealers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3128 set thread context of 4120 | N/A | C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe
"C:\Users\Admin\AppData\Local\Temp\0a988680e64eaecc70cd3644925c20c3772f8e12c17652bac6eee2596a03e920.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Network
Files