Overview

overview

10

Static

static

10

yourcute.exe

windows7-x64

10

yourcute.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-03-2024 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    yourcute.exe

  • Size

    3.1MB

  • MD5

    561d2b135a6200ef094b222eb47af87a

  • SHA1

    4db2f2254cae3695a0ffa7ccdc13097db254cd8c

  • SHA256

    c458feb66832df6a0c361d951c60bcda34c4f5c82652d25c5e4a1aa4c41d8d94

  • SHA512

    6bd32a9099968b13150a16ee919684e319a67a55dc436fb36157901528e5ccf0283daecdafd07876186f00af13a3bba170a6328926156578a2c06455772b0094

  • SSDEEP

    49152:mvyI22SsaNYfdPBldt698dBcjHHCy1JcLoGdVWTHHB72eh2NT:mvf22SsaNYfdPBldt6+dBcjHHCv

Score
10/10
quasarslavespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

140.238.91.110:36039

Mutex

df49f69a-66a2-4b6e-bb60-18c12b5b14df

Attributes
  • encryption_key

    6A1671418BB270D703D501AB8E9B41E8D413B6D3

  • install_name

    Client.exe

  • log_directory

    Win64ErrorLogs

  • reconnect_delay

    3000

  • startup_key

    Windows Boot Menu

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\yourcute.exe
    "C:\Users\Admin\AppData\Local\Temp\yourcute.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Windows Boot Menu" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2556
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Windows Boot Menu" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Filesize

    2.7MB

    MD5

    c101ba1c585206ab49c95b74423b0e49

    SHA1

    900d74e76968f2a9dd862e6a897667a0b47342ad

    SHA256

    a9895e8144afc423748ba3f0fe99e3a045575af36fed0d3c5f3e2da9cf94244f

    SHA512

    82f00a979cb1f15e8ea385d0b3862bc3f3aac9389d4e1a3b1fb866d78d90aa191bec581b901fdd2aa8284eaa1db78a20da76d32891eeeb0cf89b3e537e4075ad

    Download Submit
  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Filesize

    1.8MB

    MD5

    641854bf022f7d0cead3b2d0d00b6433

    SHA1

    8221406a7dfda55a2341ecde49196e8765644b8f

    SHA256

    b194c645f147d750b0cb333da8529668398805488bd3aa4b9f372af3ca71a877

    SHA512

    b52cbbad3b33a094b2af75b61e1ea130a8f6cc99f40575e3198f78dc9437e5b705af3b07941a276bea417ba9846c5d9453ca92ea47e32b01e88b25ac2e18ac03

    Download Submit
  • memory/2600-0-0x0000000001160000-0x0000000001484000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/2600-1-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2600-2-0x000000001B460000-0x000000001B4E0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2600-11-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2644-8-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2644-9-0x0000000000830000-0x0000000000B54000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/2644-10-0x000000001B2E0000-0x000000001B360000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2644-12-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2644-13-0x000000001B2E0000-0x000000001B360000-memory.dmp
    Filesize

    512KB

    Download