Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
25-03-2024 15:17
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
2c452681aaf7e08b26eec0c3e5778bd2
-
SHA1
f9a3d4ad1b623f2f52ff60a51c35f5a6817c12f2
-
SHA256
acaa51b406aa9cef4c6ac4d6d57b91b0dd2d07a9f6333b69e742796a367ff010
-
SHA512
c321ff90d512b067ea2c617a07224b6756092318ef3d3175d0c1a00eaa7b9a0cc6976314e00fce4ebec9877d8c4ca8ade23d51e003d3f28317702c57b0541384
-
SSDEEP
49152:evBt62XlaSFNWPjljiFa2RoUYI31LBrTMfxdoGdalTHHB72eh2NT:evr62XlaSFNWPjljiFXRoUYI35BrCq
Score
10/10
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
test
C2
192.168.1.42:4782
Mutex
95ad66d9-3637-453f-943d-33d2a2c49feb
Attributes
-
encryption_key
3A52ADE42ED9473E5578959627082144C8887BFE
-
install_name
winreset.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Discord
-
subdirectory
Boot
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1676-0-0x00000000013A0000-0x00000000016C4000-memory.dmpFilesize
3.1MB
-
memory/1676-1-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmpFilesize
9.9MB
-
memory/1676-2-0x0000000001310000-0x0000000001390000-memory.dmpFilesize
512KB
-
memory/1676-3-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmpFilesize
9.9MB
-
memory/1676-4-0x0000000001310000-0x0000000001390000-memory.dmpFilesize
512KB