Malware Analysis Report

2025-04-13 12:14

Sample ID 240330-cgl9jaef9x
Target Hunters Cheeto.exe
SHA256 f26e49e9ee43830c241200161ca59ddec1ac840745ce73a3d9163c190f41824c
Tags
spoofer quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f26e49e9ee43830c241200161ca59ddec1ac840745ce73a3d9163c190f41824c

Threat Level: Known bad

The file Hunters Cheeto.exe was found to be: Known bad.

Malicious Activity Summary

spoofer quasar spyware trojan

Quasar family

Quasar RAT

Quasar payload

Executes dropped EXE

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-30 02:02

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-30 02:02

Reported

2024-03-30 02:05

Platform

win7-20240221-en

Max time kernel

130s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hunters Cheeto.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Hunters Cheeto.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (42 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (42 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Hunters Cheeto.exe

"C:\Users\Admin\AppData\Local\Temp\Hunters Cheeto.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "AMD" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe

"C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "AMD" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe" /rl HIGHEST /f

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe"

Network

Country Destination Domain Proto
N/A 192.168.1.9:4782 tcp (3 connections)
US 47.13.251.179:4782 tcp (3 connections)

Files

memory/2484-0-0x0000000000290000-0x00000000005B4000-memory.dmp

memory/2484-1-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

memory/2484-2-0x000000001B1B0000-0x000000001B230000-memory.dmp

C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe

MD5 7564f035316f6099b1ef442c007fb351
SHA1 6f4530ab0c6d42632a6be94d1d670e0ae5da4f1d
SHA256 f26e49e9ee43830c241200161ca59ddec1ac840745ce73a3d9163c190f41824c
SHA512 23d74bdaab5a8916a7d7f5dd3a95b92774a93897f3be6d7021be92974400cd1c2bea90de3ff258bc9fbef4e6ef261bf79de6cde795f1f86a871c00c5b034f1e9

memory/2484-8-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

memory/2552-9-0x0000000001340000-0x0000000001664000-memory.dmp

memory/2552-10-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

memory/2552-11-0x000000001B110000-0x000000001B190000-memory.dmp

memory/2552-13-0x000007FEF5D30000-0x000007FEF671C000-memory.dmp

memory/2476-14-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2476-15-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2552-16-0x000000001B110000-0x000000001B190000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-30 02:02

Reported

2024-03-30 02:05

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Hunters Cheeto.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Hunters Cheeto.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Hunters Cheeto.exe

"C:\Users\Admin\AppData\Local\Temp\Hunters Cheeto.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "AMD" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe

"C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "AMD" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 41.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
N/A 192.168.1.9:4782 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 47.13.251.179:4782 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
N/A 192.168.1.9:4782 tcp
US 8.8.8.8:53 19.134.221.88.in-addr.arpa udp
US 47.13.251.179:4782 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
N/A 192.168.1.9:4782 tcp
US 47.13.251.179:4782 tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

memory/5004-0-0x0000000000940000-0x0000000000C64000-memory.dmp

memory/5004-1-0x00007FFFCCF50000-0x00007FFFCDA11000-memory.dmp

memory/5004-2-0x0000000002D50000-0x0000000002D60000-memory.dmp

C:\Users\Admin\AppData\Roaming\AMD\Graphics.exe

MD5 7564f035316f6099b1ef442c007fb351
SHA1 6f4530ab0c6d42632a6be94d1d670e0ae5da4f1d
SHA256 f26e49e9ee43830c241200161ca59ddec1ac840745ce73a3d9163c190f41824c
SHA512 23d74bdaab5a8916a7d7f5dd3a95b92774a93897f3be6d7021be92974400cd1c2bea90de3ff258bc9fbef4e6ef261bf79de6cde795f1f86a871c00c5b034f1e9

memory/5004-9-0x00007FFFCCF50000-0x00007FFFCDA11000-memory.dmp

memory/4876-10-0x00007FFFCCF50000-0x00007FFFCDA11000-memory.dmp

memory/4876-11-0x000000001BC80000-0x000000001BC90000-memory.dmp

memory/4876-12-0x000000001C3D0000-0x000000001C420000-memory.dmp

memory/4876-13-0x000000001C4E0000-0x000000001C592000-memory.dmp

memory/4876-14-0x00007FFFCCF50000-0x00007FFFCDA11000-memory.dmp