Analysis Overview
SHA256
d57cd430c390790a495769b537242d522c25dbec4b01acf7f47b992882c37bfa
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
Quasar payload
Checks computer location settings
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 17:49
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 17:49
Reported
2024-04-07 17:50
Platform
win7-20240221-en
Max time kernel
79s
Max time network
84s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
Files
memory/2176-0-0x00000000013B0000-0x00000000016D4000-memory.dmp
memory/2176-1-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp
memory/2176-2-0x000000001B310000-0x000000001B390000-memory.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | 145193333e64b74823c421d26f035480 |
| SHA1 | f9919b3e81793fc5ccfb48dff30606c08523361c |
| SHA256 | d57cd430c390790a495769b537242d522c25dbec4b01acf7f47b992882c37bfa |
| SHA512 | 353b4e0f96f95b0ba553aaecb4b27e53c6d9fe9625547e2d614820aecd4a5103fb1b7a42d0e4eac055404c384e00ee7d046167f86f6743c374a2a9f5813aaf0a |
memory/2612-7-0x0000000000870000-0x0000000000B94000-memory.dmp
memory/2176-8-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp
memory/2612-9-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp
memory/2612-10-0x000000001AF20000-0x000000001AFA0000-memory.dmp
memory/2612-11-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp
memory/2612-12-0x000000001AF20000-0x000000001AFA0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 17:49
Reported
2024-04-07 17:49
Platform
win10v2004-20240226-en
Max time kernel
37s
Max time network
38s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\Client.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 2.tcp.eu.ngrok.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "54" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2656 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2656 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2656 wrote to memory of 3752 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\SubDir\Client.exe |
| PID 2656 wrote to memory of 3752 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\SubDir\Client.exe |
| PID 3752 wrote to memory of 984 | N/A | C:\Windows\system32\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3752 wrote to memory of 984 | N/A | C:\Windows\system32\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3752 wrote to memory of 3260 | N/A | C:\Windows\system32\SubDir\Client.exe | C:\Windows\System32\shutdown.exe |
| PID 3752 wrote to memory of 3260 | N/A | C:\Windows\system32\SubDir\Client.exe | C:\Windows\System32\shutdown.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39bd055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp |
| DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 57.138.127.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
memory/2656-0-0x0000000000690000-0x00000000009B4000-memory.dmp
memory/2656-1-0x00007FFB77430000-0x00007FFB77EF1000-memory.dmp
memory/2656-2-0x0000000001200000-0x0000000001210000-memory.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | 145193333e64b74823c421d26f035480 |
| SHA1 | f9919b3e81793fc5ccfb48dff30606c08523361c |
| SHA256 | d57cd430c390790a495769b537242d522c25dbec4b01acf7f47b992882c37bfa |
| SHA512 | 353b4e0f96f95b0ba553aaecb4b27e53c6d9fe9625547e2d614820aecd4a5103fb1b7a42d0e4eac055404c384e00ee7d046167f86f6743c374a2a9f5813aaf0a |
memory/3752-9-0x00007FFB77430000-0x00007FFB77EF1000-memory.dmp
memory/2656-8-0x00007FFB77430000-0x00007FFB77EF1000-memory.dmp
memory/3752-10-0x000000001B180000-0x000000001B190000-memory.dmp
memory/3752-11-0x000000001AFA0000-0x000000001AFF0000-memory.dmp
memory/3752-12-0x000000001B940000-0x000000001B9F2000-memory.dmp
memory/3752-15-0x000000001B130000-0x000000001B142000-memory.dmp
memory/3752-16-0x000000001B8C0000-0x000000001B8FC000-memory.dmp
memory/3752-17-0x00007FFB77430000-0x00007FFB77EF1000-memory.dmp
memory/3752-19-0x000000001B180000-0x000000001B190000-memory.dmp
memory/3752-18-0x000000001B180000-0x000000001B190000-memory.dmp
memory/3752-20-0x000000001B180000-0x000000001B190000-memory.dmp
memory/3752-22-0x00007FFB77430000-0x00007FFB77EF1000-memory.dmp