Analysis

  • max time kernel
    141s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-04-2024 15:27

General

  • Target

    2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe

  • Size

    4.7MB

  • MD5

    bc03059f709594662ca9f9f0e33bc7bd

  • SHA1

    b7dc7b3175d7d99714280629c232788f7a7b8e18

  • SHA256

    5855aec848037736bc17bb493f326b5354022bba6c3767755dc8a415adc34e2d

  • SHA512

    60e44dd84172edb91e0d17b9cdd6feadc81502667c0316c7c5bd760d425e667cf2b05e648f7d68aead2911cd4dd28775866cea7e96101fd1514bb183f8514dac

  • SSDEEP

    98304:yCu0aTxAvr22SsaNYfdPBldt6+dBcjHtKRJ6BrIbzZ6IbzZR:TaN+M7jGI0Hj

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

mx5.deitie.asia:4495

Mutex

ebbf737a-dddd-43dd-9b0a-74831302455d

Attributes
  • encryption_key

    F8516D89A1DFD78BD8FF575BBC3AE828B47FF0E1

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open-source .NET remote access tool. The extracted configuration matches its stock install routine: the client copies itself to %APPDATA%\<subdirectory>\<install_name> (here SubDir\Client.exe), registers a logon-time scheduled task named after startup_key ("Quasar Client Startup"), and retries the C2 connection after reconnect_delay (3000, in milliseconds). Note that the submitted filename tags the sample as IcedID/xRAT, but the extracted config and the runtime behaviour below are Quasar.

  • Quasar payload 2 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 2 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects executables containing common artifacts observed in infostealers 2 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or post-infection execution. In this run it is invoked twice with the same task name and /f (force overwrite): once by the Startup-folder copy (sign.exe, PID 2532) and once by the installed copy (Client.exe, PID 2300). The task fires at every logon (/sc ONLOGON), asks for the highest available privilege level (/rl HIGHEST), and its action points at a user-writable path under %APPDATA%, so the payload can be swapped without touching the task.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-16_bc03059f709594662ca9f9f0e33bc7bd_icedid_xrat.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\sign.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:3480
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:3652
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1244
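The persistence chain in the process tree above (a drop into the per-user Startup folder, then schtasks registering a logon-triggered, highest-privilege task whose action lives under %APPDATA%) is the part of this report most worth turning into detection logic. The following is an added example, not code from the sandbox or from the Quasar project. It assumes a minimal constructed "parent|image|command line" event format (not real telemetry); the command lines are copied from the tree above, plus a benign schtasks invocation as a negative control. The ATT&CK mappings used are T1547.001 (Startup Folder) and T1053.005 (Scheduled Task).

```python
"""Flag Startup-folder execution (T1547.001) and suspicious schtasks /create
invocations (T1053.005) in process-creation events. Added example, not part of
the sandbox report or of Quasar; the event format below is an assumption."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique ID
    reason: str
    event: Event


# Constructed sample log; command lines mirror the report's process tree.
SAMPLE_LOG = "\n".join([
    r"C:\Users\Admin\AppData\Local\Temp\sample.exe|"
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe|"
    r'"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\sign.exe"',
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe|"
    r"C:\Windows\SYSTEM32\schtasks.exe|"
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
    r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f',
    # The installed copy re-registers the same task (second schtasks in the tree).
    r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe|C:\Windows\SYSTEM32\schtasks.exe|"
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
    r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f',
    # Benign control: an administrator scheduling a nightly job under Program Files.
    r"C:\Windows\System32\cmd.exe|C:\Windows\System32\schtasks.exe|"
    r'schtasks /create /tn "Nightly Backup" /sc DAILY /st 02:00 '
    r'/tr "C:\Program Files\Backup\backup.exe"',
])

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)
AUTOSTART_TRIGGERS = {"onlogon", "onstart"}


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double-quoted arguments."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(tokens: list[str]) -> dict[str, str]:
    """Map schtasks options to values; valueless switches such as /create or /f map to ''."""
    opts: dict[str, str] = {}
    i = 1  # tokens[0] is the image
    while i < len(tokens):
        if tokens[i].startswith("/"):
            name = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[name] = tokens[i + 1]
                i += 1
            else:
                opts[name] = ""
        i += 1
    return opts


def analyse(event: Event) -> list[Finding]:
    findings = []
    if STARTUP_FOLDER.search(event.image):
        findings.append(Finding("T1547.001", "executable run from per-user Startup folder", event))
    if event.image.lower().endswith("\\schtasks.exe"):
        opts = parse_schtasks(split_cmdline(event.command_line))
        if "create" in opts:
            reasons = []
            if opts.get("sc", "").lower() in AUTOSTART_TRIGGERS:
                reasons.append(f"autostart trigger /sc {opts['sc']}")
            if opts.get("rl", "").lower() == "highest":
                reasons.append("/rl HIGHEST requests elevation")
            if USER_WRITABLE.search(opts.get("tr", "")):
                reasons.append("action lives in a user-writable path")
            if "f" in opts:
                reasons.append("/f silently overwrites an existing task")
            # Require two indicators so ordinary admin-created tasks do not fire.
            if len(reasons) >= 2:
                findings.append(Finding("T1053.005", "; ".join(reasons), event))
    return findings


def scan(text: str) -> list[Finding]:
    events = [Event(*line.split("|", 2)) for line in text.splitlines() if line.strip()]
    return [f for ev in events for f in analyse(ev)]


def task_name_counts(findings: list[Finding]) -> dict[str, int]:
    # A name registered more than once is the dropper-then-installed-copy pattern.
    counts: dict[str, int] = {}
    for f in findings:
        if f.technique == "T1053.005":
            name = parse_schtasks(split_cmdline(f.event.command_line)).get("tn", "")
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.technique}  {f.event.image}\n    {f.reason}")
    print("task registrations:", task_name_counts(hits))
```

The two-indicator threshold is the design choice to tune: a single ONLOGON task is common in legitimate software, but ONLOGON combined with /rl HIGHEST and an action under AppData is rare outside malware installers, and seeing the same task name registered twice in one session is the dropper-then-installed-copy sequence this report records.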

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe

      Filesize

      3.1MB

      MD5

      7498d554976744dfbd271ba755c6c192

      SHA1

      ec733d01e776518e387d2f51d1a6559b81f03b1e

      SHA256

      44089202623b9671051aa5bba5e72f81f68ce818c3054dde57726aaa6dcb9ff7

      SHA512

      d4e987d0e6235001fac4ae3a634e8fe98c6830e26a6a6876fbc36262842688d3ec301cff75003d2af695cdfd357ac50919946695b7d5d3293ebcba97153e1030

    • memory/2300-14-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

      Filesize

      10.8MB

    • memory/2300-15-0x000000001BD60000-0x000000001BD70000-memory.dmp

      Filesize

      64KB

    • memory/2300-16-0x000000001BC80000-0x000000001BCD0000-memory.dmp

      Filesize

      320KB

    • memory/2300-17-0x000000001C990000-0x000000001CA42000-memory.dmp

      Filesize

      712KB

    • memory/2300-18-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

      Filesize

      10.8MB

    • memory/2300-19-0x000000001BD60000-0x000000001BD70000-memory.dmp

      Filesize

      64KB

    • memory/2532-4-0x0000000000D20000-0x0000000001044000-memory.dmp

      Filesize

      3.1MB

    • memory/2532-5-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

      Filesize

      10.8MB

    • memory/2532-6-0x0000000001830000-0x0000000001840000-memory.dmp

      Filesize

      64KB

    • memory/2532-13-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

      Filesize

      10.8MB