Overview

overview

10

Static

static

3

Pogingenc.exe

windows7-x64

10

Pogingenc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    30/04/2024, 03:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pogingenc.exe

  • Size

    6.0MB

  • MD5

    4d05ea664b21ab95e888f456afa1a7a8

  • SHA1

    b4ddeb5b9c83cd8ff02004f52751d1298212a37c

  • SHA256

    0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50

  • SHA512

    05825d447257267ab9079f15f31565dc7bf88dc6293ccf9ca93bee67a63ef1a68ee29b5a54d33336a4864e326b90239fc34b13831e1243b1390a96f5214aad20

  • SSDEEP

    98304:aBDvEtGdg2pgJTJSCYLCWcpc2tlbWvKUeR+T8u0:aBDt9gJTXYGWcRtlivOA

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes
  • encryption_key

    534734397C0FA9A1D28F061AD75DF4100BFF5787

  • install_name

    Msconfig.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 5 IoCs
  • Executes dropped EXE 2 IoCs
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Pogingenc.exe
    "C:\Users\Admin\AppData\Local\Temp\Pogingenc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2932
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2724
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\mstools"
      2⤵
        PID:2720
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2740
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
          3⤵
          • Creates scheduled task(s)
          PID:2488
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\Pogingenc.exe" "C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe"
        2⤵
          PID:2476
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {776116C9-9C41-49B8-A913-7850802DE16E} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:2692
        • C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe
          C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:2344
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:2784
          • C:\Windows\SysWOW64\cmd.exe
            "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\mstools"
            3⤵
              PID:1668
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1256
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
                4⤵
                • Creates scheduled task(s)
                PID:1800
            • C:\Windows\SysWOW64\cmd.exe
              "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe" "C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe"
              3⤵
                PID:1732
            • C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe
              C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe
              2⤵
              • Executes dropped EXE
              PID:928

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe
            Filesize

            6.0MB

            MD5

            4d05ea664b21ab95e888f456afa1a7a8

            SHA1

            b4ddeb5b9c83cd8ff02004f52751d1298212a37c

            SHA256

            0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50

            SHA512

            05825d447257267ab9079f15f31565dc7bf88dc6293ccf9ca93bee67a63ef1a68ee29b5a54d33336a4864e326b90239fc34b13831e1243b1390a96f5214aad20

            Download Submit

          • memory/2344-24-0x0000000001340000-0x000000000166C000-memory.dmp

            Filesize

            3.2MB

            Download

          • memory/2724-7-0x0000000000400000-0x0000000000724000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/2724-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2724-21-0x0000000074A50000-0x000000007513E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2724-6-0x0000000000400000-0x0000000000724000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/2724-17-0x0000000074A50000-0x000000007513E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2724-14-0x0000000000400000-0x0000000000724000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/2724-12-0x0000000000400000-0x0000000000724000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/2724-16-0x0000000000400000-0x0000000000724000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/2724-10-0x0000000000400000-0x0000000000724000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/2724-9-0x0000000000400000-0x0000000000724000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/2932-0-0x00000000010A0000-0x00000000013CC000-memory.dmp

            Filesize

            3.2MB

            Download

          • memory/2932-3-0x0000000074A50000-0x000000007513E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2932-20-0x0000000074A50000-0x000000007513E000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2932-4-0x0000000000BE0000-0x0000000000C20000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2932-2-0x0000000000BE0000-0x0000000000C20000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2932-1-0x0000000074A50000-0x000000007513E000-memory.dmp

            Filesize

            6.9MB

            Download