Overview

overview

10

Static

static

10

errr.exe

windows10-1703-x64

10

errr.exe

windows10-2004-x64

10

errr.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    99s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12/05/2024, 01:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    errr.exe

  • Size

    3.1MB

  • MD5

    ef7a21c06d5bde1ef0979fb8948fb7f7

  • SHA1

    b5f5467ec426b7c68ba6586feea8652023948020

  • SHA256

    424882a2484f8bacc7b3ffa79082ffe1d0f6b074fd2bb2b42b6b724a56332308

  • SHA512

    4c42a031f83a966a61eb0e630cf6600965a6f9366d25704493101405705718c9e5d4b4df8caec5791f5500da0c87c6c74000583cc124dabc4bd8b214666bcf3a

  • SSDEEP

    49152:hvUI22SsaNYfdPBldt698dBcjHFzR160bR3toGdoTHHB72eh2NT:hvZ22SsaNYfdPBldt6+dBcjHFzR16o

Score
10/10
quasarshibaspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Shiba

C2

steel-repairs.gl.at.ply.gg:62743

Mutex

987c652c-2a4e-4c5d-bc39-00c8c0f35c5c

Attributes
  • encryption_key

    A88D7FED7F655EBDC4F99C21BAE5EC62300AADC7

  • install_name

    $sxr-insta.exe

  • log_directory

    $sxr-logs

  • reconnect_delay

    1000

  • startup_key

    $sxr-mstha

  • subdirectory

    $sxr-start

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\errr.exe
    "C:\Users\Admin\AppData\Local\Temp\errr.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3268
    • C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
      "C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4172
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G3eUYoy29hYV.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3640
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:4180
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:2372

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\G3eUYoy29hYV.bat
      Filesize

      219B

      MD5

      35211066e7ba476a15d98b6ca59ee980

      SHA1

      4f099abe89cc85e18e9d5ecf23a1c0a867ddd7c3

      SHA256

      62825a7c733146f3c4b9e013e657441c55f2ff5c9893fef7b40b7ecbcb292bfe

      SHA512

      3ce0b72bcc9864efa1f3397b43bfbdd4ad19b40d13994d812c75d81ea1ce31a024c4811954029e2fc292e70fef8241eb588e4013524b789961b391a5a13fdea5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\$sxr-start\$sxr-insta.exe
      Filesize

      3.1MB

      MD5

      ef7a21c06d5bde1ef0979fb8948fb7f7

      SHA1

      b5f5467ec426b7c68ba6586feea8652023948020

      SHA256

      424882a2484f8bacc7b3ffa79082ffe1d0f6b074fd2bb2b42b6b724a56332308

      SHA512

      4c42a031f83a966a61eb0e630cf6600965a6f9366d25704493101405705718c9e5d4b4df8caec5791f5500da0c87c6c74000583cc124dabc4bd8b214666bcf3a

      Download Submit

    • memory/3268-0-0x00007FFA23E73000-0x00007FFA23E75000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3268-1-0x0000000000FC0000-0x00000000012E4000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/3268-2-0x00007FFA23E70000-0x00007FFA24932000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3268-9-0x00007FFA23E70000-0x00007FFA24932000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4172-11-0x00007FFA23E70000-0x00007FFA24932000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4172-12-0x000000001C080000-0x000000001C0D0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4172-13-0x000000001C190000-0x000000001C242000-memory.dmp

      Filesize

      712KB

      Download

    • memory/4172-16-0x000000001C120000-0x000000001C132000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4172-17-0x000000001CEA0000-0x000000001CEDC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4172-18-0x00007FFA23E70000-0x00007FFA24932000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4172-10-0x00007FFA23E70000-0x00007FFA24932000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4172-24-0x00007FFA23E70000-0x00007FFA24932000-memory.dmp

      Filesize

      10.8MB

      Download