Malware Analysis Report

2024-10-23 17:12

Sample ID: 240512-qefwmaga6x
Target:    Rat.exe
SHA256:    28174e01123c6a52e6d47655dfa108384a81d0cccdbd94843689ba08be928453
Tags:      quasar, spyware, trojan
Score:     10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score:        10/10
SHA256:       28174e01123c6a52e6d47655dfa108384a81d0cccdbd94843689ba08be928453
Threat Level: Known bad

The file Rat.exe was found to be: Known bad.

Malicious Activity Summary

Tags: quasar, spyware, trojan

  Quasar payload
  Quasar RAT
  Quasar family
  Executes dropped EXE
  Unsigned PE
  Suspicious use of WriteProcessMemory
  Creates scheduled task(s)
  Suspicious use of AdjustPrivilegeToken
  Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-12 13:10

Signatures

Quasar family (tags: quasar)

Quasar payload
  Description  Indicator  Process  Target
  N/A          N/A        N/A      N/A

Unsigned PE
  Description  Indicator  Process  Target
  N/A          N/A        N/A      N/A

Analysis: behavioral2

Detonation Overview

Submitted:        2024-05-12 13:10
Reported:         2024-05-12 13:11
Platform:         win10v2004-20240508-en
Max time kernel:  43s
Max time network: 43s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat.exe"

Signatures

Quasar RAT (tags: trojan, spyware, quasar)

Quasar payload
  Description  Indicator  Process  Target
  N/A          N/A        N/A      N/A
  N/A          N/A        N/A      N/A

Executes dropped EXE
  Description  Indicator  Process                                           Target
  N/A          N/A        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  N/A

Creates scheduled task(s) (persistence)
  Description  Indicator  Process                           Target
  N/A          N/A        C:\Windows\SYSTEM32\schtasks.exe  N/A
  N/A          N/A        C:\Windows\SYSTEM32\schtasks.exe  N/A

Suspicious use of AdjustPrivilegeToken
  Description               Indicator  Process                                           Target
  Token: SeDebugPrivilege   N/A        C:\Users\Admin\AppData\Local\Temp\Rat.exe         N/A
  Token: SeDebugPrivilege   N/A        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  N/A

Uses Task Scheduler COM API (persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\Rat.exe
  "C:\Users\Admin\AppData\Local\Temp\Rat.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "x64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "x64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            g.bing.com                    udp
US       204.79.197.237:443    g.bing.com                    tcp
NL       23.62.61.170:443      www.bing.com                  tcp
US       8.8.8.8:53            237.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53            77.190.18.2.in-addr.arpa      udp
US       8.8.8.8:53            170.61.62.23.in-addr.arpa     udp
US       8.8.8.8:53            140.32.126.40.in-addr.arpa    udp
NL       23.62.61.170:443      www.bing.com                  tcp
US       8.8.8.8:53            26.35.223.20.in-addr.arpa     udp
N/A      192.168.178.159:4782                                tcp
N/A      192.168.178.159:4782                                tcp
US       8.8.8.8:53            86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53            56.126.166.20.in-addr.arpa    udp
US       8.8.8.8:53            31.121.18.2.in-addr.arpa      udp

Files

memory/1668-0-0x00007FFE83653000-0x00007FFE83655000-memory.dmp
memory/1668-1-0x0000000000970000-0x0000000000C94000-memory.dmp
memory/1668-2-0x00007FFE83650000-0x00007FFE84111000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  MD5     9fb2e5556886a91ed7805b9d835defd2
  SHA1    4b54c11066f327c76f09b8de64715fee3f02fd34
  SHA256  28174e01123c6a52e6d47655dfa108384a81d0cccdbd94843689ba08be928453
  SHA512  e9dd5e7b7c0ff5406ca23c17bf6451c717391b0f8fc5ff54809ed552b41a1e7d71bbd6128cbf570976b2a48299cc72625d6d485960256009df33a6d80810ba54

memory/1668-9-0x00007FFE83650000-0x00007FFE84111000-memory.dmp
memory/5096-10-0x00007FFE83650000-0x00007FFE84111000-memory.dmp
memory/5096-11-0x00007FFE83650000-0x00007FFE84111000-memory.dmp
memory/5096-12-0x000000001BC20000-0x000000001BC70000-memory.dmp
memory/5096-13-0x000000001BD30000-0x000000001BDE2000-memory.dmp
memory/5096-14-0x00007FFE83650000-0x00007FFE84111000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted:        2024-05-12 13:10
Reported:         2024-05-12 13:11
Platform:         win11-20240426-en
Max time kernel:  34s
Max time network: 44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat.exe"

Signatures

Quasar RAT (tags: trojan, spyware, quasar)

Quasar payload
  Description  Indicator  Process  Target
  N/A          N/A        N/A      N/A
  N/A          N/A        N/A      N/A

Executes dropped EXE
  Description  Indicator  Process                                           Target
  N/A          N/A        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  N/A

Creates scheduled task(s) (persistence)
  Description  Indicator  Process                           Target
  N/A          N/A        C:\Windows\SYSTEM32\schtasks.exe  N/A
  N/A          N/A        C:\Windows\SYSTEM32\schtasks.exe  N/A

Suspicious use of AdjustPrivilegeToken
  Description               Indicator  Process                                           Target
  Token: SeDebugPrivilege   N/A        C:\Users\Admin\AppData\Local\Temp\Rat.exe         N/A
  Token: SeDebugPrivilege   N/A        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  N/A

Uses Task Scheduler COM API (persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\Rat.exe
  "C:\Users\Admin\AppData\Local\Temp\Rat.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "x64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "x64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country  Destination           Domain                Proto
N/A      192.168.178.159:4782                        tcp
N/A      192.168.178.159:4782                        tcp
US       8.8.8.8:53            8.8.8.8.in-addr.arpa  udp

Files

memory/3308-0-0x00007FFF0D8F3000-0x00007FFF0D8F5000-memory.dmp
memory/3308-1-0x0000000000B30000-0x0000000000E54000-memory.dmp
memory/3308-2-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  MD5     9fb2e5556886a91ed7805b9d835defd2
  SHA1    4b54c11066f327c76f09b8de64715fee3f02fd34
  SHA256  28174e01123c6a52e6d47655dfa108384a81d0cccdbd94843689ba08be928453
  SHA512  e9dd5e7b7c0ff5406ca23c17bf6451c717391b0f8fc5ff54809ed552b41a1e7d71bbd6128cbf570976b2a48299cc72625d6d485960256009df33a6d80810ba54

memory/3948-10-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp
memory/3308-9-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp
memory/3948-11-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp
memory/3948-12-0x000000001B7D0000-0x000000001B820000-memory.dmp
memory/3948-13-0x000000001C310000-0x000000001C3C2000-memory.dmp
memory/3948-14-0x00007FFF0D8F0000-0x00007FFF0E3B2000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted:        2024-05-12 13:10
Reported:         2024-05-12 13:11
Platform:         win10-20240404-en
Max time kernel:  29s
Max time network: 37s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Rat.exe"

Signatures

Quasar RAT (tags: trojan, spyware, quasar)

Quasar payload
  Description  Indicator  Process  Target
  N/A          N/A        N/A      N/A
  N/A          N/A        N/A      N/A

Executes dropped EXE
  Description  Indicator  Process                                           Target
  N/A          N/A        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  N/A

Creates scheduled task(s) (persistence)
  Description  Indicator  Process                           Target
  N/A          N/A        C:\Windows\SYSTEM32\schtasks.exe  N/A
  N/A          N/A        C:\Windows\SYSTEM32\schtasks.exe  N/A

Suspicious use of AdjustPrivilegeToken
  Description               Indicator  Process                                           Target
  Token: SeDebugPrivilege   N/A        C:\Users\Admin\AppData\Local\Temp\Rat.exe         N/A
  Token: SeDebugPrivilege   N/A        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  N/A

Uses Task Scheduler COM API (persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\Rat.exe
  "C:\Users\Admin\AppData\Local\Temp\Rat.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "x64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "x64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country  Destination           Domain  Proto
N/A      192.168.178.159:4782          tcp
N/A      192.168.178.159:4782          tcp

Files

memory/3220-0-0x00007FF80AF13000-0x00007FF80AF14000-memory.dmp
memory/3220-1-0x0000000000120000-0x0000000000444000-memory.dmp
memory/3220-2-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  MD5     9fb2e5556886a91ed7805b9d835defd2
  SHA1    4b54c11066f327c76f09b8de64715fee3f02fd34
  SHA256  28174e01123c6a52e6d47655dfa108384a81d0cccdbd94843689ba08be928453
  SHA512  e9dd5e7b7c0ff5406ca23c17bf6451c717391b0f8fc5ff54809ed552b41a1e7d71bbd6128cbf570976b2a48299cc72625d6d485960256009df33a6d80810ba54

memory/3220-9-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp
memory/4372-10-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp
memory/4372-11-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp
memory/4372-12-0x000000001BAC0000-0x000000001BB10000-memory.dmp
memory/4372-13-0x000000001BBD0000-0x000000001BC82000-memory.dmp
memory/4372-14-0x00007FF80AF10000-0x00007FF80B8FC000-memory.dmp