Overview

overview

10

Static

static

10

Client-built.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    93s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19-05-2024 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    22100cc98b67f5dcb53996c6e159307e

  • SHA1

    c52c5993155d25849412f7e0aad949982b79e184

  • SHA256

    8d2791e3b86cbe959a01b8394dc1b1a469e8bc2263088f0ebd14db7b123a3fa8

  • SHA512

    e177d46a50715a15a569cacced329e1076363a93ba0a60e816e0faef0d71745df5a8185409f536d773dfcae664bcccd3e883cb7959c3e0e0b5a18085ab5b29e0

  • SSDEEP

    49152:3vDI22SsaNYfdPBldt698dBcjHueA3har7QoGd29JTHHB72eh2NT:3v822SsaNYfdPBldt6+dBcjHg3h

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.2.106:4782

Mutex

fe4290a2-c368-468a-8c1f-b36f1774e2d7

Attributes
  • encryption_key

    6FC043E55EFEB9F593029AF4D1E1023ED290CDEE

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Filesize

    3.1MB

    MD5

    22100cc98b67f5dcb53996c6e159307e

    SHA1

    c52c5993155d25849412f7e0aad949982b79e184

    SHA256

    8d2791e3b86cbe959a01b8394dc1b1a469e8bc2263088f0ebd14db7b123a3fa8

    SHA512

    e177d46a50715a15a569cacced329e1076363a93ba0a60e816e0faef0d71745df5a8185409f536d773dfcae664bcccd3e883cb7959c3e0e0b5a18085ab5b29e0

    Download Submit

  • memory/2424-10-0x00007FF97A030000-0x00007FF97AAF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2424-11-0x00007FF97A030000-0x00007FF97AAF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2424-12-0x000000001B2E0000-0x000000001B330000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2424-13-0x000000001BD70000-0x000000001BE22000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2424-14-0x00007FF97A030000-0x00007FF97AAF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2424-15-0x000000001C8B0000-0x000000001CDD8000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/3876-0-0x00007FF97A033000-0x00007FF97A035000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3876-1-0x0000000000F50000-0x0000000001274000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3876-2-0x00007FF97A030000-0x00007FF97AAF2000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3876-9-0x00007FF97A030000-0x00007FF97AAF2000-memory.dmp

    Filesize

    10.8MB

    Download