Analysis
-
max time kernel
26s -
max time network
27s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
19-05-2024 20:58
Errors
General
-
Target
python-3.12.3-amd64_protected.exe
-
Size
8.6MB
-
MD5
328626049b23e7d5fbe12f9503853d53
-
SHA1
402ca69107944196f421a16ce3be363a0f4e991c
-
SHA256
96eb67eaf4d600885d149701f7b720f004a1646775a179e77e8706762405e921
-
SHA512
5425ef358018a66977e711bfa2a794c725bd153df5989cae52419115c981ce94cc15b6ae826c42d786aa3363151d9c051ae53407ab5e07fcc7365ef054b03c91
-
SSDEEP
196608:VGjSZs4BJq1Ey1FJrMwM/RAWOY+3uWjNyWte7c:VXZsI0F5MYYjWjM7c
Malware Config
Extracted
quasar
1.4.1
Python
5.39.43.50:1488
393fbc9d-531f-4025-b3f0-bed4d56f6ed3
-
encryption_key
1E01F0D74E189002EDB2FABC8EC064751C9D7A63
-
install_name
Python.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Python3
-
subdirectory
Python3
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 6 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Themida packer 7 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\python-3.12.3-amd64_protected.exe"C:\Users\Admin\AppData\Local\Temp\python-3.12.3-amd64_protected.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Python3" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Python3\Python.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\Python3\Python.exe"C:\Users\Admin\AppData\Roaming\Python3\Python.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Python3" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Python3\Python.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\shutdown.exe"C:\Windows\System32\shutdown.exe" /s /t 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3aed055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Python3\Python.exeFilesize
8.6MB
MD5328626049b23e7d5fbe12f9503853d53
SHA1402ca69107944196f421a16ce3be363a0f4e991c
SHA25696eb67eaf4d600885d149701f7b720f004a1646775a179e77e8706762405e921
SHA5125425ef358018a66977e711bfa2a794c725bd153df5989cae52419115c981ce94cc15b6ae826c42d786aa3363151d9c051ae53407ab5e07fcc7365ef054b03c91
-
memory/1640-15-0x0000000006680000-0x000000000668A000-memory.dmpFilesize
40KB
-
memory/1640-11-0x0000000000400000-0x0000000001A14000-memory.dmpFilesize
22.1MB
-
memory/1640-14-0x0000000006080000-0x0000000006112000-memory.dmpFilesize
584KB
-
memory/1640-6-0x0000000077000000-0x00000000770D0000-memory.dmpFilesize
832KB
-
memory/1640-5-0x0000000077000000-0x00000000770D0000-memory.dmpFilesize
832KB
-
memory/1640-4-0x0000000077000000-0x00000000770D0000-memory.dmpFilesize
832KB
-
memory/1640-7-0x0000000077000000-0x00000000770D0000-memory.dmpFilesize
832KB
-
memory/1640-8-0x0000000077000000-0x00000000770D0000-memory.dmpFilesize
832KB
-
memory/1640-10-0x0000000077000000-0x00000000770D0000-memory.dmpFilesize
832KB
-
memory/1640-1-0x0000000077016000-0x0000000077017000-memory.dmpFilesize
4KB
-
memory/1640-12-0x0000000000400000-0x0000000001A14000-memory.dmpFilesize
22.1MB
-
memory/1640-13-0x0000000006140000-0x000000000663E000-memory.dmpFilesize
5.0MB
-
memory/1640-3-0x0000000077000000-0x00000000770D0000-memory.dmpFilesize
832KB
-
memory/1640-0-0x0000000000400000-0x0000000001A14000-memory.dmpFilesize
22.1MB
-
memory/1640-2-0x0000000077000000-0x00000000770D0000-memory.dmpFilesize
832KB
-
memory/1640-22-0x0000000077000000-0x00000000770D0000-memory.dmpFilesize
832KB
-
memory/1640-24-0x0000000000400000-0x0000000001A14000-memory.dmpFilesize
22.1MB
-
memory/4192-41-0x0000000000400000-0x0000000001A14000-memory.dmpFilesize
22.1MB
-
memory/4192-27-0x0000000000400000-0x0000000001A14000-memory.dmpFilesize
22.1MB
-
memory/4192-28-0x0000000000400000-0x0000000001A14000-memory.dmpFilesize
22.1MB
-
memory/4192-29-0x0000000006CC0000-0x00000000072C6000-memory.dmpFilesize
6.0MB
-
memory/4192-23-0x0000000000400000-0x0000000001A14000-memory.dmpFilesize
22.1MB
-
memory/4192-31-0x0000000007630000-0x00000000076E2000-memory.dmpFilesize
712KB
-
memory/4192-35-0x0000000008170000-0x00000000081AE000-memory.dmpFilesize
248KB
-
memory/4192-36-0x00000000081E0000-0x0000000008246000-memory.dmpFilesize
408KB
-
memory/4192-34-0x0000000007EC0000-0x0000000007ED2000-memory.dmpFilesize
72KB
-
memory/4192-30-0x0000000007440000-0x0000000007490000-memory.dmpFilesize
320KB