Overview

overview

10

Static

static

10

34bb0abcb4...40.exe

windows7-x64

10

34bb0abcb4...40.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 00:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe

  • Size

    3.1MB

  • MD5

    483d0a45f61e108b7a89c6707e138d62

  • SHA1

    da16e84ef741a6a82038468da5990b25e3bf751c

  • SHA256

    34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40

  • SHA512

    5c6da715cdafda98a37b6eaa455d5c12148b1048f5e038f9482d0f51f5e247cf75ff1c8439d3a75b6f674daa843a8ecd21aab23663b6bdd6bc7bac0fce606492

  • SSDEEP

    49152:Wvxt62XlaSFNWPjljiFa2RoUYIiyTCD8foGdIoTHHB72eh2NT:Wv762XlaSFNWPjljiFXRoUYIiyTCc

Score
10/10
quasarbeamed celexspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Beamed Celex

C2

192.168.2.102:5145

Nixon:5145
Mutex

a9d8efa6-449f-415c-bad7-c7fbd83156d2

Attributes
  • encryption_key

    288C4AC276CDC9ADD45AEABDE642A8A88681F7BB

  • install_name

    Celex.exe

  • log_directory

    Logs

  • reconnect_delay

    1

  • startup_key

    Celex

  • subdirectory

    Celex

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 6 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe
    "C:\Users\Admin\AppData\Local\Temp\34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:952
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:3708
    • C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
      "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4244
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:5024
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Y8CQis3wSVyx.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:3828
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:4420
          • C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
            "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2424
            • C:\Windows\SYSTEM32\schtasks.exe
              "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
              5⤵
              • Creates scheduled task(s)
              PID:4500
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9dnPl84w36B9.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1996
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2272
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:2568
                • C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
                  "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:4372
                  • C:\Windows\SYSTEM32\schtasks.exe
                    "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
                    7⤵
                    • Creates scheduled task(s)
                    PID:1608
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miXjyljK3KEk.bat" "
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4052
                    • C:\Windows\system32\chcp.com
                      chcp 65001
                      8⤵
                        PID:4304
                      • C:\Windows\system32\PING.EXE
                        ping -n 10 localhost
                        8⤵
                        • Runs ping.exe
                        PID:3816
                      • C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
                        "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
                        8⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:1756
                        • C:\Windows\SYSTEM32\schtasks.exe
                          "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
                          9⤵
                          • Creates scheduled task(s)
                          PID:2408
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pbEtdbodxnkO.bat" "
                          9⤵
                          • Suspicious use of WriteProcessMemory
                          PID:4208
                          • C:\Windows\system32\chcp.com
                            chcp 65001
                            10⤵
                              PID:1588
                            • C:\Windows\system32\PING.EXE
                              ping -n 10 localhost
                              10⤵
                              • Runs ping.exe
                              PID:1004
                            • C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
                              "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe"
                              10⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:4580
                              • C:\Windows\SYSTEM32\schtasks.exe
                                "schtasks" /create /tn "Celex" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Celex\Celex.exe" /rl HIGHEST /f
                                11⤵
                                • Creates scheduled task(s)
                                PID:4604

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Celex.exe.log
            Filesize

            2KB

            MD5

            8f0271a63446aef01cf2bfc7b7c7976b

            SHA1

            b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

            SHA256

            da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

            SHA512

            78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\9dnPl84w36B9.bat
            Filesize

            205B

            MD5

            7899430c6f6b10f84c891b62dd754a3a

            SHA1

            7a471a89a4ff53dbeee46cb8a43f29cb8c44a360

            SHA256

            93ebfe5362b68c9d6637d4cca57169c42dd7cc9c793fdf935676ac04ff2e4433

            SHA512

            8e56fa8732ba7615d8af8ccd5271f57949885e5824b43538496eaa01580eb493b83b256a2fb8595609796e29a6d0382f071a2e6a773513f301b20ff36c88f94c

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Y8CQis3wSVyx.bat
            Filesize

            205B

            MD5

            607ca8f3a9a2b08f9d883ce486d87e9a

            SHA1

            1b4291606eb6121758017e877f5b9ae87b36f253

            SHA256

            033815ad10777b7b068156312799a2702e16986cac934c1e07396bc2a1e0a466

            SHA512

            a2165f5060d3fdf1c57fe3bf7ad2047b481dcf5baed5fe77865ff81403422239c668cfc52e2f99a54eef58d33f19c28d286b5ecc84fdd189460c73eea43c0b04

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\miXjyljK3KEk.bat
            Filesize

            205B

            MD5

            0bedfe26ea41c97a17bb488d0de39d98

            SHA1

            12d414e06d56d3bb1303a9181aa2ef690569d672

            SHA256

            a7d0e8f03b57d0627433011a139227f8574b37ed658bb24dd064529a3db36514

            SHA512

            828bc7f0de22ba056496efdaa7ea92f0d55d9d682934caf7bfaad04a72b621fd61ab47e9119f66d5b5e820701597a574146a06c02eb8be14445be4fa2a503a8c

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\pbEtdbodxnkO.bat
            Filesize

            205B

            MD5

            3489e6ecfef6e91ee1a8ce4fe9c28765

            SHA1

            d466bdaf73bc9dea5e2f9a3b003027fa1f0c65d9

            SHA256

            456e0dc54c67802accd1d02ec790f2d34f1228d4441bacbf87da56613b5a11ce

            SHA512

            11817625b6e1e2f4f97a46e4589157e2092deef5aa83faafc519fa4bebbead47d98c8ba5dba3257c6585465aa27f6a4fd442252035d7bdf5dfa74d63460172ee

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Celex\Celex.exe
            Filesize

            3.1MB

            MD5

            483d0a45f61e108b7a89c6707e138d62

            SHA1

            da16e84ef741a6a82038468da5990b25e3bf751c

            SHA256

            34bb0abcb4e25933c6c2317944d183e40a25175f808c990b59b49fb2b0448c40

            SHA512

            5c6da715cdafda98a37b6eaa455d5c12148b1048f5e038f9482d0f51f5e247cf75ff1c8439d3a75b6f674daa843a8ecd21aab23663b6bdd6bc7bac0fce606492

            Download Submit
          • memory/952-1-0x0000000000970000-0x0000000000C94000-memory.dmp
            Filesize

            3.1MB

            Download
          • memory/952-2-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/952-0-0x00007FF816413000-0x00007FF816415000-memory.dmp
            Filesize

            8KB

            Download
          • memory/952-8-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4244-9-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4244-19-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4244-13-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
            Filesize

            10.8MB

            Download
          • memory/4244-12-0x000000001BF70000-0x000000001C022000-memory.dmp
            Filesize

            712KB

            Download
          • memory/4244-11-0x000000001BE60000-0x000000001BEB0000-memory.dmp
            Filesize

            320KB

            Download
          • memory/4244-10-0x00007FF816410000-0x00007FF816ED1000-memory.dmp
            Filesize

            10.8MB

            Download