Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
26-05-2024 11:06
General
-
Target
test.exe
-
Size
3.1MB
-
MD5
700acd73a0f2f3e9372fe0e60f95576f
-
SHA1
efc3b03207b3e5a999d772fd7c11fb5b69977ebc
-
SHA256
10dfcd3ab03dcecb05d6f4b28dbd7a4070341783b8f5453b9af3bc6b9b77a104
-
SHA512
a390e1b463d658beb17d9bc21e9e77f00e1dbe6dd0fc134ba682343d3a90c5a6535999aebafd1e2bad5bc319fa92072bb5efabff49878bd06d1cfee030a9db75
-
SSDEEP
49152:3vGlL26AaNeWgPhlmVqvMQ7XSKpJxNESE7k/iTLoGdoPTHHB72eh2NT:3vGL26AaNeWgPhlmVqkQ7XSKHx+f4
Malware Config
Extracted
quasar
1.4.1
Office04
bin-inspections.gl.at.ply.gg:64055
536deaa9-57d2-448a-ae01-b604426d7fa6
-
encryption_key
DBB529B3F56F6D23695F8D7AC9BA28484A0D6D0F
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\test.exe"C:\Users\Admin\AppData\Local\Temp\test.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\61ITeFprNIya.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\61ITeFprNIya.batFilesize
205B
MD5e37553d34e252575ce315a51a1ed227b
SHA1ec5a4a74f0e322fb5ee669cd35815b58d5e1d470
SHA2560f330a36353b15e40514123a237ec35146b02e6e62cc4a7c95dc49d05b42f1d0
SHA5126ae7380c57d01fef9881b7c70587c17e0f96bb597df6e84954a30478229582f789e195066db3ad571ac7e52f0f62b629acded22efad856b2ded6a48e7aedea9b
-
memory/2628-0-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmpFilesize
8KB
-
memory/2628-1-0x0000000000570000-0x0000000000894000-memory.dmpFilesize
3.1MB
-
memory/2628-2-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmpFilesize
10.8MB
-
memory/2628-3-0x000000001B920000-0x000000001B970000-memory.dmpFilesize
320KB
-
memory/2628-4-0x000000001BA30000-0x000000001BAE2000-memory.dmpFilesize
712KB
-
memory/2628-7-0x000000001B9D0000-0x000000001B9E2000-memory.dmpFilesize
72KB
-
memory/2628-8-0x000000001C330000-0x000000001C36C000-memory.dmpFilesize
240KB
-
memory/2628-9-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmpFilesize
8KB
-
memory/2628-10-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmpFilesize
10.8MB
-
memory/2628-15-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmpFilesize
10.8MB