Malware Analysis Report

2024-10-19 06:33

Sample ID 240527-2a6r2adc62
Target Token Generator.exe
SHA256 139ce0f6ed1d745a6776f831c641b2b30bb8d48ecd9c198a0b4bd8489899f60e
Tags
token gen quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

139ce0f6ed1d745a6776f831c641b2b30bb8d48ecd9c198a0b4bd8489899f60e

Threat Level: Known bad

The file Token Generator.exe was found to be: Known bad.

Malicious Activity Summary

token gen quasar spyware trojan

Quasar RAT

Quasar family

Quasar payload

Executes dropped EXE

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 22:23

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 22:23

Reported

2024-05-27 22:30

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Token Generator.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Token Generator.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Token Generator.exe

"C:\Users\Admin\AppData\Local\Temp\Token Generator.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe

"C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4836,i,15140928051103392835,1612840580898364401,262144 --variations-seed-version --mojo-platform-channel-handle=3760 /prefetch:8
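The two schtasks.exe command lines above, and the "Creates scheduled task(s)" signature they trigger, are the sample's persistence mechanism: a task named "Discord" that runs the dropped copy from %APPDATA% at every logon with the highest run level. The Python below is an added example, not part of this report and not the sandbox's own detection logic. It tokenises Windows command lines as they are captured here and flags schtasks /create invocations that fit that pattern. The embedded command lines are constructed (the report's two schtasks lines plus two benign ones), and the heuristics are my choices, not the report's: an action in a user-writable directory, a logon/boot or recurring trigger, the HIGHEST run level, a task name unrelated to the executable name, and the "$77" prefix, which is the naming convention the r77 rootkit uses to hide files and processes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Directories an unprivileged user can write to. A task whose action lives here
# is the "dropper copies itself, then schedules the copy" pattern seen above.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Triggers that re-run the action without further user interaction.
PERSIST_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE", "MINUTE", "HOURLY", "DAILY"}
VALUE_SWITCHES = ("/tn", "/sc", "/tr", "/rl", "/ru")  # switches that take a value
MIN_REASONS = 2  # assumption: how many heuristics must fire before a task is reported


@dataclass
class TaskFinding:
    task_name: str
    trigger: str
    run_level: str
    action: str
    reasons: List[str] = field(default_factory=list)


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping "quoted args" whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks_create(cmdline: str) -> Optional[TaskFinding]:
    """Return a TaskFinding for a `schtasks /create` command line, else None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = re.split(r"[\\/]", toks[0])[-1].lower()
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    flags = {}
    i = 1
    while i < len(toks):
        flag = toks[i].lower()
        if flag in VALUE_SWITCHES:
            flags[flag] = toks[i + 1] if i + 1 < len(toks) else ""
            i += 2
        else:
            flags[flag] = True  # bare switches such as /create, /f
            i += 1
    if "/create" not in flags:
        return None
    finding = TaskFinding(
        task_name=flags.get("/tn", ""),
        trigger=flags.get("/sc", "").upper(),
        run_level=flags.get("/rl", "LIMITED").upper(),  # LIMITED is schtasks' default
        action=flags.get("/tr", ""),
    )
    action_lc = finding.action.lower()
    exe_name = re.split(r"[\\/]", action_lc)[-1]
    if any(d in action_lc for d in USER_WRITABLE):
        finding.reasons.append("action runs from a user-writable directory")
    if finding.trigger in PERSIST_TRIGGERS:
        finding.reasons.append(f"re-runs on trigger {finding.trigger}")
    if finding.run_level == "HIGHEST":
        finding.reasons.append("requests highest run level")
    if finding.task_name and finding.task_name.lower() not in exe_name:
        finding.reasons.append("task name unrelated to executable name")
    if "$77" in finding.action:
        finding.reasons.append("'$77' prefix (r77 rootkit hiding convention)")
    return finding


def triage(cmdlines: List[str]) -> List[TaskFinding]:
    """Keep only schtasks /create lines on which at least MIN_REASONS heuristics fire."""
    found = [parse_schtasks_create(c) for c in cmdlines]
    return [f for f in found if f is not None and len(f.reasons) >= MIN_REASONS]


# Constructed sample: the report's two schtasks lines plus two benign lines.
SAMPLE_CMDLINES = [
    '"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\\Users\\Admin\\AppData\\Roaming\\$77-Rootkit\\$77-powershell.exe" /rl HIGHEST /f',
    '"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\\Users\\Admin\\AppData\\Roaming\\$77-Rootkit\\$77-powershell.exe" /rl HIGHEST /f',
    'schtasks /create /tn "Backup" /sc DAILY /tr "C:\\Program Files\\Backup\\backup.exe"',
    'schtasks /query /tn "Backup"',
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\Token Generator.exe"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"task {f.task_name!r} -> {f.action} [{f.trigger}, {f.run_level}]")
        for r in f.reasons:
            print("   -", r)
```

Run against Sysmon event ID 1 or 4688 command lines instead of the constructed list and the same function covers live hosts; the benign daily backup task fires only one heuristic and stays below the threshold, while the report's line fires all five.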

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 uk2.localto.net udp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
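The Network table above mixes three things: reverse (PTR) lookups sent to 8.8.8.8, a forward lookup plus two TCP/443 connections for tse1.mm.bing.net, and 25 TCP connections to 140.238.91.110:6103 resolved from uk2.localto.net, which is the only endpoint that fits a RAT beacon (repeated connections to a non-web port). The Python below is an added example, not part of the report; it parses rows in the table's four-column layout, collapses repeats into per-endpoint counts, picks the most-repeated non-web TCP endpoint as the C2 candidate, and lists blockable indicators. The embedded rows are a constructed excerpt of the table, so its counts are smaller than the full table's; the web-port list and the treatment of PTR lookups as background noise are assumptions of the example.

```python
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumption: a single TCP connection on these ports is ordinary web traffic;
# repeated connections on any other port rank higher as a beacon candidate.
WEB_PORTS = {80, 443}

# Constructed excerpt of the report's Network table: country, destination, domain, proto.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 uk2.localto.net udp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
GB 140.238.91.110:6103 uk2.localto.net tcp
"""

Row = Dict[str, object]


def parse_rows(text: str) -> List[Row]:
    """Parse the sandbox's four-column network table; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def connection_counts(rows: List[Row]) -> Counter:
    """Collapse repeated rows into per-endpoint counts."""
    return Counter((r["host"], r["port"], r["domain"], r["proto"]) for r in rows)


def likely_c2(rows: List[Row]) -> Optional[Tuple[str, int, str, int]]:
    """Most-repeated TCP endpoint on a non-web port: (host, port, domain, count)."""
    counts = Counter((r["host"], r["port"], r["domain"]) for r in rows
                     if r["proto"] == "tcp" and r["port"] not in WEB_PORTS)
    if not counts:
        return None
    (host, port, domain), n = counts.most_common(1)[0]
    return host, port, domain, n


def resolved_domains(rows: List[Row]) -> List[str]:
    """Forward DNS lookups only; reverse (PTR) lookups are typically OS background noise."""
    return sorted({r["domain"] for r in rows
                   if r["proto"] == "udp" and r["port"] == 53
                   and not r["domain"].endswith(".in-addr.arpa")})


def iocs(rows: List[Row]) -> List[str]:
    """Blockable indicators: every non-web TCP endpoint as host:port, plus its domain."""
    out = set()
    for (host, port, domain, proto) in connection_counts(rows):
        if proto == "tcp" and port not in WEB_PORTS:
            out.add(f"{host}:{port}")
            out.add(domain)
    return sorted(out)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for key, n in connection_counts(rows).most_common():
        print(f"{n:3d}x {key[3]} {key[0]}:{key[1]} ({key[2]})")
    print("likely C2:", likely_c2(rows))
    print("IoCs:", iocs(rows))
```

Paste the full table into NETWORK_ROWS and the candidate comes out as 140.238.91.110:6103 with 25 connections. uk2.localto.net is a hostname under what appears to be a tunnelling/port-forwarding service's domain, so treat the IP as a relay: block the hostname and the host:port pair, but do not assume the IP is the operator's own infrastructure.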

Files

memory/1544-0-0x00007FFCAD333000-0x00007FFCAD335000-memory.dmp

memory/1544-1-0x0000000000740000-0x0000000000A64000-memory.dmp

memory/1544-2-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

C:\Users\Admin\AppData\Roaming\$77-Rootkit\$77-powershell.exe (same SHA256 as the submitted sample: the dropper copies itself to this path and the scheduled task runs the copy; the $77 prefix is the naming convention the r77 rootkit uses to hide files and processes)

MD5 6d2ad4ada4961027832e557db06fc08d
SHA1 816018499f5e291850d7dd2a0d15c914e5607630
SHA256 139ce0f6ed1d745a6776f831c641b2b30bb8d48ecd9c198a0b4bd8489899f60e
SHA512 1d99985c99fa16f712eee5604279463e18e77532e7a1586651178685ef38ba25b099c393edc44f2703d7e9f4ce7596b86ba3d9f0e00119e13474816a2186f241

memory/1544-10-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

memory/4972-9-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

memory/4972-11-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp

memory/4972-12-0x000000001BB60000-0x000000001BBB0000-memory.dmp

memory/4972-13-0x000000001BC70000-0x000000001BD22000-memory.dmp

memory/4972-14-0x00007FFCAD330000-0x00007FFCADDF1000-memory.dmp