Overview

overview

10

Static

static

10

New.exe

windows10-1703-x64

10

New.exe

windows10-2004-x64

10

New.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    204s
  • max time network
    279s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-05-2024 23:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New.exe

  • Size

    409KB

  • MD5

    cf570b21f42f0ce411b7c9961068931e

  • SHA1

    f92aa688a1dbd64a4585ecfe80a9c2d7f408c57d

  • SHA256

    d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234

  • SHA512

    de9dce8300656cd8531569011d043373193cbda125b738e66a5bf107178b48781d6dc88eea696b2074c352a1bf56a4693cfae62e668993ac24ce18aebfdcd684

  • SSDEEP

    12288:jpyJcC+PgUUboV2hShYoyTyrIh9eqh6bIK+Pz9:9wd+Y2IweyA9eqkMZ

Score
10/10
quasarvideospywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Video

C2

runderscore00-25501.portmap.host:25501

Mutex

$Sxr-oWTh3ZS9htfe80iIl5

Attributes
  • encryption_key

    zK8u0rpHf4TJzGf65Flt

  • install_name

    Win11.exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000

  • startup_key

    Windows 11 Boot

  • subdirectory

    Win11

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New.exe
    "C:\Users\Admin\AppData\Local\Temp\New.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sX8tIBvchmaV.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3572
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:2700
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:4496
      • C:\Windows\SysWOW64\SCHTASKS.exe
        "SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST
        2⤵
        • Creates scheduled task(s)
        PID:2540

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Persistence

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\sX8tIBvchmaV.bat
      Filesize

      260B

      MD5

      bcd837a5c3a46e32daa119e4b886595b

      SHA1

      47966e4245a0a88f30d12c266242a6ac4857b8b9

      SHA256

      72741c50a095075cd5e4cd7e47f809fb9fb5f01ef1b06936cf2546df49209bcd

      SHA512

      a17c11c022a84404f3ee0357489ae01702fcf18a40078912d3212db1a5713f2223a413539c85aa84a94d91aabe8b2cc06079b0ba43c8c20c24d9f7f2593a8d99

      Download Submit
    • C:\Users\Admin\AppData\Roaming\$sxr-Logs\05-27-~1
      Filesize

      224B

      MD5

      1e1197daea125fef6f6ab43d7dab2529

      SHA1

      e8f5634b30a6f81085a06f5820dfc8f92185539d

      SHA256

      8f249049044e76a4337b42f5cad12350c5fa31889fea7688990979a0923ba017

      SHA512

      b2096d3702a018783f8495bb1cc54e058a9acc6309222b7b575a7edaf3746870029719b3fe9f1f0670c8c1b8ba348c7bc6ca671378a38523e20dcf146b976f9a

      Download Submit
    • memory/1800-6-0x00000000067D0000-0x00000000067E2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1800-3-0x0000000005980000-0x0000000005A12000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1800-4-0x0000000074700000-0x0000000074EB0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1800-5-0x0000000005A50000-0x0000000005AB6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1800-0-0x000000007470E000-0x000000007470F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1800-7-0x0000000006D10000-0x0000000006D4C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1800-9-0x00000000071D0000-0x00000000071DA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1800-10-0x000000007470E000-0x000000007470F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1800-11-0x0000000074700000-0x0000000074EB0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1800-2-0x0000000005E20000-0x00000000063C4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1800-17-0x0000000074700000-0x0000000074EB0000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/1800-1-0x0000000000F00000-0x0000000000F6C000-memory.dmp
      Filesize

      432KB

      Download