Malware Analysis Report

2024-10-19 06:32

Sample ID 240527-3ememafa86
Target New.exe
SHA256 d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234
Tags
video quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d0c4045c70a0822806a4e56d7883821cd2c19362f1cfed3bcbdb1e1b8eb15234

Threat Level: Known bad

The file New.exe was found to be: Known bad.

Malicious Activity Summary

video quasar spyware trojan

Quasar family

Quasar payload

Quasar RAT

Checks computer location settings

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 23:25

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 23:25

Reported

2024-05-27 23:30

Platform

win10v2004-20240426-en

Max time kernel

271s

Max time network

190s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\New.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New.exe

"C:\Users\Admin\AppData\Local\Temp\New.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3XyKTWJLX4Bg.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 runderscore00-25501.portmap.host udp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp

Files

memory/432-0-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

memory/432-1-0x0000000000030000-0x000000000009C000-memory.dmp

memory/432-2-0x0000000005030000-0x00000000055D4000-memory.dmp

memory/432-3-0x0000000004BC0000-0x0000000004C52000-memory.dmp

memory/432-4-0x0000000074EC0000-0x0000000075670000-memory.dmp

memory/432-5-0x0000000004AF0000-0x0000000004B56000-memory.dmp

memory/432-6-0x0000000005000000-0x0000000005012000-memory.dmp

memory/432-7-0x0000000005D00000-0x0000000005D3C000-memory.dmp

memory/432-9-0x00000000061C0000-0x00000000061CA000-memory.dmp

memory/432-10-0x0000000074ECE000-0x0000000074ECF000-memory.dmp

memory/432-11-0x0000000074EC0000-0x0000000075670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3XyKTWJLX4Bg.bat

MD5 ce89cf6bd96820c008122f12ae7c9f82
SHA1 f5f593666c2d191f5dba7f0f1d5b3ad1b6116038
SHA256 c89ab7b82dfc29ad9ded2494f6e33c35270917d607fd0540d3fc9cecb7ed8348
SHA512 02b5b0957200a1ca9a6a15072d4f607db06c42c12acde30d8698e1d7055fdd1131a2591e47b3ce0e9d9c6718c4f08178d49043c40e0e67282ba8090d3b9a613f

memory/432-17-0x0000000074EC0000-0x0000000075670000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-Logs\05-27-~1

MD5 dfcbdef06c720514af8e8b63c2e48878
SHA1 7ee7489cdc298005b41d29c12f337c0e1444a662
SHA256 ef2a64128a7d97ed575b2a2647092292286bcefb4d87cee822792e30b623af88
SHA512 376056467e26d47b02d7b20f9472f617eea4d69a44d639aaf4de47fa413e352b5501368ad0eaf0bb9123bdd60b8d23e9f86d1fab3dda0872b77274c1c438b393

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 23:25

Reported

2024-05-27 23:30

Platform

win11-20240426-en

Max time kernel

212s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\New.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\New.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\New.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\New.exe

"C:\Users\Admin\AppData\Local\Temp\New.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1Pu4kK0nZ1GL.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\SCHTASKS.exe

"SCHTASKS.exe" /create /tn "$77New.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\New.exe'" /sc onlogon /rl HIGHEST

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
US 52.111.229.43:443 tcp
DE 193.161.193.99:25501 runderscore00-25501.portmap.host tcp
GB 20.26.156.215:443 github.com tcp

Files

memory/2740-0-0x00000000744BE000-0x00000000744BF000-memory.dmp

memory/2740-1-0x0000000000C50000-0x0000000000CBC000-memory.dmp

memory/2740-2-0x0000000005C60000-0x0000000006206000-memory.dmp

memory/2740-3-0x00000000056B0000-0x0000000005742000-memory.dmp

memory/2740-4-0x00000000744B0000-0x0000000074C61000-memory.dmp

memory/2740-5-0x0000000005750000-0x00000000057B6000-memory.dmp

memory/2740-6-0x0000000006350000-0x0000000006362000-memory.dmp

memory/2740-7-0x00000000068A0000-0x00000000068DC000-memory.dmp

memory/2740-9-0x0000000006D60000-0x0000000006D6A000-memory.dmp

memory/2740-10-0x00000000744BE000-0x00000000744BF000-memory.dmp

memory/2740-11-0x00000000744B0000-0x0000000074C61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1Pu4kK0nZ1GL.bat

MD5 2dedd42362a90a721d4700553de023ed
SHA1 e3974c125cdbe411a0110207b40723854bbd0c90
SHA256 df2b5669f1f564df5f4929c415c5ee5d9eb4c09a474b44230a8bd3ce5b712445
SHA512 cb46389bf7a7faa19a362f62fe99e670118a4898a303f3eb8ee8f3602e7a73e41ffc22476a9f979fcf3ce55ef6594a95d0e059902f597f23482d6225765ff948

memory/2740-17-0x00000000744B0000-0x0000000074C61000-memory.dmp

C:\Users\Admin\AppData\Roaming\$sxr-Logs\05-27-~1

MD5 c906612cf0067cbc9d22ea083cac6bae
SHA1 44df01af9e4b23396c6c7a224f24834a34bcf69a
SHA256 d83e7c884a32ef8cdc29692d253f196201a430caaa3407b4a296c02bc5a9a66e
SHA512 266e2c5aa2b041c45d91cd91f2bcc008059275a39949c5dbb15c4142a7153ae84e548d6cf988818252fb5d5e7fd374b4e57fc1a0c5e5b94d765360b2867b99c0