Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
29-05-2024 14:51
General
-
Target
baritone.exe
-
Size
502KB
-
MD5
bf1f011e9664823aeb1c386eeb9e5c90
-
SHA1
3a15112a330446b895811549a857d0d92763cf1a
-
SHA256
412693c6a8fa7142d55bdca7f0473ba66582155399b49f7eacee55f4d78dfd7a
-
SHA512
584dfe97edefc6c8f8d96a3589fbf84701846a16f6c71625772c3a56763bb51303c476c808f9e68c55899f5e61ee2a98f7805f54703b62838b8cc9b65715bb44
-
SSDEEP
6144:NTEgdc0YxXAGbgiIN2RSBDuZnqUBlh/eKTFwQHocEAAb8F98IHsyzMcTR3u:NTEgdfYtbgvuIA5FwQj+HyzMcdu
Malware Config
Extracted
quasar
1.4.0
infectado
elpepemanca.ddns.net:3440
192.168.0.14:3440
2d163b2b-eaf2-4077-9c9f-de0b77680d93
-
encryption_key
82A217D42F0FCA4A09032979DC25A2A7FD7E9698
-
install_name
explorer.exe
-
log_directory
crash_report
-
reconnect_delay
3000
-
startup_key
explorer.exe
-
subdirectory
windows
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 10 IoCs
-
Executes dropped EXE 16 IoCs
-
Drops file in System32 directory 33 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 15 IoCs
-
Suspicious use of AdjustPrivilegeToken 17 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\baritone.exe"C:\Users\Admin\AppData\Local\Temp\baritone.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\QC9xjLs41zjq.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\IhjBepQV3P2b.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\2WDIH3Dcdu3l.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\vci9OhXmrwAj.bat" "9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\3eiRMPRTnoe1.bat" "11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\mjO4ArB37AiE.bat" "13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\xO93c3M7GdFV.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"16⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\0txJM9jyBxCS.bat" "17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\CI0AP1NCXYK5.bat" "19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\o9u5RY1jw1GG.bat" "21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\ZPdhGLwdXWaK.bat" "23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\keW6G087wMno.bat" "25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"26⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\DQCkABatEuKt.bat" "27⤵
-
C:\Windows\system32\chcp.comchcp 6500128⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"28⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\QGa1taBqcDav.bat" "29⤵
-
C:\Windows\system32\chcp.comchcp 6500130⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost30⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"30⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\cWv8Fpn8yQOZ.bat" "31⤵
-
C:\Windows\system32\chcp.comchcp 6500132⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost32⤵
- Runs ping.exe
-
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"32⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
199B
MD595809f975cfb497271de8fe79d45e945
SHA13c1c83c559f37742f2b53b263c3a02ea1ba79f7a
SHA256839e297a7a89dba19fff46505baccb447601c32483eb11f6db343d7ed94b605b
SHA5125eeb1579e08129514fafc8819df4de96b2553378c22814d46e039a643431481f7a45e6bce3f3d00025c2ef182b92273e546fb3e233d896c2601e1aa164c6025f
-
Filesize
199B
MD512f74db4c4e4e7fc11a62aac8885f499
SHA175d9146eddc3a716a8b94f578e06466d37c5d988
SHA256bfb119d99e254ef485362dbf1573a963a15a0960d55c85df6fdcd68c18134e68
SHA5121ab9db4ac4213ef70c79434b855a59816ce34da5618f2746373a8b3b72e0781636ccff09b343dcaa71b5ef5286dbbe869fcba299419deec46ad5fd689ff6fa59
-
Filesize
199B
MD553e5f28121b3efc1e8e814c38f8ced9b
SHA138f8ed2f4224cb05a6369fd6df15bb7b8c072090
SHA2566684f39d84caafcdf62a6ad306d5b0aa6af72da04ae2b162d8d3caeca0487123
SHA5127750ab275d3eb7e90fbf4bf23e1c3ffe7511a5281bd8a45fd6905d80544c971d94d1b2ad4d08fa12e4416c92647286f75ebea515d655e9a906239b322fd470c9
-
Filesize
199B
MD5150c0d5985bc3aadd2c7cbe6e89ec682
SHA10b4abeeb8f79cc2ecfa89f3cecfb93d929599cb5
SHA256d8f184c5b2d685211cc554b509efdf55f1178963a03ca55c49e39e2e1608007a
SHA5129c72d7761e5115046d96057a3c4adad5b68b4595becbdb28e2db9ac6a15fab8a467c3f2a238371e287f46fdc434a660593d634fadd6255822c8664a3c45138d1
-
Filesize
199B
MD5349f7e7b227866772ea3159c7cf79a58
SHA1df2781dad1d1bca53a9fa71855e0eda10e1c2ecc
SHA256d69194be5681cb3aaae1773b269857e1ffd8ce95308621d60905de6714b3b878
SHA51243f3913e847f95cb4f2f26b29b1116f44272c5954f9a9d6535d24407028884acbd6e7514dc899205f4837c092f0798db8e395e1a2d008c39e66a290089dc4d7e
-
Filesize
199B
MD596a75fd0633362e7aba29d8d458cc6bc
SHA1fcc9fab4629d38d314bea6611faf5d121996f8ed
SHA256d09bacc85ae5395daaa9e06aa4dd026a24812e7dba848fcceb7faadec55a936b
SHA5124ec4ad2d55c4c1189d9687260dc009807382ffdfee3eeba3fd383bda9fa4d704d6ea18691015926fb16be7b4e5b43b2492700867ca6bb1baf13e2fe52f05c2e3
-
Filesize
199B
MD54a1036bcb436cced079065e1d993a0f8
SHA13c2a0b9fb9e1b82f914a9c7f4797338dde30164a
SHA256867721d642b3ebdd12e2ce5e5c184d17789aaef83dc97883c4f91ebcc982a25c
SHA51234a97a2484742f0d2f12de07804bc76bbd3ac6114dbd25e8c4236a329b9f990faf67e9b7795fe307b5a80e810e44633bf6ee251eaa00b76b4078ea037a78d650
-
Filesize
199B
MD582ee29a1ee7f7090e7a8279276f7f5b8
SHA1658087607264a2804fe2369de92f4838e454060b
SHA256e7c14d0b36aab2fb56e0136882fe2f1b80a3fc75a6acc305112d3dd27fb394f7
SHA512de895065964dc286f5c220e0da0fda51af6c4328581785e8c18d2d08481eb15a992f0ccd29a0d41b6997c30de2be830f859304f38e663706a5003e56ce917dff
-
Filesize
199B
MD54b9dec432acf4a9ec707ea457a3d464d
SHA10b6a04a3479908e910f70c33702c9d9715f32db5
SHA256b1f22e530c846f9d7de5fc0badf79cc1e30b989ed77be0bbf3ad743731cdc2f1
SHA512c82b32b22cc9294d022c55371e458d50c4daf221a1ee39377f62196e50ef28182347181558a98764db089017c6459ce974ab8a2310cba2b621675155883b346e
-
Filesize
199B
MD51264a95dbae308a96c1eda906308e765
SHA183d1cbbd1b2439ceda61af822b68ee5bdb9ab4cf
SHA256d0f96fb9c0728c70f93c4d40245db37d10afbe83883d46b8d22b6813c8d980cb
SHA5120a14273900bff1cd797351f4702b9ab9dddc835d369e9a1e8caf5f02d8c1b4dce260cfd38099049b8c431cf05e8dc948a89df028546d5429b496fd2cfdf5d887
-
Filesize
199B
MD515d0ca8bc5695e714efd9d0a635c892a
SHA17419d83870716938b63a819076ea211ce8521456
SHA2563c1897ae873c78cc3519d4e7514d554a306beb6404cfab24be559991e2d569e5
SHA5123bdbd632586fd49a470a8b5c8fb50a2b4d7dcd333af4dda4d5f05e93f2e9553879e24382a57aad3f33b06f50618d3ae398cc10ac9cf0c4920ef109cbb7440ca7
-
Filesize
199B
MD57b287c867cb9d7f637eaa966a879fcda
SHA17546a43e49e9eb1c9b53da68c6e98d60b692a6b5
SHA256bc88dfb3a70df7c1a2d69b0204b8f03b50ace7bee008e0434b80b359d25e6b4c
SHA512f896e3639cee6f9d3ffc00a2adf9af3209f5d4331b856bc5ff560edda232bb436fe242da3de49f03cb5dcb090351138c9786c791ec9b23e31762d249b45bede1
-
Filesize
199B
MD5265ad064da7a3b5b40e060a06dbb6029
SHA187dcd9a870d8a97ec7d531f364f3f060dbe12b14
SHA256d49529adea6f7a9c4673b1b4ef82ecf4772a234d0f65113b8bd676c7f3bf8960
SHA5121a44f83327db3126d60eab09a67661292eadd095e07617b03ac9654790f2ac75c9c3d2d25972e44418e9dd4f6ad61c7cdb381a1789fe390d3e0526d67b5eaa7d
-
Filesize
199B
MD5ce5ad17d3d129d30055c2b8e1a3126ad
SHA1232977098ec9dbc2fd47df4fc725d9df37432f03
SHA25668babdc44ec9c4e89ed8d9af3c3bd5ed3b85f8a806a2ee0ec15b3c692464b42a
SHA512f5a4290ab92afcf14607d6cfa9ead993736f45978d9d26af55f3843294e32356b24ab3b02cd3d1f39c3ad05b52b1727b8b915d13072f3cbcf020cf02fcee69db
-
Filesize
199B
MD57b9e5daf36e689fd73185861f8cc1cde
SHA18723c4e801bd493e721cdfe234d4df9df81f34ce
SHA256f164cd615ed3a91b7de8fff16efcca2cfb1cc6e0c80fbe6decb081f904519077
SHA51252b085d20908da066a83f1153561c7ca189ea33cfebab9943fcb29c955cc9ef2a73f7444161d068a642151fe304dd5427c5c2e44131a22294463ef44d62a430e
-
Filesize
502KB
MD5bf1f011e9664823aeb1c386eeb9e5c90
SHA13a15112a330446b895811549a857d0d92763cf1a
SHA256412693c6a8fa7142d55bdca7f0473ba66582155399b49f7eacee55f4d78dfd7a
SHA512584dfe97edefc6c8f8d96a3589fbf84701846a16f6c71625772c3a56763bb51303c476c808f9e68c55899f5e61ee2a98f7805f54703b62838b8cc9b65715bb44
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB
-
Filesize
528KB