Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
-
submitted
29-05-2024 14:51
General
-
Target
baritone.exe
-
Size
502KB
-
MD5
bf1f011e9664823aeb1c386eeb9e5c90
-
SHA1
3a15112a330446b895811549a857d0d92763cf1a
-
SHA256
412693c6a8fa7142d55bdca7f0473ba66582155399b49f7eacee55f4d78dfd7a
-
SHA512
584dfe97edefc6c8f8d96a3589fbf84701846a16f6c71625772c3a56763bb51303c476c808f9e68c55899f5e61ee2a98f7805f54703b62838b8cc9b65715bb44
-
SSDEEP
6144:NTEgdc0YxXAGbgiIN2RSBDuZnqUBlh/eKTFwQHocEAAb8F98IHsyzMcTR3u:NTEgdfYtbgvuIA5FwQj+HyzMcdu
Malware Config
Extracted
quasar
1.4.0
infectado
elpepemanca.ddns.net:3440
192.168.0.14:3440
2d163b2b-eaf2-4077-9c9f-de0b77680d93
-
encryption_key
82A217D42F0FCA4A09032979DC25A2A7FD7E9698
-
install_name
explorer.exe
-
log_directory
crash_report
-
reconnect_delay
3000
-
startup_key
explorer.exe
-
subdirectory
windows
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Checks computer location settings 2 TTPs 15 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 15 IoCs
-
Drops file in System32 directory 31 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 15 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 20 IoCs
-
Suspicious use of FindShellTrayWindow 39 IoCs
-
Suspicious use of SendNotifyMessage 39 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\baritone.exe"C:\Users\Admin\AppData\Local\Temp\baritone.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6xeP5hPGRy85.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pgGUtJRnKk5C.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AJPqXaPLQ1gd.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAEZShmWVYtV.bat" "9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oM18XswOMLLm.bat" "11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\om3hQvhwnDud.bat" "13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BW9P5S1AiNzG.bat" "15⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GexkVIhK3xXY.bat" "17⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ug1YiczenXvZ.bat" "19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UfcaJxd0a9oD.bat" "21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swBJ9t4NFXIR.bat" "23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sotTpRJzBPzm.bat" "25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\obUrJqUq3PuM.bat" "27⤵
-
C:\Windows\system32\chcp.comchcp 6500128⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost28⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\a0GWgT5i7hMZ.bat" "29⤵
-
C:\Windows\system32\chcp.comchcp 6500130⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost30⤵
- Runs ping.exe
-
C:\Windows\system32\windows\explorer.exe"C:\Windows\system32\windows\explorer.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nGH0A02DbtAN.bat" "31⤵
-
C:\Windows\system32\chcp.comchcp 6500132⤵
-
C:\Windows\system32\PING.EXEping -n 10 localhost32⤵
- Runs ping.exe
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD58f0271a63446aef01cf2bfc7b7c7976b
SHA1b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA51278a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
Filesize
199B
MD5e640829734ffd9bb0f292c98a26f232e
SHA16ba46896b8a27342b60e26b85c8f49ded1a11b6a
SHA256758723483165d598372bf25fe06ce17d12a95d909eea53b2a92818f4af9e6e5e
SHA5124be09b04835f6b198eca4a51ca6928367d23ce1d470b1cbb30f2908dade7c4249a4d611b5874ab0912de8102590b6a4505a4c6640064f14d4a6f86ceb874212e
-
Filesize
199B
MD58db52e238e6218f09582d72cf1ead70d
SHA1022a91d87a1d6ca747bb3d8e2754cc7e7207a855
SHA25604b908525f553dc7bc4640fcb2839eaae417f683e520d1fc95c140a43acf4f34
SHA512ce6a77c62e6de7aee0ae79d33d0e48d004442f3502672a82c1c03df4f1ecdbe28a33c32ba3af841e2029a5583831c3f62ae29e4129121fccee0b735cf5ad6048
-
Filesize
199B
MD5378d314b67d41fb4fb67ab15edfbae82
SHA159c29ae9d780d12dde141c7bf481aafbac171645
SHA256bf6f0d44d70fbc9164499d1a342dd27c83296b4b4e9455a176c584500992cea7
SHA512da502d6f98449cf9f25a163d93e3fee09e094c89bbe6fbe5afba4fb40594e3592af5bf1063a44bf774e406134c8ac031914a4e3e099ee209c9ed4034d5023486
-
Filesize
199B
MD533241f6dfe1c7f2f0eef27b0021eb6d0
SHA1611221f589939129dee13f99917cf1b90156fd47
SHA256be91d0076b6b9391c3b11eee02500947d4882951f9157e2b206316606cc264b1
SHA51252b649ab47b52509181c3d62a42ad9045e47279de787c1ce20e779beac45168a3a812dfb15c8a8dc400ed80bb7704e31e116d8e1ae36855e37b67ffe4f0f8a08
-
Filesize
199B
MD54a959d594d812f1a7b7fe5d288ccf268
SHA13d45358cd0351caa5e5500d1dda094ce263b5271
SHA25678188abc546f0f3ba27fefeb22330cf174bd2a5e42f1810cae37ba8b8daf7cf7
SHA5127407aae15ebc6846e3075098752c485e4c32e1751f3b940c17d2b27107fd60e4ed30508f0969b4d932d2dd7ba09e6dd261856ba99343d60822b4c6fe8fd6644d
-
Filesize
199B
MD533951cb4f940261071a727cdbcd2f58c
SHA11adb641d8170b09fee9a02cedab4c8a5d6cdae25
SHA256f6f1df11af6280a0c5881702ee254495930aa03e074dfc7dedf039e75baf9af6
SHA5120bb453fa0f74283c68ca1e5604b250daaf7a565e57fe571c40a7b2df96751ebfa553e90a3dc964b4ea01e8954e271ad60d0681d686b234cb1ddb3c97c2fdfda9
-
Filesize
199B
MD5502e7adc7931ee7f5ce89f56bded3133
SHA17c9aaa1459e04b2d4e39b3035ee3ff7b5bee35fe
SHA2563a5aa178a0920d1fc6146312730a616c3699551ee4aae0da99545afb3edb4b02
SHA5124b8d6b8f7c9f9c95c365ba16cf01012e846d4017c8eca75652c74921f7b6fe4f97c4cd1bd892c42ea520ac210396fb7c1be424ccca664ffde38a99292f898e8b
-
Filesize
199B
MD540475359a453ea0e5365570daf9a4864
SHA159118bc6e73fc8e480f541cd02fec840195d8496
SHA256dcf5486eefb7fef3498801f3faf81581d321f7f0341d71a9b3b69d5d7181c471
SHA512bddc2581843be4e930b34b0d2a1aea4cda1bed0d28ef4f7046293c27a6e0a6b6c13f3d5de84f4e497c6bf6e0c408d9a4ec271a6a3960fb83f5db39c7d03e3e32
-
Filesize
199B
MD5c41318e697f601a5c8f09af9c1a7a138
SHA13f0d5deba65f3bed3c38e3e95210e4fcc021fc4a
SHA2562f4afc6e2ddd780752383f166f8880453e3f4c19a4c9b3202b2ea8293cb9575c
SHA512c2718d177cce1427ceb9c093b2f17ec30d0b90e4ffe34c41f74e8ed549632a7f1a4d2104e64eab1636248048fb9ef95956d68c3a522ce3df0b9f4c4e85287e50
-
Filesize
199B
MD548cee536ff89f3e2aef238d5e4626791
SHA1ad5a4eec0fd61e314c5c694678519a028726e513
SHA256aa4cd650fcea3a486c517d7587fc39742b10785426a72f06e24092b74f4ef346
SHA512b94bd4781747ea344ff30ab5f7b49060c73268b86aab6c50bcff6d318f20a68444aa09906e98d8bf62041f99133d182d0f70795969918cf12395225870a2a14b
-
Filesize
199B
MD5e5602e39c8ea5d37d7f90fefa52fdac2
SHA1340001fdc7dc51592d0df242eb13c4f1046c24a1
SHA25630d7f7318eb9b10a5c5f1611989a27778f13550cb1a2e612e1413ebeb8f1e678
SHA5128fd67c97b87500a7c7a79e1f99eb16aeb48b49997f275a3f0ca8ee26798bd3b5b430b6d010f9ed1c4417ed2724a270ec1b6e671860bd5fb14b990d051b671dac
-
Filesize
199B
MD5208060fbf05e5c5b4eb9568dfe887e00
SHA152cd760bc1772f26da7bdf0c2ce015cd0c460605
SHA256b31e86331adf48ed8175524acf3d43df84f807868eece25ab8bc53dbcca7c773
SHA512aee1a6a1a3f8b18d6dd2b6729cb04b30111d43f825b5c340fbe87aa1e15e81457f5fed36fc489ff7f9c8e5ded4c46472a154a7499fa713fc574514bf11d82e14
-
Filesize
199B
MD58b0948b5ea703935955cce0ce8868647
SHA100da9bc023d5f0556957fe3858db7d57044a483f
SHA25671effa7e658fd4557bb30bc2142b0b94277816b877c68fdbecd1d015b564edd6
SHA51254e818d9f28a6993759d0ab143386627ac76a0bf64e73d4966b368ba93b632c0ab11da0b187fb7134384aeb737b6b124a01bc4e46fb7ec776e6abce45b433929
-
Filesize
199B
MD568e5c5372a5880718a7180096d1efc1a
SHA10490ae10071d4e2f8023fdbdec5b1ac62d1d8503
SHA25686acf996b18f940eb8017a2121d095a0c791f72df8ffb6735254c20f34fbc2c5
SHA512f36913fe51f96ab324a3b567ef40459a1b907fbc0cbc576cba94d075d8b051c06d0ec8f267b24c61ee4cdf24a00324b60efd6c2717a692982e5a3b1a46104177
-
Filesize
502KB
MD5bf1f011e9664823aeb1c386eeb9e5c90
SHA13a15112a330446b895811549a857d0d92763cf1a
SHA256412693c6a8fa7142d55bdca7f0473ba66582155399b49f7eacee55f4d78dfd7a
SHA512584dfe97edefc6c8f8d96a3589fbf84701846a16f6c71625772c3a56763bb51303c476c808f9e68c55899f5e61ee2a98f7805f54703b62838b8cc9b65715bb44
-
Filesize
528KB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB