Analysis
-
max time kernel
277s -
max time network
294s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
-
submitted
02-06-2024 18:08
General
-
Target
Client-built.exe
-
Size
348KB
-
MD5
3f99cb13866f63a572bfc49f56e49a21
-
SHA1
e968e6c46296389f04660d6811298025a5eef76f
-
SHA256
45259ac5a1fd635f5b2a41492f4156cc8476afd8e8764a9d61d3158599a75fd8
-
SHA512
042bca3a560803e9e3a1704a92278bbb63ffa3c7b7217eb7602a3c0a5b14d4ad71adb92423e937276df4f1e0a31c6c1ab51ef922e2c3d6ded9cded185edbffb2
-
SSDEEP
6144:ecEHwNHJsa2x0Kx4IKhIBbIVhpXZVn/DOxpxnKACXsK:nxpsalT5XVhpXHrOxrnLcsK
Malware Config
Extracted
quasar
1.3.0.0
Client
runderscore00-61208.portmap.host:61208
QSR_MUTEX_UyCo16EyzQLUNZiVH0
-
encryption_key
AaATXyVYZ9AKtrWxhyCz
-
install_name
Client.exe
-
log_directory
Keylogs
-
reconnect_delay
3000
-
startup_key
Powershell
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "Powershell" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exeFilesize
348KB
MD53f99cb13866f63a572bfc49f56e49a21
SHA1e968e6c46296389f04660d6811298025a5eef76f
SHA25645259ac5a1fd635f5b2a41492f4156cc8476afd8e8764a9d61d3158599a75fd8
SHA512042bca3a560803e9e3a1704a92278bbb63ffa3c7b7217eb7602a3c0a5b14d4ad71adb92423e937276df4f1e0a31c6c1ab51ef922e2c3d6ded9cded185edbffb2
-
memory/2228-19-0x0000000074920000-0x00000000750D1000-memory.dmpFilesize
7.7MB
-
memory/2228-18-0x00000000065F0000-0x00000000065FA000-memory.dmpFilesize
40KB
-
memory/2228-16-0x0000000074920000-0x00000000750D1000-memory.dmpFilesize
7.7MB
-
memory/2228-14-0x0000000074920000-0x00000000750D1000-memory.dmpFilesize
7.7MB
-
memory/4500-3-0x0000000005420000-0x00000000054B2000-memory.dmpFilesize
584KB
-
memory/4500-6-0x00000000060C0000-0x00000000060D2000-memory.dmpFilesize
72KB
-
memory/4500-7-0x00000000065F0000-0x000000000662C000-memory.dmpFilesize
240KB
-
memory/4500-5-0x00000000054C0000-0x0000000005526000-memory.dmpFilesize
408KB
-
memory/4500-4-0x0000000074920000-0x00000000750D1000-memory.dmpFilesize
7.7MB
-
memory/4500-15-0x0000000074920000-0x00000000750D1000-memory.dmpFilesize
7.7MB
-
memory/4500-0-0x000000007492E000-0x000000007492F000-memory.dmpFilesize
4KB
-
memory/4500-2-0x00000000059D0000-0x0000000005F76000-memory.dmpFilesize
5.6MB
-
memory/4500-1-0x0000000000880000-0x00000000008DE000-memory.dmpFilesize
376KB