Overview

overview

10

Static

static

10

getrat.exe

windows10-2004-x64

10

getrat.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    191s
  • max time network
    214s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-06-2024 12:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    getrat.exe

  • Size

    409KB

  • MD5

    18b1039a3013abc959410add72aab2d2

  • SHA1

    23fc4f25ea5bcb635254b8b6ef6cb79d05f4372d

  • SHA256

    74072cb82f64ed34239c3841331663624e148cf50d7dc9cf340c71ebff24e6fd

  • SHA512

    924791c7854c522e772e531dfa9fbf44be6f8da3532a82135138d6b5b803f190e680988436b55b64f29ca6cf2eb0af397769d299ce00f48200ea66b1c04964df

  • SSDEEP

    6144:jMs9p1kREG60olIZHeDzCNz3IqR21C7+bXakEA8b/jt/vIBKPrx5:LpiREGJ3ZHeDzC7RHiSXt/vIB0rv

Score
10/10
quasarseroxen | v3.1.5 |persistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen | v3.1.5 |

C2

adult-mai.gl.at.ply.gg:51745

Mutex

$Sxr-jy6vh8CtEJL5ceZuIb

Attributes
  • encryption_key

    1TbGeXOsJEBH7iT0wKPt

  • install_name

    $sxr-powershell.exe

  • log_directory

    $sxr-Logs

  • reconnect_delay

    3000

  • startup_key

    lol

  • subdirectory

    $sxr-seroxen2

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\getrat.exe
    "C:\Users\Admin\AppData\Local\Temp\getrat.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3544
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "lol" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\getrat.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:5368
    • C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe
      "C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3272
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "lol" /sc ONLOGON /tr "C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:5976
    • C:\Windows\SysWOW64\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77getrat.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\getrat.exe'" /sc onlogon /rl HIGHEST
      2⤵
      • Creates scheduled task(s)
      PID:4360
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3724 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:948
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      1⤵
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3124
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:5100
      • C:\Users\Admin\AppData\Local\Temp\getrat.exe
        "C:\Users\Admin\AppData\Local\Temp\getrat.exe"
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4304
        • C:\Windows\SysWOW64\SCHTASKS.exe
          "SCHTASKS.exe" /create /tn "$77getrat.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\getrat.exe'" /sc onlogon /rl HIGHEST
          2⤵
          • Creates scheduled task(s)
          PID:6124

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      1
      T1012

      Peripheral Device Discovery

      1
      T1120

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\getrat.exe.log
        Filesize

        1KB

        MD5

        10eab9c2684febb5327b6976f2047587

        SHA1

        a12ed54146a7f5c4c580416aecb899549712449e

        SHA256

        f49dbd55029bfbc15134f7c6a4f967d6c39142c63f2e8f1f8c78fab108a2c928

        SHA512

        7e5fd90fffae723bd0c662a90e0730b507805f072771ee673d1d8c262dbf60c8a03ba5fe088f699a97c2e886380de158b2ccd59ee62e3d012dd6dd14ea9d0e50

        Download Submit
      • C:\Windows\SysWOW64\$sxr-seroxen2\$sxr-powershell.exe
        Filesize

        409KB

        MD5

        18b1039a3013abc959410add72aab2d2

        SHA1

        23fc4f25ea5bcb635254b8b6ef6cb79d05f4372d

        SHA256

        74072cb82f64ed34239c3841331663624e148cf50d7dc9cf340c71ebff24e6fd

        SHA512

        924791c7854c522e772e531dfa9fbf44be6f8da3532a82135138d6b5b803f190e680988436b55b64f29ca6cf2eb0af397769d299ce00f48200ea66b1c04964df

        Download Submit
      • memory/3124-35-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3124-29-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3124-31-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3124-32-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3124-33-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3124-34-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3124-25-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3124-30-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3124-23-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3124-24-0x0000018AA5CF0000-0x0000018AA5CF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3272-15-0x0000000074DA0000-0x0000000075550000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3272-19-0x0000000006B20000-0x0000000006B2A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/3272-20-0x0000000074DA0000-0x0000000075550000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3272-14-0x0000000074DA0000-0x0000000075550000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3544-6-0x0000000005F20000-0x0000000005F32000-memory.dmp
        Filesize

        72KB

        Download
      • memory/3544-17-0x0000000074DA0000-0x0000000075550000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3544-9-0x0000000074DAE000-0x0000000074DAF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3544-7-0x0000000006360000-0x000000000639C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/3544-0-0x0000000074DAE000-0x0000000074DAF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3544-5-0x0000000005320000-0x0000000005386000-memory.dmp
        Filesize

        408KB

        Download
      • memory/3544-4-0x0000000074DA0000-0x0000000075550000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/3544-3-0x0000000004F10000-0x0000000004FA2000-memory.dmp
        Filesize

        584KB

        Download
      • memory/3544-2-0x0000000005410000-0x00000000059B4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/3544-1-0x0000000000490000-0x00000000004FC000-memory.dmp
        Filesize

        432KB

        Download