Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    03-06-2024 13:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    feb24955d3504654b50393efdafde20d

  • SHA1

    3e43172200820307c71d2885a94d4f40efd5cda7

  • SHA256

    6f732f4a61ca68e185972687c1ecd6a2fed2b25bea11dd81bb9c5d8f0e471bce

  • SHA512

    1547189a9a14f4fe7313d2bf07218c52b88128ca66d704ce0cb1ad1f529af6c87192c2f2f639f00718ed21cab5b0ebb14416e24c9b77c129ae54026de8f9b1fd

  • SSDEEP

    49152:Uv0iiN2tPa2vpJPylxhhC25D/Wv1zZLljFuvJmYoGdk/4THHB72eh2NT:Uv/q2tPa2vpJPylxhhz5D/WNjFAU

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.104:4782

192.168.1.104:50133

127.0.0.1:6000

DESKTOP-9IMIHQU:49736

127.0.0.1:4782

127.0.07.1:50133

192.168.1.104:6000
Mutex

03bae1e9-f5dc-4e0e-94fb-62a44e846020

Attributes
  • encryption_key

    1BDF94B25EA282E8D3B48C8D6810CDDC133AFA4C

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:1692
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:2564
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\aM9045fcLdjb.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:2136
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • Runs ping.exe
            PID:2004
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1352
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
              5⤵
              • Creates scheduled task(s)
              PID:1944
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\oHjzPNObDg3i.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:536
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2600
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • Runs ping.exe
                  PID:1108
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:1872
                  • C:\Windows\system32\schtasks.exe
                    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
                    7⤵
                    • Creates scheduled task(s)
                    PID:1148

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Persistence

      Scheduled Task/Job

      1
      T1053

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Remote System Discovery

      1
      T1018

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\aM9045fcLdjb.bat
        Filesize

        207B

        MD5

        947f39b2234f1d801c2f1d30e2a1ed5e

        SHA1

        378748f7503f84d36363fe3c9ca3041d161818ab

        SHA256

        233772c79f8b83a4b90d2d6e51b5d3b1183f38ecdcc7eac9029085ca7542bab5

        SHA512

        267a3a2df2bd015845c8e20b72dd96ceb94d90ce016ef7ea9b24874ae9cee170a252e84e370ccf88a6e8353c5bb1f06ddc091bd4176d8455c24a778e1cf8e600

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\oHjzPNObDg3i.bat
        Filesize

        207B

        MD5

        f4e32a20d919296d07420a6c5e32848e

        SHA1

        fc2e9e681fa9c49c3e6c6f8a11ce49346de6128a

        SHA256

        60f31b59df7b1f01c5c7800845e1efaddeb5c1b9b2ab39ac625bceadd3261bf5

        SHA512

        781aae9ab3a42e5b7e7b5c1dd95184d3d5305b85def850ffff7b4f41fb08bb1a9b7fe343f83419c189021bac4079ced2b36109d02bf6bf9804c17d7876d22e8f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        Filesize

        3.1MB

        MD5

        feb24955d3504654b50393efdafde20d

        SHA1

        3e43172200820307c71d2885a94d4f40efd5cda7

        SHA256

        6f732f4a61ca68e185972687c1ecd6a2fed2b25bea11dd81bb9c5d8f0e471bce

        SHA512

        1547189a9a14f4fe7313d2bf07218c52b88128ca66d704ce0cb1ad1f529af6c87192c2f2f639f00718ed21cab5b0ebb14416e24c9b77c129ae54026de8f9b1fd

        Download Submit
      • memory/2340-0-0x000007FEF5BA3000-0x000007FEF5BA4000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2340-1-0x0000000000120000-0x0000000000444000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/2340-2-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2340-10-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2904-8-0x00000000012A0000-0x00000000015C4000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/2904-9-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2904-11-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2904-12-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
        Filesize

        9.9MB

        Download
      • memory/2904-22-0x000007FEF5BA0000-0x000007FEF658C000-memory.dmp
        Filesize

        9.9MB

        Download