Analysis
-
max time kernel
225s -
max time network
255s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
-
submitted
03-06-2024 17:05
General
-
Target
Silent-Skull.exe
-
Size
348KB
-
MD5
8436d16727f4b911f5480809103baa87
-
SHA1
50a1b81af0bf85af5a3ef841fe49746675313120
-
SHA256
2dec7d06740585afafca969de80238be1d58bdb8172d45b71b47f3fe9fc9e220
-
SHA512
ae668799e2caca582c437271e7ee51c5d679a64a7dec26e4a31909bf948d6c9f0d467a2d39b625af8471267431adeec70b89513100690c6937aae21e1b6c521d
-
SSDEEP
3072:9FxkhjvK3tFGW8jrQ+G/3NFZLZICSAr0EXZtiNLBPp64PFvqv5bnux7E3MpdMGTE:9LL3HRsM+OFZL2HL7CRbu+8gYdfDIui
Malware Config
Extracted
quasar
1.3.0.0
Client
runderscore00-61208.portmap.host:61208
QSR_MUTEX_q1SPcFNLEQ1FIcq9Po
-
encryption_key
qQYEXzkyhZKvRSzcxALx
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Silent-Skull.exe"C:\Users\Admin\AppData\Local\Temp\Silent-Skull.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3AmYghhp9oRd.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\3AmYghhp9oRd.batFilesize
264B
MD549f4f48558134679737faed107d530ab
SHA10d6693d186ccba268493750232f74a785fcdfdc8
SHA2567251efdbdc9a894ba9a6ac7fd51c86e965d135e56ef24b597e4afc8bd2524580
SHA5123063652ca667ba0bdd799e3a0e43802eea09c55b333e1c6133c652073ae6e688e2bbddda18f66e1748cf74f2e1a7875c3bdad4fe0b66035164f8cf15d98c2efa
-
memory/1680-6-0x0000000005A00000-0x0000000005A12000-memory.dmpFilesize
72KB
-
memory/1680-2-0x00000000052E0000-0x00000000057DE000-memory.dmpFilesize
5.0MB
-
memory/1680-3-0x0000000004E80000-0x0000000004F12000-memory.dmpFilesize
584KB
-
memory/1680-4-0x0000000073910000-0x0000000073FFE000-memory.dmpFilesize
6.9MB
-
memory/1680-5-0x0000000004DE0000-0x0000000004E46000-memory.dmpFilesize
408KB
-
memory/1680-0-0x000000007391E000-0x000000007391F000-memory.dmpFilesize
4KB
-
memory/1680-7-0x0000000005DF0000-0x0000000005E2E000-memory.dmpFilesize
248KB
-
memory/1680-8-0x00000000060A0000-0x00000000060AA000-memory.dmpFilesize
40KB
-
memory/1680-9-0x000000007391E000-0x000000007391F000-memory.dmpFilesize
4KB
-
memory/1680-10-0x0000000073910000-0x0000000073FFE000-memory.dmpFilesize
6.9MB
-
memory/1680-1-0x00000000004D0000-0x000000000052E000-memory.dmpFilesize
376KB
-
memory/1680-16-0x0000000073910000-0x0000000073FFE000-memory.dmpFilesize
6.9MB