Overview

overview

10

Static

static

10

Silent-Skull.exe

windows10-1703-x64

10

Silent-Skull.exe

windows10-2004-x64

10

Silent-Skull.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    225s
  • max time network
    217s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-06-2024 17:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Silent-Skull.exe

  • Size

    348KB

  • MD5

    8436d16727f4b911f5480809103baa87

  • SHA1

    50a1b81af0bf85af5a3ef841fe49746675313120

  • SHA256

    2dec7d06740585afafca969de80238be1d58bdb8172d45b71b47f3fe9fc9e220

  • SHA512

    ae668799e2caca582c437271e7ee51c5d679a64a7dec26e4a31909bf948d6c9f0d467a2d39b625af8471267431adeec70b89513100690c6937aae21e1b6c521d

  • SSDEEP

    3072:9FxkhjvK3tFGW8jrQ+G/3NFZLZICSAr0EXZtiNLBPp64PFvqv5bnux7E3MpdMGTE:9LL3HRsM+OFZL2HL7CRbu+8gYdfDIui

Score
10/10
quasarclientspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Client

C2

runderscore00-61208.portmap.host:61208

Mutex

QSR_MUTEX_q1SPcFNLEQ1FIcq9Po

Attributes
  • encryption_key

    qQYEXzkyhZKvRSzcxALx

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Silent-Skull.exe
    "C:\Users\Admin\AppData\Local\Temp\Silent-Skull.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4648
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rXS4lbpNXJTY.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:3632
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          3⤵
          • Runs ping.exe
          PID:2940

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\rXS4lbpNXJTY.bat
      Filesize

      264B

      MD5

      810bc9cece53536adb41e4a3b5475343

      SHA1

      cee6b8accf5c5aa747ab0b8a9a2531659a2c968c

      SHA256

      76d2ba4aab10907f8ed2316aaa51f8e829df9e37bd5d58c099ea44e197571390

      SHA512

      de386aafa0d3dad0678faafc839655e0a1dbc5d03a5d4eae10b0b414dfa6eefec38943dc43fe78cb3449cf16b6f5617ea3b9b07ef01bb1e8e0d3442886421bff

      Download Submit

    • memory/4648-6-0x0000000005C00000-0x0000000005C12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4648-2-0x00000000053F0000-0x0000000005994000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4648-3-0x0000000004EE0000-0x0000000004F72000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4648-4-0x0000000074BC0000-0x0000000075370000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4648-5-0x0000000004FF0000-0x0000000005056000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4648-0-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4648-7-0x0000000006140000-0x000000000617C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4648-8-0x00000000062E0000-0x00000000062EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4648-9-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4648-10-0x0000000074BC0000-0x0000000075370000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4648-1-0x0000000000470000-0x00000000004CE000-memory.dmp

      Filesize

      376KB

      Download

    • memory/4648-16-0x0000000074BC0000-0x0000000075370000-memory.dmp

      Filesize

      7.7MB

      Download