Analysis Overview
SHA256
d0397cc6f8f74d67be54ba27842dcf8ebf8cf5515b3ca63d373ef9b7087b14cd
Threat Level: Known bad
The file Ratlol.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar family
Quasar RAT
Executes dropped EXE
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Creates scheduled task(s)
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-09 02:35
Signatures
Quasar family
Quasar payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 02:35
Reported
2024-06-09 02:37
Platform
win10-20240404-en
Max time kernel
1s
Max time network
29s
Signatures
Quasar RAT
Quasar payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ratlol.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3748 wrote to memory of 164 | N/A | C:\Users\Admin\AppData\Local\Temp\Ratlol.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3748 wrote to memory of 164 | N/A | C:\Users\Admin\AppData\Local\Temp\Ratlol.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3748 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\Ratlol.exe | C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe |
| PID 3748 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\Ratlol.exe | C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe |
| PID 2400 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2400 wrote to memory of 3616 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Ratlol.exe
"C:\Users\Admin\AppData\Local\Temp\Ratlol.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1bw2suixlcBL.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9B7DVKiyAKNS.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tHN9jb0rQTQz.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Balls" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe" /rl HIGHEST /f
Network
Files
C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe
| MD5 | 00d91ad6e1ab33673de0fa1fcc40b3d9 |
| SHA1 | 238265a76591f9ed06fdfdb3ae0414d72f5ee804 |
| SHA256 | d0397cc6f8f74d67be54ba27842dcf8ebf8cf5515b3ca63d373ef9b7087b14cd |
| SHA512 | 82a446bf9696467be5b51230dbd2c5c48e48e0c844f3e08e8a1fc5c094eb9cb63d1fd723fb8eda0992f8509eb8a5a1a71b9a9dd65549d7f7f0e0f4614feeb9e0 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Ratlol.exe.log
| MD5 | d63ff49d7c92016feb39812e4db10419 |
| SHA1 | 2307d5e35ca9864ffefc93acf8573ea995ba189b |
| SHA256 | 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12 |
| SHA512 | 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a |
C:\Users\Admin\AppData\Local\Temp\1bw2suixlcBL.bat
| MD5 | 3a8b1de46f2a49724372c5531ccbb575 |
| SHA1 | 5907dc43b6bfb900e60b00f518e60d5a9f707073 |
| SHA256 | 8d9aba7cb3007d0cd63dd6a11d529181bf6f4b62656d57ce42bc45bb74a60f70 |
| SHA512 | 531b2d20262d8f9630d64942caee123e55b3b3e33ce25625500ad7d07cbff6889ddd204aa9614f64afcaa68740da02c6d4994dc93abd28f0d96c2fc3b76221bc |
C:\Users\Admin\AppData\Local\Temp\9B7DVKiyAKNS.bat
| MD5 | 36ff718798703526854e76bc7c6a44de |
| SHA1 | 8a7df1db116584544566333fee09325b8f28682c |
| SHA256 | 1aab5f8c798e29db35da08dd4d61cb4dc2caa7d30e7357b3d9bcea61be34d2ff |
| SHA512 | fb1258e3d724d46b1f62b56f2d9d69726751291a9bcfd57e0e272981779be4d1d6ff3f5c9e73e3e3aadba3f9e1d90ba4ff2271f3e3e0e9cba464f025d60681fd |
C:\Users\Admin\AppData\Local\Temp\tHN9jb0rQTQz.bat
| MD5 | 3ec498e70c9e73b49cccfb1a189f7bf3 |
| SHA1 | 43a920311444201a6960b370b2e8a6facc7af38e |
| SHA256 | 8de0e94e7c20621d79f0cb84000710fe3920d900f324e679229f3a75fe459c0b |
| SHA512 | fcc7571ae80efe3086753cb3b1395c2d2ed932eb6a3741566acd48eaf64cbc525286e9ef23b63c805775bb1bfe65466471f76d2edb8ceb6aedfd3b21ee6634ff |
C:\Users\Admin\AppData\Roaming\SubDir\Ratlol.exe
| MD5 | 4d34fb2508c3cc5668544557f8f9b1c5 |
| SHA1 | cb49c9db36a443f7a63e84495662e6abb04f1f39 |
| SHA256 | f778fa96479a8e72de1408fe8863ee8563cea9bf7955f074714db0874c712c66 |
| SHA512 | 10fe73196a499ef3027894fddf2f9f2f85a4d3d2e1106b15e347cbdd0f8be1420bcda881d6caf3ca95512cef3ba9536b46409d7fc96d3a7bf6f4d6ad0c3d0acb |