Analysis Overview
SHA256
956866f40e28cef19324cb165382d5cd5aee0b67c0cb9dd4a39f5bddc6ac56c4
Threat Level: Known bad
The file uni.zip was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Quasar family
Executes dropped EXE
Adds Run key to start application
Looks up external IP address via web service
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-10 15:30
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
234s
Max time network
305s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (17) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2400-0-0x0000000073BFE000-0x0000000073BFF000-memory.dmp
memory/2400-1-0x0000000000ED0000-0x0000000000F3C000-memory.dmp
memory/2400-2-0x0000000005BE0000-0x00000000060DE000-memory.dmp
memory/2400-3-0x00000000057B0000-0x0000000005842000-memory.dmp
memory/2400-4-0x0000000073BF0000-0x00000000742DE000-memory.dmp
memory/2400-5-0x00000000058B0000-0x0000000005916000-memory.dmp
memory/2400-6-0x0000000006400000-0x0000000006412000-memory.dmp
memory/2400-7-0x00000000067F0000-0x000000000682E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1724-13-0x0000000073BF0000-0x00000000742DE000-memory.dmp
memory/1724-14-0x0000000073BF0000-0x00000000742DE000-memory.dmp
memory/2400-16-0x0000000073BF0000-0x00000000742DE000-memory.dmp
memory/1724-18-0x0000000006CD0000-0x0000000006CDA000-memory.dmp
memory/1724-19-0x0000000073BF0000-0x00000000742DE000-memory.dmp
memory/1724-20-0x0000000073BF0000-0x00000000742DE000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
241s
Max time network
304s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Windows\CurrentVersion\Run\SeroXen = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\uni\\Uni - Copy (19) - Copy - Copy - Copy.exe\"" | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy - Copy - Copy.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (19) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2512-0-0x000000007375E000-0x000000007375F000-memory.dmp
memory/2512-1-0x0000000000C20000-0x0000000000C8C000-memory.dmp
memory/2512-2-0x0000000005A80000-0x0000000005F7E000-memory.dmp
memory/2512-3-0x0000000005580000-0x0000000005612000-memory.dmp
memory/2512-4-0x0000000073750000-0x0000000073E3E000-memory.dmp
memory/2512-5-0x0000000005500000-0x0000000005566000-memory.dmp
memory/2512-6-0x0000000005A50000-0x0000000005A62000-memory.dmp
memory/2512-7-0x0000000006650000-0x000000000668E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4336-13-0x0000000073750000-0x0000000073E3E000-memory.dmp
memory/4336-14-0x0000000073750000-0x0000000073E3E000-memory.dmp
memory/2512-16-0x0000000073750000-0x0000000073E3E000-memory.dmp
memory/4336-18-0x0000000006450000-0x000000000645A000-memory.dmp
memory/4336-19-0x0000000073750000-0x0000000073E3E000-memory.dmp
memory/4336-20-0x0000000073750000-0x0000000073E3E000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
234s
Max time network
289s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 52.111.229.48:443 | tcp | |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4440-0-0x000000007402E000-0x000000007402F000-memory.dmp
memory/4440-1-0x00000000002E0000-0x000000000034C000-memory.dmp
memory/4440-2-0x0000000005060000-0x000000000555E000-memory.dmp
memory/4440-3-0x0000000004C00000-0x0000000004C92000-memory.dmp
memory/4440-4-0x0000000074020000-0x000000007470E000-memory.dmp
memory/4440-5-0x0000000004CA0000-0x0000000004D06000-memory.dmp
memory/4440-6-0x0000000005810000-0x0000000005822000-memory.dmp
memory/4440-7-0x0000000005C00000-0x0000000005C3E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/200-13-0x0000000074020000-0x000000007470E000-memory.dmp
memory/200-14-0x0000000074020000-0x000000007470E000-memory.dmp
memory/4440-16-0x0000000074020000-0x000000007470E000-memory.dmp
memory/200-18-0x0000000006060000-0x000000000606A000-memory.dmp
memory/200-19-0x0000000074020000-0x000000007470E000-memory.dmp
memory/200-20-0x0000000074020000-0x000000007470E000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
254s
Max time network
305s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 232.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1544-0-0x00007FFF20A40000-0x00007FFF20C1B000-memory.dmp
memory/1544-1-0x0000000000C80000-0x0000000000CEC000-memory.dmp
memory/1544-2-0x0000000005A50000-0x0000000005F4E000-memory.dmp
memory/1544-3-0x00000000055F0000-0x0000000005682000-memory.dmp
memory/1544-4-0x0000000005690000-0x00000000056F6000-memory.dmp
memory/1544-5-0x00000000061B0000-0x00000000061C2000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3532-11-0x00007FFF20A40000-0x00007FFF20C1B000-memory.dmp
memory/3532-13-0x0000000005D90000-0x0000000005DCE000-memory.dmp
memory/3532-15-0x0000000006340000-0x000000000634A000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
246s
Max time network
299s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 232.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | tcp | |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/3892-0-0x000000007321E000-0x000000007321F000-memory.dmp
memory/3892-1-0x0000000000B60000-0x0000000000BCC000-memory.dmp
memory/3892-2-0x00000000058E0000-0x0000000005DDE000-memory.dmp
memory/3892-3-0x0000000005480000-0x0000000005512000-memory.dmp
memory/3892-4-0x0000000073210000-0x00000000738FE000-memory.dmp
memory/3892-5-0x0000000005560000-0x00000000055C6000-memory.dmp
memory/3892-6-0x0000000005890000-0x00000000058A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/220-12-0x0000000073210000-0x00000000738FE000-memory.dmp
memory/220-13-0x0000000073210000-0x00000000738FE000-memory.dmp
memory/3892-15-0x0000000073210000-0x00000000738FE000-memory.dmp
memory/220-16-0x00000000063E0000-0x000000000641E000-memory.dmp
memory/220-18-0x00000000069A0000-0x00000000069AA000-memory.dmp
memory/220-19-0x0000000073210000-0x00000000738FE000-memory.dmp
memory/220-20-0x0000000073210000-0x00000000738FE000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
235s
Max time network
291s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1536-0-0x0000000073CBE000-0x0000000073CBF000-memory.dmp
memory/1536-1-0x0000000000D30000-0x0000000000D9C000-memory.dmp
memory/1536-2-0x0000000005B00000-0x0000000005FFE000-memory.dmp
memory/1536-3-0x0000000005700000-0x0000000005792000-memory.dmp
memory/1536-4-0x0000000073CB0000-0x000000007439E000-memory.dmp
memory/1536-5-0x0000000005600000-0x0000000005666000-memory.dmp
memory/1536-6-0x0000000006260000-0x0000000006272000-memory.dmp
memory/1536-7-0x0000000006650000-0x000000000668E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2400-13-0x0000000073CB0000-0x000000007439E000-memory.dmp
memory/2400-14-0x0000000073CB0000-0x000000007439E000-memory.dmp
memory/1536-16-0x0000000073CB0000-0x000000007439E000-memory.dmp
memory/2400-18-0x0000000006AB0000-0x0000000006ABA000-memory.dmp
memory/2400-19-0x0000000073CB0000-0x000000007439E000-memory.dmp
memory/2400-20-0x0000000073CB0000-0x000000007439E000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
255s
Max time network
306s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 196.165.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2916-0-0x0000000073ACE000-0x0000000073ACF000-memory.dmp
memory/2916-1-0x00000000003E0000-0x000000000044C000-memory.dmp
memory/2916-2-0x0000000005250000-0x000000000574E000-memory.dmp
memory/2916-3-0x0000000004D50000-0x0000000004DE2000-memory.dmp
memory/2916-4-0x0000000073AC0000-0x00000000741AE000-memory.dmp
memory/2916-5-0x0000000004DF0000-0x0000000004E56000-memory.dmp
memory/2916-6-0x0000000005210000-0x0000000005222000-memory.dmp
memory/2916-7-0x0000000005D00000-0x0000000005D3E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/2720-13-0x0000000073AC0000-0x00000000741AE000-memory.dmp
memory/2720-14-0x0000000073AC0000-0x00000000741AE000-memory.dmp
memory/2916-16-0x0000000073AC0000-0x00000000741AE000-memory.dmp
memory/2720-18-0x0000000006300000-0x000000000630A000-memory.dmp
memory/2720-19-0x0000000073AC0000-0x00000000741AE000-memory.dmp
memory/2720-20-0x0000000073AC0000-0x00000000741AE000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
233s
Max time network
291s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2924-0-0x000000007373E000-0x000000007373F000-memory.dmp
memory/2924-1-0x00000000006D0000-0x000000000073C000-memory.dmp
memory/2924-2-0x00000000054A0000-0x000000000599E000-memory.dmp
memory/2924-3-0x00000000050E0000-0x0000000005172000-memory.dmp
memory/2924-4-0x0000000073730000-0x0000000073E1E000-memory.dmp
memory/2924-5-0x0000000004FA0000-0x0000000005006000-memory.dmp
memory/2924-6-0x0000000005C00000-0x0000000005C12000-memory.dmp
memory/2924-7-0x0000000005FF0000-0x000000000602E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3480-13-0x0000000073730000-0x0000000073E1E000-memory.dmp
memory/3480-14-0x0000000073730000-0x0000000073E1E000-memory.dmp
memory/2924-16-0x0000000073730000-0x0000000073E1E000-memory.dmp
memory/3480-18-0x0000000006E30000-0x0000000006E3A000-memory.dmp
memory/3480-19-0x0000000073730000-0x0000000073E1E000-memory.dmp
memory/3480-20-0x0000000073730000-0x0000000073E1E000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
234s
Max time network
293s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (15) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1260-0-0x00000000732CE000-0x00000000732CF000-memory.dmp
memory/1260-1-0x0000000000720000-0x000000000078C000-memory.dmp
memory/1260-2-0x0000000005450000-0x000000000594E000-memory.dmp
memory/1260-3-0x0000000005050000-0x00000000050E2000-memory.dmp
memory/1260-4-0x00000000732C0000-0x00000000739AE000-memory.dmp
memory/1260-5-0x00000000050F0000-0x0000000005156000-memory.dmp
memory/1260-6-0x0000000005D90000-0x0000000005DA2000-memory.dmp
memory/1260-7-0x0000000006180000-0x00000000061BE000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4012-13-0x00000000732C0000-0x00000000739AE000-memory.dmp
memory/4012-14-0x00000000732C0000-0x00000000739AE000-memory.dmp
memory/1260-16-0x00000000732C0000-0x00000000739AE000-memory.dmp
memory/4012-18-0x0000000006020000-0x000000000602A000-memory.dmp
memory/4012-19-0x00000000732C0000-0x00000000739AE000-memory.dmp
memory/4012-20-0x00000000732C0000-0x00000000739AE000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
234s
Max time network
292s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (18) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.189.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/764-0-0x00000000732AE000-0x00000000732AF000-memory.dmp
memory/764-1-0x0000000000C70000-0x0000000000CDC000-memory.dmp
memory/764-2-0x0000000005AA0000-0x0000000005F9E000-memory.dmp
memory/764-3-0x00000000055A0000-0x0000000005632000-memory.dmp
memory/764-4-0x00000000732A0000-0x000000007398E000-memory.dmp
memory/764-5-0x0000000005640000-0x00000000056A6000-memory.dmp
memory/764-6-0x00000000062E0000-0x00000000062F2000-memory.dmp
memory/764-7-0x00000000066D0000-0x000000000670E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3804-13-0x00000000732A0000-0x000000007398E000-memory.dmp
memory/3804-14-0x00000000732A0000-0x000000007398E000-memory.dmp
memory/764-16-0x00000000732A0000-0x000000007398E000-memory.dmp
memory/3804-18-0x0000000006B60000-0x0000000006B6A000-memory.dmp
memory/3804-19-0x00000000732A0000-0x000000007398E000-memory.dmp
memory/3804-20-0x00000000732A0000-0x000000007398E000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
253s
Max time network
288s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (2) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 232.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4116-0-0x00000000731EE000-0x00000000731EF000-memory.dmp
memory/4116-1-0x0000000000010000-0x000000000007C000-memory.dmp
memory/4116-2-0x0000000004E20000-0x000000000531E000-memory.dmp
memory/4116-3-0x00000000049C0000-0x0000000004A52000-memory.dmp
memory/4116-4-0x00000000731E0000-0x00000000738CE000-memory.dmp
memory/4116-5-0x0000000004920000-0x0000000004986000-memory.dmp
memory/4116-6-0x0000000005560000-0x0000000005572000-memory.dmp
memory/4116-7-0x0000000005950000-0x000000000598E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4784-13-0x00000000731E0000-0x00000000738CE000-memory.dmp
memory/4784-14-0x00000000731E0000-0x00000000738CE000-memory.dmp
memory/4116-16-0x00000000731E0000-0x00000000738CE000-memory.dmp
memory/4784-18-0x0000000006EB0000-0x0000000006EBA000-memory.dmp
memory/4784-19-0x00000000731E0000-0x00000000738CE000-memory.dmp
memory/4784-20-0x00000000731E0000-0x00000000738CE000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
233s
Max time network
293s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.116.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/908-0-0x0000000073B1E000-0x0000000073B1F000-memory.dmp
memory/908-1-0x00000000004B0000-0x000000000051C000-memory.dmp
memory/908-2-0x00000000051D0000-0x00000000056CE000-memory.dmp
memory/908-3-0x0000000004DB0000-0x0000000004E42000-memory.dmp
memory/908-4-0x0000000073B10000-0x00000000741FE000-memory.dmp
memory/908-5-0x0000000004E50000-0x0000000004EB6000-memory.dmp
memory/908-6-0x0000000005B30000-0x0000000005B42000-memory.dmp
memory/908-7-0x0000000005F20000-0x0000000005F5E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4980-13-0x0000000073B10000-0x00000000741FE000-memory.dmp
memory/4980-14-0x0000000073B10000-0x00000000741FE000-memory.dmp
memory/908-16-0x0000000073B10000-0x00000000741FE000-memory.dmp
memory/4980-18-0x00000000068B0000-0x00000000068BA000-memory.dmp
memory/4980-19-0x0000000073B10000-0x00000000741FE000-memory.dmp
memory/4980-20-0x0000000073B10000-0x00000000741FE000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
242s
Max time network
298s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (18) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4904-0-0x00000000732BE000-0x00000000732BF000-memory.dmp
memory/4904-1-0x0000000000A40000-0x0000000000AAC000-memory.dmp
memory/4904-2-0x0000000005840000-0x0000000005D3E000-memory.dmp
memory/4904-3-0x00000000053E0000-0x0000000005472000-memory.dmp
memory/4904-4-0x00000000732B0000-0x000000007399E000-memory.dmp
memory/4904-5-0x0000000005340000-0x00000000053A6000-memory.dmp
memory/4904-6-0x0000000005F80000-0x0000000005F92000-memory.dmp
memory/4904-7-0x0000000006370000-0x00000000063AE000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3876-13-0x00000000732B0000-0x000000007399E000-memory.dmp
memory/3876-14-0x00000000732B0000-0x000000007399E000-memory.dmp
memory/4904-16-0x00000000732B0000-0x000000007399E000-memory.dmp
memory/3876-18-0x00000000060E0000-0x00000000060EA000-memory.dmp
memory/3876-19-0x00000000732B0000-0x000000007399E000-memory.dmp
memory/3876-20-0x00000000732B0000-0x000000007399E000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
234s
Max time network
304s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (13) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (13) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/3308-0-0x000000007368E000-0x000000007368F000-memory.dmp
memory/3308-1-0x0000000000D00000-0x0000000000D6C000-memory.dmp
memory/3308-2-0x0000000005B00000-0x0000000005FFE000-memory.dmp
memory/3308-3-0x00000000056A0000-0x0000000005732000-memory.dmp
memory/3308-4-0x0000000073680000-0x0000000073D6E000-memory.dmp
memory/3308-5-0x0000000005740000-0x00000000057A6000-memory.dmp
memory/3308-6-0x0000000006240000-0x0000000006252000-memory.dmp
memory/3308-7-0x0000000006630000-0x000000000666E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3344-13-0x0000000073680000-0x0000000073D6E000-memory.dmp
memory/3344-14-0x0000000073680000-0x0000000073D6E000-memory.dmp
memory/3308-16-0x0000000073680000-0x0000000073D6E000-memory.dmp
memory/3344-18-0x0000000006A90000-0x0000000006A9A000-memory.dmp
memory/3344-19-0x0000000073680000-0x0000000073D6E000-memory.dmp
memory/3344-20-0x0000000073680000-0x0000000073D6E000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
234s
Max time network
299s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4868-0-0x0000000073EBE000-0x0000000073EBF000-memory.dmp
memory/4868-1-0x0000000000D30000-0x0000000000D9C000-memory.dmp
memory/4868-2-0x0000000005AF0000-0x0000000005FEE000-memory.dmp
memory/4868-3-0x00000000056E0000-0x0000000005772000-memory.dmp
memory/4868-4-0x0000000073EB0000-0x000000007459E000-memory.dmp
memory/4868-5-0x0000000005660000-0x00000000056C6000-memory.dmp
memory/4868-6-0x0000000006270000-0x0000000006282000-memory.dmp
memory/4868-7-0x0000000006660000-0x000000000669E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1296-13-0x0000000073EB0000-0x000000007459E000-memory.dmp
memory/1296-14-0x0000000073EB0000-0x000000007459E000-memory.dmp
memory/4868-16-0x0000000073EB0000-0x000000007459E000-memory.dmp
memory/1296-18-0x0000000006D50000-0x0000000006D5A000-memory.dmp
memory/1296-19-0x0000000073EB0000-0x000000007459E000-memory.dmp
memory/1296-20-0x0000000073EB0000-0x000000007459E000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
253s
Max time network
298s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (14) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (14) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 232.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 152.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/312-0-0x000000007402E000-0x000000007402F000-memory.dmp
memory/312-1-0x0000000000F30000-0x0000000000F9C000-memory.dmp
memory/312-2-0x0000000005D10000-0x000000000620E000-memory.dmp
memory/312-3-0x0000000005810000-0x00000000058A2000-memory.dmp
memory/312-4-0x0000000074020000-0x000000007470E000-memory.dmp
memory/312-5-0x00000000059C0000-0x0000000005A26000-memory.dmp
memory/312-6-0x0000000006570000-0x0000000006582000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/404-12-0x0000000074020000-0x000000007470E000-memory.dmp
memory/404-13-0x0000000074020000-0x000000007470E000-memory.dmp
memory/312-15-0x0000000074020000-0x000000007470E000-memory.dmp
memory/404-16-0x00000000063A0000-0x00000000063DE000-memory.dmp
memory/404-18-0x0000000006870000-0x000000000687A000-memory.dmp
memory/404-19-0x0000000074020000-0x000000007470E000-memory.dmp
memory/404-20-0x0000000074020000-0x000000007470E000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
234s
Max time network
293s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (16) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4364-0-0x000000007411E000-0x000000007411F000-memory.dmp
memory/4364-1-0x0000000000D70000-0x0000000000DDC000-memory.dmp
memory/4364-2-0x0000000005A60000-0x0000000005F5E000-memory.dmp
memory/4364-3-0x00000000056F0000-0x0000000005782000-memory.dmp
memory/4364-4-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/4364-5-0x0000000005640000-0x00000000056A6000-memory.dmp
memory/4364-6-0x00000000062C0000-0x00000000062D2000-memory.dmp
memory/4364-7-0x00000000066B0000-0x00000000066EE000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4612-13-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/4612-14-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/4364-16-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/4612-18-0x0000000006240000-0x000000000624A000-memory.dmp
memory/4612-19-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/4612-20-0x0000000074110000-0x00000000747FE000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:37
Platform
win10-20240404-en
Max time kernel
259s
Max time network
302s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (2) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (2) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 232.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/5044-0-0x0000000073EFE000-0x0000000073EFF000-memory.dmp
memory/5044-1-0x0000000000030000-0x000000000009C000-memory.dmp
memory/5044-2-0x0000000004D90000-0x000000000528E000-memory.dmp
memory/5044-3-0x0000000004950000-0x00000000049E2000-memory.dmp
memory/5044-4-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/5044-5-0x00000000049F0000-0x0000000004A56000-memory.dmp
memory/5044-6-0x0000000004D60000-0x0000000004D72000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3604-12-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/3604-13-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/5044-15-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/3604-17-0x0000000006BF0000-0x0000000006BFA000-memory.dmp
memory/3604-18-0x00000000064D0000-0x000000000650E000-memory.dmp
memory/3604-19-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/3604-20-0x0000000073EF0000-0x00000000745DE000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
233s
Max time network
305s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4692-0-0x00000000732DE000-0x00000000732DF000-memory.dmp
memory/4692-1-0x0000000000EF0000-0x0000000000F5C000-memory.dmp
memory/4692-2-0x0000000005DA0000-0x000000000629E000-memory.dmp
memory/4692-3-0x00000000057C0000-0x0000000005852000-memory.dmp
memory/4692-4-0x00000000732D0000-0x00000000739BE000-memory.dmp
memory/4692-5-0x00000000058A0000-0x0000000005906000-memory.dmp
memory/4692-6-0x0000000005A10000-0x0000000005A22000-memory.dmp
memory/4692-7-0x0000000006830000-0x000000000686E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4408-13-0x00000000732D0000-0x00000000739BE000-memory.dmp
memory/4408-14-0x00000000732D0000-0x00000000739BE000-memory.dmp
memory/4692-16-0x00000000732D0000-0x00000000739BE000-memory.dmp
memory/4408-18-0x0000000006E20000-0x0000000006E2A000-memory.dmp
memory/4408-19-0x00000000732D0000-0x00000000739BE000-memory.dmp
memory/4408-20-0x00000000732D0000-0x00000000739BE000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
234s
Max time network
289s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (19) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/5052-0-0x0000000073C2E000-0x0000000073C2F000-memory.dmp
memory/5052-1-0x0000000000B00000-0x0000000000B6C000-memory.dmp
memory/5052-2-0x0000000005920000-0x0000000005E1E000-memory.dmp
memory/5052-3-0x0000000005420000-0x00000000054B2000-memory.dmp
memory/5052-4-0x0000000073C20000-0x000000007430E000-memory.dmp
memory/5052-5-0x00000000054C0000-0x0000000005526000-memory.dmp
memory/5052-6-0x0000000006040000-0x0000000006052000-memory.dmp
memory/5052-7-0x0000000006430000-0x000000000646E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4596-13-0x0000000073C20000-0x000000007430E000-memory.dmp
memory/4596-14-0x0000000073C20000-0x000000007430E000-memory.dmp
memory/5052-16-0x0000000073C20000-0x000000007430E000-memory.dmp
memory/4596-18-0x0000000007150000-0x000000000715A000-memory.dmp
memory/4596-19-0x0000000073C20000-0x000000007430E000-memory.dmp
memory/4596-20-0x0000000073C20000-0x000000007430E000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
245s
Max time network
301s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 196.165.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4932-0-0x0000000073A6E000-0x0000000073A6F000-memory.dmp
memory/4932-1-0x00000000009C0000-0x0000000000A2C000-memory.dmp
memory/4932-2-0x0000000005840000-0x0000000005D3E000-memory.dmp
memory/4932-3-0x0000000005340000-0x00000000053D2000-memory.dmp
memory/4932-4-0x0000000073A60000-0x000000007414E000-memory.dmp
memory/4932-5-0x0000000005280000-0x00000000052E6000-memory.dmp
memory/4932-6-0x0000000005800000-0x0000000005812000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1032-12-0x0000000073A60000-0x000000007414E000-memory.dmp
memory/1032-13-0x0000000073A60000-0x000000007414E000-memory.dmp
memory/4932-15-0x0000000073A60000-0x000000007414E000-memory.dmp
memory/1032-16-0x00000000066D0000-0x000000000670E000-memory.dmp
memory/1032-18-0x0000000006C90000-0x0000000006C9A000-memory.dmp
memory/1032-19-0x0000000073A60000-0x000000007414E000-memory.dmp
memory/1032-20-0x0000000073A60000-0x000000007414E000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
234s
Max time network
288s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (17) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/3108-0-0x0000000073B7E000-0x0000000073B7F000-memory.dmp
memory/3108-1-0x0000000000A30000-0x0000000000A9C000-memory.dmp
memory/3108-2-0x0000000005750000-0x0000000005C4E000-memory.dmp
memory/3108-3-0x0000000005330000-0x00000000053C2000-memory.dmp
memory/3108-4-0x0000000073B70000-0x000000007425E000-memory.dmp
memory/3108-5-0x00000000053E0000-0x0000000005446000-memory.dmp
memory/3108-6-0x0000000005F70000-0x0000000005F82000-memory.dmp
memory/3108-7-0x0000000006360000-0x000000000639E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4480-13-0x0000000073B70000-0x000000007425E000-memory.dmp
memory/4480-14-0x0000000073B70000-0x000000007425E000-memory.dmp
memory/3108-16-0x0000000073B70000-0x000000007425E000-memory.dmp
memory/4480-18-0x0000000006970000-0x000000000697A000-memory.dmp
memory/4480-19-0x0000000073B70000-0x000000007425E000-memory.dmp
memory/4480-20-0x0000000073B70000-0x000000007425E000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
235s
Max time network
301s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (16) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4164-0-0x000000007404E000-0x000000007404F000-memory.dmp
memory/4164-1-0x0000000000E30000-0x0000000000E9C000-memory.dmp
memory/4164-2-0x0000000005CD0000-0x00000000061CE000-memory.dmp
memory/4164-3-0x00000000057D0000-0x0000000005862000-memory.dmp
memory/4164-4-0x0000000074040000-0x000000007472E000-memory.dmp
memory/4164-5-0x0000000005700000-0x0000000005766000-memory.dmp
memory/4164-6-0x0000000005CA0000-0x0000000005CB2000-memory.dmp
memory/4164-7-0x00000000068A0000-0x00000000068DE000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3656-13-0x0000000074040000-0x000000007472E000-memory.dmp
memory/3656-14-0x0000000074040000-0x000000007472E000-memory.dmp
memory/4164-16-0x0000000074040000-0x000000007472E000-memory.dmp
memory/3656-18-0x00000000069A0000-0x00000000069AA000-memory.dmp
memory/3656-19-0x0000000074040000-0x000000007472E000-memory.dmp
memory/3656-20-0x0000000074040000-0x000000007472E000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
252s
Max time network
300s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (12) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (12) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.189.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/212-0-0x00000000734BE000-0x00000000734BF000-memory.dmp
memory/212-1-0x0000000000810000-0x000000000087C000-memory.dmp
memory/212-2-0x0000000005710000-0x0000000005C0E000-memory.dmp
memory/212-3-0x0000000005100000-0x0000000005192000-memory.dmp
memory/212-4-0x00000000734B0000-0x0000000073B9E000-memory.dmp
memory/212-5-0x0000000005310000-0x0000000005376000-memory.dmp
memory/212-6-0x0000000005E70000-0x0000000005E82000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4364-12-0x00000000734B0000-0x0000000073B9E000-memory.dmp
memory/4364-13-0x00000000734B0000-0x0000000073B9E000-memory.dmp
memory/212-15-0x00000000734B0000-0x0000000073B9E000-memory.dmp
memory/4364-16-0x0000000006070000-0x00000000060AE000-memory.dmp
memory/4364-18-0x0000000006510000-0x000000000651A000-memory.dmp
memory/4364-19-0x00000000734B0000-0x0000000073B9E000-memory.dmp
memory/4364-20-0x00000000734B0000-0x0000000073B9E000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
238s
Max time network
293s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (15) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/1516-0-0x000000007339E000-0x000000007339F000-memory.dmp
memory/1516-1-0x0000000000E90000-0x0000000000EFC000-memory.dmp
memory/1516-2-0x0000000005D00000-0x00000000061FE000-memory.dmp
memory/1516-3-0x0000000005800000-0x0000000005892000-memory.dmp
memory/1516-4-0x0000000073390000-0x0000000073A7E000-memory.dmp
memory/1516-5-0x0000000005750000-0x00000000057B6000-memory.dmp
memory/1516-6-0x0000000005CE0000-0x0000000005CF2000-memory.dmp
memory/1516-7-0x00000000067D0000-0x000000000680E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4692-13-0x0000000073390000-0x0000000073A7E000-memory.dmp
memory/4692-14-0x0000000073390000-0x0000000073A7E000-memory.dmp
memory/1516-16-0x0000000073390000-0x0000000073A7E000-memory.dmp
memory/4692-18-0x00000000060F0000-0x00000000060FA000-memory.dmp
memory/4692-19-0x0000000073390000-0x0000000073A7E000-memory.dmp
memory/4692-20-0x0000000073390000-0x0000000073A7E000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
285s
Max time network
301s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (15) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (15) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/860-0-0x00000000737BE000-0x00000000737BF000-memory.dmp
memory/860-1-0x0000000000090000-0x00000000000FC000-memory.dmp
memory/860-2-0x0000000004E10000-0x000000000530E000-memory.dmp
memory/860-3-0x0000000004A00000-0x0000000004A92000-memory.dmp
memory/860-4-0x00000000737B0000-0x0000000073E9E000-memory.dmp
memory/860-5-0x0000000004980000-0x00000000049E6000-memory.dmp
memory/860-6-0x0000000004DC0000-0x0000000004DD2000-memory.dmp
memory/860-7-0x00000000059C0000-0x00000000059FE000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1932-13-0x00000000737B0000-0x0000000073E9E000-memory.dmp
memory/1932-14-0x00000000737B0000-0x0000000073E9E000-memory.dmp
memory/860-16-0x00000000737B0000-0x0000000073E9E000-memory.dmp
memory/1932-18-0x0000000006160000-0x000000000616A000-memory.dmp
memory/1932-19-0x00000000737B0000-0x0000000073E9E000-memory.dmp
memory/1932-20-0x00000000737B0000-0x0000000073E9E000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
234s
Max time network
290s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (16) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (16) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4788-0-0x00000000740DE000-0x00000000740DF000-memory.dmp
memory/4788-1-0x0000000000DA0000-0x0000000000E0C000-memory.dmp
memory/4788-2-0x0000000005AA0000-0x0000000005F9E000-memory.dmp
memory/4788-3-0x0000000005690000-0x0000000005722000-memory.dmp
memory/4788-4-0x00000000740D0000-0x00000000747BE000-memory.dmp
memory/4788-5-0x0000000005730000-0x0000000005796000-memory.dmp
memory/4788-6-0x0000000006310000-0x0000000006322000-memory.dmp
memory/4788-7-0x0000000006700000-0x000000000673E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4108-13-0x00000000740D0000-0x00000000747BE000-memory.dmp
memory/4108-14-0x00000000740D0000-0x00000000747BE000-memory.dmp
memory/4788-16-0x00000000740D0000-0x00000000747BE000-memory.dmp
memory/4108-18-0x00000000062E0000-0x00000000062EA000-memory.dmp
memory/4108-19-0x00000000740D0000-0x00000000747BE000-memory.dmp
memory/4108-20-0x00000000740D0000-0x00000000747BE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
234s
Max time network
293s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (10) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (10) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/516-0-0x000000007382E000-0x000000007382F000-memory.dmp
memory/516-1-0x00000000002C0000-0x000000000032C000-memory.dmp
memory/516-2-0x0000000005240000-0x000000000573E000-memory.dmp
memory/516-3-0x0000000004C90000-0x0000000004D22000-memory.dmp
memory/516-4-0x0000000073820000-0x0000000073F0E000-memory.dmp
memory/516-5-0x0000000004BF0000-0x0000000004C56000-memory.dmp
memory/516-6-0x0000000005200000-0x0000000005212000-memory.dmp
memory/516-7-0x0000000005BF0000-0x0000000005C2E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/4888-13-0x0000000073820000-0x0000000073F0E000-memory.dmp
memory/4888-14-0x0000000073820000-0x0000000073F0E000-memory.dmp
memory/4888-16-0x0000000006C60000-0x0000000006C6A000-memory.dmp
memory/516-18-0x0000000073820000-0x0000000073F0E000-memory.dmp
memory/4888-19-0x0000000073820000-0x0000000073F0E000-memory.dmp
memory/4888-20-0x0000000073820000-0x0000000073F0E000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
257s
Max time network
299s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (17) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (17) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 104.21.81.232:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 232.81.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4260-0-0x0000000073A4E000-0x0000000073A4F000-memory.dmp
memory/4260-1-0x0000000000D60000-0x0000000000DCC000-memory.dmp
memory/4260-2-0x0000000005B30000-0x000000000602E000-memory.dmp
memory/4260-3-0x0000000005700000-0x0000000005792000-memory.dmp
memory/4260-4-0x0000000073A40000-0x000000007412E000-memory.dmp
memory/4260-5-0x0000000005630000-0x0000000005696000-memory.dmp
memory/4260-6-0x0000000006390000-0x00000000063A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/512-12-0x0000000073A40000-0x000000007412E000-memory.dmp
memory/512-13-0x0000000073A40000-0x000000007412E000-memory.dmp
memory/4260-15-0x0000000073A40000-0x000000007412E000-memory.dmp
memory/512-16-0x0000000005C70000-0x0000000005CAE000-memory.dmp
memory/512-18-0x0000000006280000-0x000000000628A000-memory.dmp
memory/512-19-0x0000000073A40000-0x000000007412E000-memory.dmp
memory/512-20-0x0000000073A40000-0x000000007412E000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
234s
Max time network
303s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (18) - Copy - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (18) - Copy - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.189.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/2640-0-0x0000000073B4E000-0x0000000073B4F000-memory.dmp
memory/2640-1-0x0000000000530000-0x000000000059C000-memory.dmp
memory/2640-2-0x0000000005360000-0x000000000585E000-memory.dmp
memory/2640-3-0x0000000004F00000-0x0000000004F92000-memory.dmp
memory/2640-4-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/2640-5-0x0000000004FA0000-0x0000000005006000-memory.dmp
memory/2640-6-0x0000000005A80000-0x0000000005A92000-memory.dmp
memory/2640-7-0x0000000005E70000-0x0000000005EAE000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/748-13-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/748-14-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/2640-16-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/748-18-0x0000000006500000-0x000000000650A000-memory.dmp
memory/748-19-0x0000000073B40000-0x000000007422E000-memory.dmp
memory/748-20-0x0000000073B40000-0x000000007422E000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
234s
Max time network
302s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (19) - Copy - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (19) - Copy - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4764-0-0x000000007362E000-0x000000007362F000-memory.dmp
memory/4764-1-0x0000000000440000-0x00000000004AC000-memory.dmp
memory/4764-2-0x0000000005370000-0x000000000586E000-memory.dmp
memory/4764-3-0x0000000004D90000-0x0000000004E22000-memory.dmp
memory/4764-4-0x0000000073620000-0x0000000073D0E000-memory.dmp
memory/4764-5-0x0000000004E70000-0x0000000004ED6000-memory.dmp
memory/4764-6-0x0000000005970000-0x0000000005982000-memory.dmp
memory/4764-7-0x0000000005D60000-0x0000000005D9E000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/1140-13-0x0000000073620000-0x0000000073D0E000-memory.dmp
memory/1140-14-0x0000000073620000-0x0000000073D0E000-memory.dmp
memory/4764-16-0x0000000073620000-0x0000000073D0E000-memory.dmp
memory/1140-18-0x0000000006370000-0x000000000637A000-memory.dmp
memory/1140-19-0x0000000073620000-0x0000000073D0E000-memory.dmp
memory/1140-20-0x0000000073620000-0x0000000073D0E000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-10 15:30
Reported
2024-06-10 15:36
Platform
win10-20240404-en
Max time kernel
254s
Max time network
295s
Command Line
Signatures
Quasar RAT
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni - Copy (11) - Copy.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\uni\Uni - Copy (11) - Copy.exe'" /sc onlogon /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.net | udp |
| US | 172.67.165.196:80 | freegeoip.net | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 196.165.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | panel-slave.gl.at.ply.gg | udp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 52.111.227.14:443 | tcp | |
| US | 8.8.8.8:53 | 40.173.79.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 147.185.221.19:27892 | panel-slave.gl.at.ply.gg | tcp |
| US | 147.185.221.19:57059 | panel-slave.gl.at.ply.gg | tcp |
Files
memory/4336-0-0x000000007328E000-0x000000007328F000-memory.dmp
memory/4336-1-0x0000000000E90000-0x0000000000EFC000-memory.dmp
memory/4336-2-0x0000000005B90000-0x000000000608E000-memory.dmp
memory/4336-3-0x00000000057E0000-0x0000000005872000-memory.dmp
memory/4336-4-0x0000000073280000-0x000000007396E000-memory.dmp
memory/4336-5-0x0000000005760000-0x00000000057C6000-memory.dmp
memory/4336-6-0x00000000063C0000-0x00000000063D2000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b70fdac25a99501e3cae11f1b775249e |
| SHA1 | 3c59226479bfdcd1b2927bcfb1a7516d4cb8dd71 |
| SHA256 | 51ff3eb450a786c1aaa75ff889f2fd256412a7b75d04277fdf9fcccc20e57246 |
| SHA512 | 43f0d5d6e5f0d5febba537c109ffdbc250bbb6e9725e635a43ec975b0353048eaeee50b6e9274cd5e072ea6b0cea32439bd37408b2528832f467f2075f74ca44 |
memory/3852-12-0x0000000073280000-0x000000007396E000-memory.dmp
memory/3852-13-0x0000000073280000-0x000000007396E000-memory.dmp
memory/4336-15-0x0000000073280000-0x000000007396E000-memory.dmp
memory/3852-16-0x0000000005D60000-0x0000000005D9E000-memory.dmp
memory/3852-18-0x0000000006440000-0x000000000644A000-memory.dmp
memory/3852-19-0x0000000073280000-0x000000007396E000-memory.dmp
memory/3852-20-0x0000000073280000-0x000000007396E000-memory.dmp