Analysis Overview
SHA256
a003924092f4eed3281ccd3f82d95548a809a09436ee07b01b6d738a7c1f809d
Threat Level: Known bad
The file Rat remove.bat was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar family
Quasar payload
Checks computer location settings
Looks up external IP address via web service
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Runs ping.exe
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 22:55
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 22:55
Reported
2024-06-27 22:57
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Rat remove.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\SCHTASKS.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Rat remove.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Rat remove.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Rat remove.exe
"C:\Users\Admin\AppData\Local\Temp\Rat remove.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Defender Anti-Malware Disable Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Rat remove.exe" /rl HIGHEST /f
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "Windows Defender Anti-Malware Disable Startup" /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sQepBmbV26RD.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Rat remove.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Rat remove.exe'" /sc onlogon /rl HIGHEST
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 147.185.221.20:47638 | tcp | |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.173.189.20.in-addr.arpa | udp |
Files
memory/4528-0-0x000000007542E000-0x000000007542F000-memory.dmp
memory/4528-1-0x0000000000A80000-0x0000000000AEC000-memory.dmp
memory/4528-2-0x0000000005A90000-0x0000000006034000-memory.dmp
memory/4528-3-0x0000000005620000-0x00000000056B2000-memory.dmp
memory/4528-4-0x0000000075420000-0x0000000075BD0000-memory.dmp
memory/4528-5-0x0000000005550000-0x00000000055B6000-memory.dmp
memory/4528-6-0x0000000005A60000-0x0000000005A72000-memory.dmp
memory/4528-7-0x0000000006760000-0x000000000679C000-memory.dmp
memory/4528-9-0x0000000006D50000-0x0000000006D5A000-memory.dmp
memory/4528-10-0x000000007542E000-0x000000007542F000-memory.dmp
memory/4528-11-0x0000000075420000-0x0000000075BD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sQepBmbV26RD.bat
| MD5 | 6e458a8aa967ba9244aa970902da1abb |
| SHA1 | e2cf7d52250b9aa4fd48c8cc151c79350c68190e |
| SHA256 | 4c2355377886427fb4bc31cf1ceca35cd5448e83b227fe7daff1c26462db498f |
| SHA512 | 63e61304ac1a90cfd892e10338169afd3bf46f929ad966ef005857e4c9b9772d24e28f7dc2c356dfb473c8d8b3cff2ca3903ffbb5e663755f1be24bf1f4cfe89 |
memory/4528-17-0x0000000075420000-0x0000000075BD0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Logs\06-27-~1
| MD5 | d5152d58131f1aa7b17ec39e7a6757a6 |
| SHA1 | a334ebf7fbcaf30b155cfc83ab024392a43c3ca5 |
| SHA256 | 77bfc9c1d8e32109cae8fcc52d9d44de4c1d50af786558f0b7876417c7ca94be |
| SHA512 | 3fbe74754c2c07584a493d1333d73c0f6db29e7406b35abc19c759a1c68d2e4c0e94f59d5323fd4eda9292d447d2a2a4bed1ebd8288a3becd4087a9c57f9be11 |