Analysis Overview
SHA256
dd0613d4b34cf59b2ea9a3a0a9f4ce1c02dd0601c0240f61e2b980e16c42667a
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-29 11:25
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 11:25
Reported
2024-06-29 11:27
Platform
win11-20240611-en
Max time kernel
116s
Max time network
117s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | 8.tcp.ngrok.io | N/A | N/A |
| N/A | 8.tcp.ngrok.io | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.tcp.ngrok.io | udp |
| US | 13.58.157.220:15015 | 8.tcp.ngrok.io | tcp |
| US | 8.8.8.8:53 | 220.157.58.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 3.142.81.166:15015 | 8.tcp.ngrok.io | tcp |
| US | 3.142.81.166:15015 | 8.tcp.ngrok.io | tcp |
| US | 3.142.81.166:15015 | 8.tcp.ngrok.io | tcp |
Files
memory/1436-0-0x00007FFF3C063000-0x00007FFF3C065000-memory.dmp
memory/1436-1-0x0000000000010000-0x0000000000334000-memory.dmp
memory/1436-2-0x00007FFF3C060000-0x00007FFF3CB22000-memory.dmp
memory/1436-3-0x000000001B040000-0x000000001B090000-memory.dmp
memory/1436-4-0x000000001B5B0000-0x000000001B662000-memory.dmp
memory/1436-7-0x000000001B4F0000-0x000000001B502000-memory.dmp
memory/1436-8-0x000000001B550000-0x000000001B58C000-memory.dmp
memory/1436-9-0x000000001CBF0000-0x000000001D118000-memory.dmp
memory/1436-11-0x00007FFF3C063000-0x00007FFF3C065000-memory.dmp
memory/1436-12-0x00007FFF3C060000-0x00007FFF3CB22000-memory.dmp