Analysis Overview
SHA256
06cd6bdc86d2c7c4e3f4368d5f98a3f46236f19e76c0aaf9b26f8b868133a7fd
Threat Level: Known bad
The file test - Copie.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Analysis: static1
Detonation Overview
Reported
2024-06-29 14:11
Signatures
Quasar family
Quasar payload
Unsigned PE
(no indicator, process or target details are recorded for the static signatures)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 14:11
Reported
2024-06-29 14:13
Platform
win11-20240611-en
Max time kernel
149s
Max time network
150s
Signatures
Quasar RAT
Quasar payload
(no indicator, process or target details are recorded for the family signatures)
Legitimate hosting services abused for malware hosting/C2
| Indicator |
| 0.tcp.ngrok.io (matched twice) |
An ngrok TCP tunnel exposes a listener behind NAT on an ngrok-owned hostname and port, so the C2 traffic terminates at ngrok's infrastructure rather than at an address the operator owns; the hostname and tunnel port are the indicators worth keeping, not the edge IP.
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeDebugPrivilege | C:\Users\Admin\AppData\Local\Temp\test - Copie.exe |
The sample enables SeDebugPrivilege in its own token, which lets it open handles to processes it does not own (needed for a RAT's process listing, termination and memory access). Ordinary user software rarely requests this privilege.
Suspicious use of SetWindowsHookEx
| Process |
| C:\Users\Admin\AppData\Local\Temp\test - Copie.exe |
SetWindowsHookEx installs a Windows message hook; in a RAT this is most often a keyboard hook used for keylogging. On its own it is a weak signal, since legitimate UI software also installs hooks, so weight it together with the token change and the ngrok C2 rather than in isolation.
Processes
C:\Users\Admin\AppData\Local\Temp\test - Copie.exe
"C:\Users\Admin\AppData\Local\Temp\test - Copie.exe"
Network
| Country | Destination | Domain | Proto | Connections |
| US | 8.8.8.8:53 | 0.tcp.ngrok.io | udp | 1 |
| US | 3.22.30.40:14534 | 0.tcp.ngrok.io | tcp | 1 |
| DE | 195.201.57.90:443 | ipwho.is | tcp | 1 |
| US | 8.8.8.8:53 | 40.30.22.3.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp | 1 |
| US | 3.13.191.225:14534 | 0.tcp.ngrok.io | tcp | 9 |
| US | 3.134.39.220:14534 | 0.tcp.ngrok.io | tcp | 10 |
The C2 is an ngrok TCP tunnel: the sample resolves 0.tcp.ngrok.io and connects to tunnel port 14534 on whichever edge address the name currently resolves to, hitting three different addresses and reconnecting twenty times within the 150 s run. Because the edge addresses rotate, block or alert on the hostname pattern and port rather than on the IPs. The HTTPS request to ipwho.is is a public IP-geolocation lookup, consistent with a RAT collecting the victim's public IP and country for its check-in. The two PTR queries are reverse lookups for 3.22.30.40 (the first tunnel endpoint) and for 2.23.210.83, which does not appear as a destination anywhere in the capture.
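The following Python script is an added example, not part of the Triage report or of the Quasar project. It reproduces the triage a practitioner would do on the Network table above: collapse the per-connection rows into one finding per host, port and protocol with a connection count, tag the ngrok tunnel traffic and the geolocation lookup, and cross-check the PTR queries against the destinations actually contacted. The rows are copied from the report; the ngrok hostname pattern (including regional variants) and the list of geolocation services are assumptions made for this example.

```python
"""Triage helper for a sandbox network table.

Added example (not part of the Triage report or the Quasar project): it collapses
per-connection rows into host/port/count tuples, tags ngrok tunnel traffic and
IP-geolocation lookups, and cross-checks PTR queries against observed destinations.
"""
import re
from collections import Counter

# Rows copied from the report's Network table: (country, destination, domain, proto).
NETWORK_ROWS = (
    [
        ("US", "8.8.8.8:53", "0.tcp.ngrok.io", "udp"),
        ("US", "3.22.30.40:14534", "0.tcp.ngrok.io", "tcp"),
        ("DE", "195.201.57.90:443", "ipwho.is", "tcp"),
        ("US", "8.8.8.8:53", "40.30.22.3.in-addr.arpa", "udp"),
        ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
    ]
    + [("US", "3.13.191.225:14534", "0.tcp.ngrok.io", "tcp")] * 9
    + [("US", "3.134.39.220:14534", "0.tcp.ngrok.io", "tcp")] * 10
)

# ngrok TCP tunnel endpoints look like N.tcp.ngrok.io. The optional region label
# (e.g. N.tcp.eu.ngrok.io) is an assumption about other ngrok regions, not from the report.
NGROK_TCP = re.compile(r"^\d+\.tcp(\.[a-z]{2,3})?\.ngrok\.io$")
# Public IP-geolocation services a RAT may call on check-in. Assumed list;
# only ipwho.is is taken from the report.
GEOIP_SERVICES = {"ipwho.is", "ip-api.com", "ipinfo.io"}
PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """Turn a reverse-DNS name d.c.b.a.in-addr.arpa back into the IPv4 address a.b.c.d."""
    octets = name[: -len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(octets))


def classify(domain, port, proto):
    """Tag one (domain, port, proto) triple; an empty list means nothing notable."""
    tags = []
    if NGROK_TCP.match(domain):
        # Port 53 rows are the DNS resolution of the tunnel name; anything else is the tunnel.
        tags.append("ngrok-tunnel-dns" if port == 53 else "ngrok-tunnel-c2")
    if domain in GEOIP_SERVICES:
        tags.append("geoip-lookup")
    if domain.endswith(PTR_SUFFIX):
        tags.append("ptr-lookup")
    return tags


def summarize(rows):
    """Collapse duplicate rows into one finding per (domain, host, port, proto) with a count."""
    counts = Counter()
    for _country, dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        counts[(domain, host, int(port), proto)] += 1
    return [
        {"domain": d, "host": h, "port": p, "proto": pr, "count": n, "tags": classify(d, p, pr)}
        for (d, h, p, pr), n in counts.items()
    ]


def c2_endpoints(findings):
    """(host, port, connection count) for every tunnel endpoint the sample connected to."""
    return sorted(
        (f["host"], f["port"], f["count"]) for f in findings if "ngrok-tunnel-c2" in f["tags"]
    )


def unmatched_ptr_targets(findings):
    """Reverse-looked-up addresses that never appear as a TCP destination in the capture."""
    contacted = {f["host"] for f in findings if f["proto"] == "tcp"}
    looked_up = {ptr_to_ip(f["domain"]) for f in findings if "ptr-lookup" in f["tags"]}
    return sorted(looked_up - contacted)


if __name__ == "__main__":
    findings = summarize(NETWORK_ROWS)
    for host, port, n in c2_endpoints(findings):
        print(f"C2 tunnel endpoint {host}:{port} ({n} connections)")
    print("geoip lookups:", [f["domain"] for f in findings if "geoip-lookup" in f["tags"]])
    print("PTR targets never contacted:", unmatched_ptr_targets(findings))
```

Run it directly to get the three tunnel endpoints with their reconnect counts, the ipwho.is lookup, and 2.23.210.83 as the one reverse-looked-up address the sample never connected to. The same functions accept rows from any exported connection log with the same four columns; the point of keying on the hostname pattern rather than the addresses is that the ngrok edge IPs change between runs while the tunnel name and port do not.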
Files
memory/1088-0-0x00007FFFD54F3000-0x00007FFFD54F5000-memory.dmp
memory/1088-1-0x00000000008D0000-0x0000000000BF4000-memory.dmp
memory/1088-2-0x00007FFFD54F0000-0x00007FFFD5FB2000-memory.dmp
memory/1088-3-0x000000001C130000-0x000000001C180000-memory.dmp
memory/1088-4-0x000000001C240000-0x000000001C2F2000-memory.dmp
memory/1088-7-0x000000001C1A0000-0x000000001C1B2000-memory.dmp
memory/1088-8-0x000000001C200000-0x000000001C23C000-memory.dmp
memory/1088-9-0x00007FFFD54F3000-0x00007FFFD54F5000-memory.dmp
memory/1088-10-0x00007FFFD54F0000-0x00007FFFD5FB2000-memory.dmp