Malware Analysis Report

2024-10-23 19:04

Sample ID 240629-rtdkgszapb
Target Client-built - Copie.exe
SHA256 38333105568fce734bdd879230abda47774869fa84ab37d956287d9ba197314c
Tags
testip quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

38333105568fce734bdd879230abda47774869fa84ab37d956287d9ba197314c

Threat Level: Known bad

The file Client-built - Copie.exe was found to be: Known bad.

Malicious Activity Summary

testip quasar spyware trojan

Quasar family

Quasar payload

Quasar RAT

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-29 14:28

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 14:28

Reported

2024-06-29 14:31

Platform

win11-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built - Copie.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 6.tcp.ngrok.io N/A N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built - Copie.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built - Copie.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built - Copie.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built - Copie.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 6.tcp.ngrok.io udp
US 3.140.223.7:19468 6.tcp.ngrok.io tcp
US 3.141.142.211:19468 6.tcp.ngrok.io tcp

Files

memory/224-0-0x00007FFF7D5D3000-0x00007FFF7D5D5000-memory.dmp

memory/224-1-0x0000000000590000-0x00000000008B4000-memory.dmp

memory/224-2-0x00007FFF7D5D0000-0x00007FFF7E092000-memory.dmp

memory/224-3-0x0000000002AA0000-0x0000000002AF0000-memory.dmp

memory/224-4-0x000000001BED0000-0x000000001BF82000-memory.dmp

memory/224-5-0x000000001C5C0000-0x000000001CAE8000-memory.dmp

memory/224-7-0x00007FFF7D5D3000-0x00007FFF7D5D5000-memory.dmp

memory/224-8-0x00007FFF7D5D0000-0x00007FFF7E092000-memory.dmp