Analysis Overview
SHA256
38333105568fce734bdd879230abda47774869fa84ab37d956287d9ba197314c
Threat Level: Known bad
The file Client-built - Copie.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-29 14:28
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 14:28
Reported
2024-06-29 14:31
Platform
win11-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 6.tcp.ngrok.io | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built - Copie.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built - Copie.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built - Copie.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built - Copie.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6.tcp.ngrok.io | udp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.140.223.7:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.141.142.211:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.141.142.211:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.141.142.211:19468 | 6.tcp.ngrok.io | tcp |
| US | 3.141.142.211:19468 | 6.tcp.ngrok.io | tcp |
Files
memory/224-0-0x00007FFF7D5D3000-0x00007FFF7D5D5000-memory.dmp
memory/224-1-0x0000000000590000-0x00000000008B4000-memory.dmp
memory/224-2-0x00007FFF7D5D0000-0x00007FFF7E092000-memory.dmp
memory/224-3-0x0000000002AA0000-0x0000000002AF0000-memory.dmp
memory/224-4-0x000000001BED0000-0x000000001BF82000-memory.dmp
memory/224-5-0x000000001C5C0000-0x000000001CAE8000-memory.dmp
memory/224-7-0x00007FFF7D5D3000-0x00007FFF7D5D5000-memory.dmp
memory/224-8-0x00007FFF7D5D0000-0x00007FFF7E092000-memory.dmp