Analysis Overview
SHA256
e1c751098a77a18b6bbf1692252be42b124b3b1f477b098dd95fff76499f5106
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Quasar family
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-29 15:56
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 15:56
Reported
2024-06-29 15:59
Platform
win11-20240508-en
Max time kernel
143s
Max time network
92s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE (15 identical hits, one per detonation of the dropped .bat) | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IzxQLjMDOBwY.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KByFKD8Pg248.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EsWUzRCdqM9u.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQfLUXo3u9CZ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H08XBNZ3kCAR.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5pZfkmEeSwOX.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9eZ6xR30zuEj.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1rBi3MZde2pT.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8vDnK4x6C2ju.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\426T8KN1ZIko.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWRcIlvwRzHq.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EhtcON4PxOVd.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmjvErjbJTvT.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FLCiiJFqVK6L.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMw8fRBvmS00.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
Files