Analysis Overview
SHA256
cf12af32289d5d1913e941419e809fb0d8bb24ba17adc1b6e108075acce35d1f
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-29 16:29
Signatures
Quasar family
Quasar payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 16:29
Reported
2024-06-29 16:32
Platform
win11-20240508-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Quasar RAT
Quasar payload
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | 4.tcp.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\Client-built.exe | "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\evZrUt2cYisq.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Local\Temp\Client-built.exe | "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q8PEfSuQf1V1.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Local\Temp\Client-built.exe | "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oK5dt5jgicqR.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Local\Temp\Client-built.exe | "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\G3knl0HyWMkD.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Local\Temp\Client-built.exe | "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dVUSwYo0qsFJ.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Local\Temp\Client-built.exe | "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aM4jSNgvDE7V.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Users\Admin\AppData\Local\Temp\Client-built.exe | "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BLjiTePsDDst.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 4.tcp.ngrok.io | udp |
| IE | 52.111.236.22:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\evZrUt2cYisq.bat
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log
C:\Users\Admin\AppData\Local\Temp\Q8PEfSuQf1V1.bat
C:\Users\Admin\AppData\Local\Temp\oK5dt5jgicqR.bat
C:\Users\Admin\AppData\Local\Temp\G3knl0HyWMkD.bat
C:\Users\Admin\AppData\Local\Temp\dVUSwYo0qsFJ.bat
C:\Users\Admin\AppData\Local\Temp\aM4jSNgvDE7V.bat
C:\Users\Admin\AppData\Local\Temp\BLjiTePsDDst.bat