Malware Analysis Report

2024-10-23 19:04

Sample ID: 240629-xtp66stelc
Target: Client-built.exe
SHA256: 3dfe010c8df45dbddb6707085c2d3c686288312bae8015a3a639a505cd6d7ba6
Tags: zzzz quasar spyware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 3dfe010c8df45dbddb6707085c2d3c686288312bae8015a3a639a505cd6d7ba6

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

zzzz quasar spyware trojan

Quasar family

Quasar RAT

Quasar payload

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-29 19:08

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-29 19:08
Reported: 2024-06-29 19:11
Platform: win11-20240611-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 8.tcp.ngrok.io N/A N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description            | Indicator | Process                                               | Target
Token: SeDebugPrivilege | N/A       | C:\Users\Admin\AppData\Local\Temp\Client-built.exe    | N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Suspicious use of WriteProcessMemory

Description                       | Indicator | Process                                            | Target
PID 4604 wrote to memory of 880   | N/A       | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 4604 wrote to memory of 880   | N/A       | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 880 wrote to memory of 3700   | N/A       | C:\Windows\system32\cmd.exe                        | C:\Windows\system32\chcp.com
PID 880 wrote to memory of 3700   | N/A       | C:\Windows\system32\cmd.exe                        | C:\Windows\system32\chcp.com
PID 880 wrote to memory of 3848   | N/A       | C:\Windows\system32\cmd.exe                        | C:\Windows\system32\PING.EXE
PID 880 wrote to memory of 3848   | N/A       | C:\Windows\system32\cmd.exe                        | C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ORoukgUd9aj4.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country | Destination          | Domain                        | Proto
US      | 8.8.8.8:53           | 8.tcp.ngrok.io                | udp
US      | 13.58.157.220:13597  | 8.tcp.ngrok.io                | tcp
DE      | 195.201.57.90:443    | ipwho.is                      | tcp
US      | 8.8.8.8:53           | 80.90.14.23.in-addr.arpa      | udp
US      | 8.8.8.8:53           | 90.57.201.195.in-addr.arpa    | udp
US      | 13.58.157.220:13597  | 8.tcp.ngrok.io                | tcp
US      | 13.58.157.220:13597  | 8.tcp.ngrok.io                | tcp
US      | 13.58.157.220:13597  | 8.tcp.ngrok.io                | tcp
US      | 13.58.157.220:13597  | 8.tcp.ngrok.io                | tcp

Files

C:\Users\Admin\AppData\Local\Temp\ORoukgUd9aj4.bat

MD5: 5e37f1653168f5691d4ec309ca5eafb3
SHA1: 3d923f63c3f2154143a77cc9395fe9ca0e400632
SHA256: 8a546d9af6411de48b28e75bed475a064436ccd0e53875ca29b70d6e780fd5b2
SHA512: 9444c826e251c36199bb22f347c287f37bd9904f42ad0c7d6e5dedc590c4438229fd24f8960088049d9c7daa6e66a91a3b47ac93d2167ca1ab625efade316f1c