Analysis Overview
SHA256
3dfe010c8df45dbddb6707085c2d3c686288312bae8015a3a639a505cd6d7ba6
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
Quasar payload
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-29 19:08
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 19:08
Reported
2024-06-29 19:11
Platform
win11-20240611-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | 8.tcp.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4604 wrote to memory of 880 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe |
| PID 880 wrote to memory of 3700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 880 wrote to memory of 3848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\Client-built.exe | "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ORoukgUd9aj4.bat" " |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.tcp.ngrok.io | udp |
| US | 13.58.157.220:13597 | 8.tcp.ngrok.io | tcp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ORoukgUd9aj4.bat
| Hash | Value |
|---|---|
| MD5 | 5e37f1653168f5691d4ec309ca5eafb3 |
| SHA1 | 3d923f63c3f2154143a77cc9395fe9ca0e400632 |
| SHA256 | 8a546d9af6411de48b28e75bed475a064436ccd0e53875ca29b70d6e780fd5b2 |
| SHA512 | 9444c826e251c36199bb22f347c287f37bd9904f42ad0c7d6e5dedc590c4438229fd24f8960088049d9c7daa6e66a91a3b47ac93d2167ca1ab625efade316f1c |