Overview

overview

10

Static

static

3

SolaraBoot...er.exe

windows10-2004-x64

10

Resubmissions

07/07/2024, 13:42

240707-qzq74awbkh 10

07/07/2024, 13:41

240707-qy9caatblp 10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/07/2024, 13:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SolaraBootstrapper.exe

  • Size

    4.7MB

  • MD5

    8e188560eca9ec36adb33425dd5ded3a

  • SHA1

    8ff3c27b9d50e0eda7a7df3a94ecd701f4632c4d

  • SHA256

    f7f233269f149d89c2178a456e9d858c366d41b525a7655a5c6633bc27914e1f

  • SHA512

    da2d41f5a960b82dd5281932eedbd2df941df1a5a7a5dbbb7a0621bb483a3366932b5b9d4b7d64ce21eb8e8a492338a48ca9ee57781d38c3427e5a31f5a68ee2

  • SSDEEP

    49152:fdKiv3rs1xLqz9kD7XH3iXQ7JY89kWfKn1KO+zW5GbClxAT8b7ZwQI7y:fUfx+zCniXQ71kWfKn1RBNfg7y

Score
10/10
quasaroffice04spywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

ships-resistance.gl.at.ply.gg:53758

Mutex

90dce01d-0491-44c9-ba30-2abd7f7ec13a

Attributes
  • encryption_key

    FBC87452408857575CDBB63E221DC85973427C45

  • install_name

    svchost.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Program Files\SubDir\svchost.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2216
      • C:\Program Files\SubDir\svchost.exe
        "C:\Program Files\SubDir\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4408
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Program Files\SubDir\svchost.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1796

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    Filesize

    3.1MB

    MD5

    73fe56dddb4bb1f64fef8002b04895da

    SHA1

    c023a3e0e6081b3ca73ed9eaaf86b1ef18c160a2

    SHA256

    399f54cf43d537dd74f697f788006def2ea1ed5c682729b5716d1e277bf610a6

    SHA512

    a9b3fbfbd8ede25f83c5944dbfc318c529a1c480e940b1828faee0e708a6cbd5aacc8b1fbf974c8baede6aa196686b98020295c22e0a4d840670d008b671dc06

    Download Submit

  • memory/1360-60-0x00007FFC72AD3000-0x00007FFC72AD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1360-62-0x0000000000B90000-0x0000000000EB4000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1360-63-0x00007FFC72AD0000-0x00007FFC73591000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1360-70-0x00007FFC72AD0000-0x00007FFC73591000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1752-0-0x0000000000400000-0x00000000008B6000-memory.dmp

    Filesize

    4.7MB

    Download

  • memory/4408-71-0x000000001E980000-0x000000001E9D0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4408-72-0x000000001EA90000-0x000000001EB42000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4408-73-0x000000001E950000-0x000000001E962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4408-74-0x000000001EA10000-0x000000001EA4C000-memory.dmp

    Filesize

    240KB

    Download