Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    31-07-2024 23:05

General

  • Target

    Solara.exe

  • Size

    3.1MB

  • MD5

    18f4ed548b5f7d78671bb4ab4bc3affb

  • SHA1

    62fc7cdc7d84cc52147f7782f5dd28616bee09fd

  • SHA256

    bc1bee5bf891b3cb91c8e74927634250aaa9f2fed3bb3c965e6106f34e5cc54b

  • SHA512

    b5ed744f47b97ec7a0bc224f50035da9e9424a8f1820763ff650e384c0acc251ac28b50f5bc0fa5b787b9795709a37ca082d5dc649cade7990a1ca6fe8e6f153

  • SSDEEP

    49152:qvkt62XlaSFNWPjljiFa2RoUYIAzD7MI2K7oGdfdgTHHB72eh2NT:qv462XlaSFNWPjljiFXRoUYIAzD7N

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

10.2.0.2:4782

Mutex

cc6f57e2-b224-4b7b-bfae-0b1e6f95f22f

Attributes
  • encryption_key

    48E15FD52A3A24CE1F767DA2AD76CB0B862CC879

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 46 IoCs
  • Suspicious use of SendNotifyMessage 46 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3712
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1788

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

    Filesize

    3.1MB

    MD5

    18f4ed548b5f7d78671bb4ab4bc3affb

    SHA1

    62fc7cdc7d84cc52147f7782f5dd28616bee09fd

    SHA256

    bc1bee5bf891b3cb91c8e74927634250aaa9f2fed3bb3c965e6106f34e5cc54b

    SHA512

    b5ed744f47b97ec7a0bc224f50035da9e9424a8f1820763ff650e384c0acc251ac28b50f5bc0fa5b787b9795709a37ca082d5dc649cade7990a1ca6fe8e6f153

  • memory/1008-0-0x00007FFA0B5C3000-0x00007FFA0B5C4000-memory.dmp

    Filesize

    4KB

  • memory/1008-1-0x0000000000470000-0x0000000000794000-memory.dmp

    Filesize

    3.1MB

  • memory/1008-2-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp

    Filesize

    9.9MB

  • memory/1008-8-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp

    Filesize

    9.9MB

  • memory/3712-9-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp

    Filesize

    9.9MB

  • memory/3712-10-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp

    Filesize

    9.9MB

  • memory/3712-11-0x000000001B660000-0x000000001B6B0000-memory.dmp

    Filesize

    320KB

  • memory/3712-12-0x000000001BB40000-0x000000001BBF2000-memory.dmp

    Filesize

    712KB

  • memory/3712-13-0x000000001C330000-0x000000001C856000-memory.dmp

    Filesize

    5.1MB

  • memory/3712-20-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp

    Filesize

    9.9MB

  • memory/3712-21-0x00007FFA0B5C0000-0x00007FFA0BFAC000-memory.dmp

    Filesize

    9.9MB