Analysis Overview
SHA256
dd37983f893fe6aec0c2721e910896122de0549306fbc60277c3adf8a991bd0c
Threat Level: Known bad
The file BootstrapperV1.11.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Executes dropped EXE
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-01 02:03
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-01 02:03
Reported
2024-08-01 02:06
Platform
win7-20240705-en
Max time kernel
149s
Max time network
136s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Solara" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Solara" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| N/A | 10.2.0.2:4782 | tcp | |
| N/A | 10.2.0.2:4782 | tcp | |
| N/A | 10.2.0.2:4782 | tcp | |
| N/A | 10.2.0.2:4782 | tcp | |
| N/A | 10.2.0.2:4782 | tcp | |
| N/A | 10.2.0.2:4782 | tcp | |
| N/A | 10.2.0.2:4782 | tcp |
Files
memory/2720-0-0x000007FEF5AC3000-0x000007FEF5AC4000-memory.dmp
memory/2720-1-0x00000000013D0000-0x00000000016F4000-memory.dmp
memory/2720-2-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | f9da53f4f072c15dbf78b015a10575a2 |
| SHA1 | 96ea78662e9f44d6b4dcbbdc05bb4026188697ff |
| SHA256 | dd37983f893fe6aec0c2721e910896122de0549306fbc60277c3adf8a991bd0c |
| SHA512 | be39c735e3aa3a361b3ad2fd766182df0fa2dabbb50c3793f8d92d3c5ee1243d0111e2b40f47a2a68ab0a4e107bb50e411281b6d91fb4a17d0dfb8dd761dfa6f |
memory/2720-7-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp
memory/2700-9-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp
memory/2700-8-0x0000000001160000-0x0000000001484000-memory.dmp
memory/2700-10-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp
memory/2700-11-0x000007FEF5AC0000-0x000007FEF64AC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-01 02:03
Reported
2024-08-01 02:06
Platform
win10v2004-20240730-en
Max time kernel
125s
Max time network
144s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2892 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2892 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2892 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 2892 wrote to memory of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 3024 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3024 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.11.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Solara" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Solara" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| N/A | 10.2.0.2:4782 | tcp | |
| N/A | 10.2.0.2:4782 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| N/A | 10.2.0.2:4782 | tcp | |
| N/A | 10.2.0.2:4782 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| N/A | 10.2.0.2:4782 | tcp | |
| N/A | 10.2.0.2:4782 | tcp |
Files
memory/2892-0-0x00007FFB28F93000-0x00007FFB28F95000-memory.dmp
memory/2892-1-0x0000000000A80000-0x0000000000DA4000-memory.dmp
memory/2892-2-0x00007FFB28F90000-0x00007FFB29A51000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | f9da53f4f072c15dbf78b015a10575a2 |
| SHA1 | 96ea78662e9f44d6b4dcbbdc05bb4026188697ff |
| SHA256 | dd37983f893fe6aec0c2721e910896122de0549306fbc60277c3adf8a991bd0c |
| SHA512 | be39c735e3aa3a361b3ad2fd766182df0fa2dabbb50c3793f8d92d3c5ee1243d0111e2b40f47a2a68ab0a4e107bb50e411281b6d91fb4a17d0dfb8dd761dfa6f |
memory/2892-8-0x00007FFB28F90000-0x00007FFB29A51000-memory.dmp
memory/3024-9-0x00007FFB28F90000-0x00007FFB29A51000-memory.dmp
memory/3024-10-0x00007FFB28F90000-0x00007FFB29A51000-memory.dmp
memory/3024-11-0x000000001B7D0000-0x000000001B820000-memory.dmp
memory/3024-12-0x000000001B8E0000-0x000000001B992000-memory.dmp
memory/3024-13-0x00007FFB28F90000-0x00007FFB29A51000-memory.dmp