Analysis Overview
SHA256
2dbd31f6ed2f964d191b7077c2acecc931648cc2f1a2a43f57b0cbb35d1b72c7
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Quasar family
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-01 14:59
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-01 14:59
Reported
2024-08-01 15:02
Platform
win10v2004-20240730-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3132 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe |
| PID 3132 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe |
| PID 2680 wrote to memory of 4392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2680 wrote to memory of 4392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 2680 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
| PID 2680 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1hjgNavw45ZJ.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 76.218.88.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 252.15.104.51.in-addr.arpa | udp |
Files
memory/3132-0-0x00007FFB904E3000-0x00007FFB904E5000-memory.dmp
memory/3132-1-0x0000000000FF0000-0x0000000001314000-memory.dmp
memory/3132-2-0x00007FFB904E0000-0x00007FFB90FA1000-memory.dmp
memory/3132-3-0x000000001CA20000-0x000000001CA70000-memory.dmp
memory/3132-4-0x000000001CB30000-0x000000001CBE2000-memory.dmp
memory/3132-5-0x000000001C9F0000-0x000000001CA02000-memory.dmp
memory/3132-6-0x000000001CAB0000-0x000000001CAEC000-memory.dmp
memory/3132-7-0x00007FFB904E3000-0x00007FFB904E5000-memory.dmp
memory/3132-8-0x00007FFB904E0000-0x00007FFB90FA1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1hjgNavw45ZJ.bat
| Hash | Value |
| --- | --- |
| MD5 | 0eefeb9434c36f223b930bd6b88badbe |
| SHA1 | 7967bbc76298218580d7bff5bdebe67124006767 |
| SHA256 | 2ddf665991f7f742384c54d79e525e7006e388328cbacb2dcbffb0d8f09ee5c0 |
| SHA512 | 1cd6249d2785d56d4f62b3b8d8a7021bf2362e00df6019e95514660800c8979f5307b8b5a0a8444961b995325828aaea86a6ef435de5e0a77cc3746e215010de |
memory/3132-14-0x00007FFB904E0000-0x00007FFB90FA1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-01 14:59
Reported
2024-08-01 15:02
Platform
win7-20240708-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
| NL | 195.88.218.76:4782 | | tcp |
Files
memory/2380-0-0x000007FEF5D63000-0x000007FEF5D64000-memory.dmp
memory/2380-1-0x0000000001110000-0x0000000001434000-memory.dmp
memory/2380-2-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp
memory/2380-3-0x000007FEF5D63000-0x000007FEF5D64000-memory.dmp
memory/2380-4-0x000007FEF5D60000-0x000007FEF674C000-memory.dmp