Malware Analysis Report

2024-10-23 21:24

Sample ID 240801-sc15wswdnk
Target Client-built.exe
SHA256 2dbd31f6ed2f964d191b7077c2acecc931648cc2f1a2a43f57b0cbb35d1b72c7
Tags
quasar office04 discovery spyware trojan
score
10/10


Analysis Overview

score
10/10

SHA256

2dbd31f6ed2f964d191b7077c2acecc931648cc2f1a2a43f57b0cbb35d1b72c7

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 discovery spyware trojan

Quasar RAT

Quasar payload

Quasar family

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-01 14:59

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-01 14:59

Reported

2024-08-01 15:02

Platform

win10v2004-20240730-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2951562807-3718269429-4208157415-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3132 wrote to memory of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 4392 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2680 wrote to memory of 2708 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
(Each write above was recorded twice in the trace.)

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1hjgNavw45ZJ.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 195.88.218.76:4782 tcp
US 8.8.8.8:53 21.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 76.218.88.195.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\1hjgNavw45ZJ.bat

MD5 0eefeb9434c36f223b930bd6b88badbe
SHA1 7967bbc76298218580d7bff5bdebe67124006767
SHA256 2ddf665991f7f742384c54d79e525e7006e388328cbacb2dcbffb0d8f09ee5c0
SHA512 1cd6249d2785d56d4f62b3b8d8a7021bf2362e00df6019e95514660800c8979f5307b8b5a0a8444961b995325828aaea86a6ef435de5e0a77cc3746e215010de

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-01 14:59

Reported

2024-08-01 15:02

Platform

win7-20240708-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Network

Country Destination Domain Proto
NL 195.88.218.76:4782 tcp
(The same connection was recorded 22 times in this run.)
