Analysis

  • max time kernel
    383s
  • max time network
    871s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
  • submitted
    05-08-2024 08:06

General

  • Target

    skibidirat.exe

  • Size

    3.1MB

  • MD5

    797c5548befc52f7b0dbedc8e6172184

  • SHA1

    05e5fd623d589e9790e648348f05e317d926b8c4

  • SHA256

    62e9fdaaf90da01ef28a26823e3442d73b93dc0e23d93139df631701cf6da260

  • SHA512

    2ed20953b97ae2a2dfad7735dcef327f69cd08e9d2acaefd7a23dec0890463dd5a97c5cb1fb54634a052613b55752fc3ce624939dd89ef85bcdae5d46a19e0b5

  • SSDEEP

    49152:xHobtR1o2PmNXo7WCr5Ft4Rw8FcXrYd+THHB72eh2NT:xHmRvmNXo7WCr5+w8A

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

147.185.221.18:42996

147.185.221.18:1770

Mutex

c2e1b18a-ce93-436d-ad8b-21bf89015e19

Attributes
  • encryption_key

    9E968F05BD874BA1BE086FD1774A027473823F49

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 9 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\skibidirat.exe
    "C:\Users\Admin\AppData\Local\Temp\skibidirat.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4604
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YR9i5XlPZll8.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:848
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5032
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x348
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3556

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\YR9i5XlPZll8.bat

      Filesize

      211B

      MD5

      deb5cff509a70397e291ad7588bda5fe

      SHA1

      d128225c0716c1d597d6c82979fcf47030a2c9f9

      SHA256

      3c2801cde3050ba20e697fa767df08c5e4fdd1d79479fc5ab18f9fe813ed31c8

      SHA512

      096d11e292c9a1474678f01e352d5e56fbfd1a62d967a2aa9b9dadcf43b7b16167cd9d10ed4a803c3b863d5d7133045dcd6cf6fa20ea07bcba728c33329e6902

    • memory/4604-0-0x00007FFCA9A13000-0x00007FFCA9A14000-memory.dmp

      Filesize

      4KB

    • memory/4604-1-0x0000000000660000-0x0000000000984000-memory.dmp

      Filesize

      3.1MB

    • memory/4604-2-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

      Filesize

      9.9MB

    • memory/4604-3-0x000000001C020000-0x000000001C070000-memory.dmp

      Filesize

      320KB

    • memory/4604-4-0x000000001C130000-0x000000001C1E2000-memory.dmp

      Filesize

      712KB

    • memory/4604-7-0x000000001C070000-0x000000001C082000-memory.dmp

      Filesize

      72KB

    • memory/4604-8-0x000000001C0D0000-0x000000001C10E000-memory.dmp

      Filesize

      248KB

    • memory/4604-9-0x00007FFCA9A13000-0x00007FFCA9A14000-memory.dmp

      Filesize

      4KB

    • memory/4604-10-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

      Filesize

      9.9MB

    • memory/4604-11-0x000000001CC20000-0x000000001CCCA000-memory.dmp

      Filesize

      680KB

    • memory/4604-22-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

      Filesize

      9.9MB