Malware Analysis Report

2024-10-23 21:24

Sample ID 240805-jzq4rs1blm
Target skibidirat.exe
SHA256 62e9fdaaf90da01ef28a26823e3442d73b93dc0e23d93139df631701cf6da260
Tags
office04 quasar credential_access discovery spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

62e9fdaaf90da01ef28a26823e3442d73b93dc0e23d93139df631701cf6da260

Threat Level: Known bad

The file skibidirat.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar credential_access discovery spyware stealer trojan

Quasar payload

Quasar RAT

Quasar family

Credentials from Password Stores: Credentials from Web Browsers

Reads WinSCP keys stored on the system

Reads user/profile data of web browsers

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-05 08:06

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-05 08:06

Reported

2024-08-05 08:24

Platform

win10-20240611-en

Max time kernel

383s

Max time network

871s

Command Line

"C:\Users\Admin\AppData\Local\Temp\skibidirat.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\skibidirat.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4604 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\skibidirat.exe | C:\Windows\system32\cmd.exe
PID 4604 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\skibidirat.exe | C:\Windows\system32\cmd.exe
PID 2148 wrote to memory of 848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2148 wrote to memory of 848 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 2148 wrote to memory of 5032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 2148 wrote to memory of 5032 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\skibidirat.exe

"C:\Users\Admin\AppData\Local\Temp\skibidirat.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x348

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YR9i5XlPZll8.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country | Destination | Domain | Proto
US | 147.185.221.18:42996 | (none) | tcp
US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp
US | 8.8.8.8:53 | ipwho.is | udp
DE | 195.201.57.90:443 | ipwho.is | tcp
US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp
US | 147.185.221.18:1770 | (none) | tcp
US | 8.8.8.8:53 | 24.173.189.20.in-addr.arpa | udp
US | 147.185.221.18:42996 | (none) | tcp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 147.185.221.18:1770 | (none) | tcp
US | 147.185.221.18:42996 | (none) | tcp
US | 147.185.221.18:1770 | (none) | tcp
US | 147.185.221.18:42996 | (none) | tcp

Files

memory/4604-0-0x00007FFCA9A13000-0x00007FFCA9A14000-memory.dmp

memory/4604-1-0x0000000000660000-0x0000000000984000-memory.dmp

memory/4604-2-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

memory/4604-3-0x000000001C020000-0x000000001C070000-memory.dmp

memory/4604-4-0x000000001C130000-0x000000001C1E2000-memory.dmp

memory/4604-7-0x000000001C070000-0x000000001C082000-memory.dmp

memory/4604-8-0x000000001C0D0000-0x000000001C10E000-memory.dmp

memory/4604-9-0x00007FFCA9A13000-0x00007FFCA9A14000-memory.dmp

memory/4604-10-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

memory/4604-11-0x000000001CC20000-0x000000001CCCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\YR9i5XlPZll8.bat

MD5 deb5cff509a70397e291ad7588bda5fe
SHA1 d128225c0716c1d597d6c82979fcf47030a2c9f9
SHA256 3c2801cde3050ba20e697fa767df08c5e4fdd1d79479fc5ab18f9fe813ed31c8
SHA512 096d11e292c9a1474678f01e352d5e56fbfd1a62d967a2aa9b9dadcf43b7b16167cd9d10ed4a803c3b863d5d7133045dcd6cf6fa20ea07bcba728c33329e6902

memory/4604-22-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp