Analysis

  • max time kernel
    147s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/08/2024, 08:12

General

  • Target

    64f51e7b139ab5cf5829321a7ea0e7cc8aad04f1ec1d872345ee029e679dd2af.exe

  • Size

    1.5MB

  • MD5

    be87988d10070a2a95aa02f5cdab0aab

  • SHA1

    b62fe5009101940ed28cc1167b2baeb418938cc6

  • SHA256

    64f51e7b139ab5cf5829321a7ea0e7cc8aad04f1ec1d872345ee029e679dd2af

  • SHA512

    ecadcc7e03b973d79265ddbe7165ed205ef18494924645b5c995bfba45aebc1196790d8831d856142b00841128ad3e7bc63a52290b57d50db6d4fd0960298018

  • SSDEEP

    49152:UbA30vMJT4D/NPNOUY389Nv7Meox7eQeblMR:UbqTwRkUYIvloxCQulMR

Malware Config

Extracted

  • Family
    quasar
  • Version
    1.4.1
  • Botnet
    TrumpUS
  • C2
    namz.read-books.org:1337
  • Mutex
    06f1c124-2f86-4205-a4b8-825abb0ee5d0
  • Attributes
    • encryption_key
      EE5F2943516BF23B75353DDAA9266AAFF982D3E6
    • install_name
      WindowsUpdate.exe
    • log_directory
      Logs
    • reconnect_delay
      3000
    • startup_key
      DqdCQdqc
    • subdirectory
      SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\64f51e7b139ab5cf5829321a7ea0e7cc8aad04f1ec1d872345ee029e679dd2af.exe
    "C:\Users\Admin\AppData\Local\Temp\64f51e7b139ab5cf5829321a7ea0e7cc8aad04f1ec1d872345ee029e679dd2af.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\start.vbs"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Users\Admin\AppData\Roaming\Client-built2.sfx.exe
        "C:\Users\Admin\AppData\Roaming\Client-built2.sfx.exe" -p1337guy$$$
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Users\Admin\AppData\Roaming\Client-built.exe
          "C:\Users\Admin\AppData\Roaming\Client-built.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2852
          • C:\Windows\system32\schtasks.exe
            "schtasks" /create /tn "DqdCQdqc" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:2580
          • C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1196
            • C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "DqdCQdqc" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\WindowsUpdate.exe" /rl HIGHEST /f
              6⤵
              • Scheduled Task/Job: Scheduled Task
              PID:856

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Roaming\Client-built2.sfx.exe

    Filesize

    1.3MB

    MD5

    34ce1530d7c6221627ba23c7aca03435

    SHA1

    fdf5df26664554bbeec2b9b40d9b9b6c4dc355db

    SHA256

    f961026fd90ab67d1db933b03eb4cf87e4c9f57b39c2001e81fb87193124be37

    SHA512

    13172b88c909ab1e0f5c938056f0b138cbaed24985b9c92d3a919ec3028d4440253f2872f3b96559b4cff6d10cfae101ef08da94254f223714165e2cb22aa229

  • C:\Users\Admin\AppData\Roaming\start.vbs

    Filesize

    776B

    MD5

    9c9c5ace80e216ae113c55a317414edd

    SHA1

    60055c589956645b64b824c9114145adc75fef1e

    SHA256

    fd1b2b6c0bab3487bdaec3fdc72775823f0d0240f336a8ba07e9550d8b06d8a5

    SHA512

    fec010d313b3cdec7d09e397bebe529a9000e2968e7ddb7e21b743a5f8e272e50fb2060d81f6ceaeb9a944811f04c1839cccf5d2741d37f56c2501744109f6b0

  • \Users\Admin\AppData\Roaming\Client-built.exe

    Filesize

    3.1MB

    MD5

    63d4d473f7eefb64274601a1564f348c

    SHA1

    1178086b2041b0110dc15b2955c81f96d0e504be

    SHA256

    51be0be756a2a590efde88e27908dfe128a85f5b3b321b379016d02f6e194e48

    SHA512

    ac9086ac8e0fe771c4696f536cea77f925e190b13151ade806f8eabb0e63c0dbf6e174a7cafd065c6c6e02355d1e0c208e1342aee686a72b9e904b1ef94e3b24

  • memory/1196-31-0x00000000013B0000-0x00000000016D4000-memory.dmp

    Filesize

    3.1MB

  • memory/2852-25-0x0000000000850000-0x0000000000B74000-memory.dmp

    Filesize

    3.1MB