Overview

overview

10

Static

static

10

RD_VSetup1.41.exe

windows7-x64

10

RD_VSetup1.41.exe

windows10-2004-x64

10

Resubmissions

09-08-2024 16:12

240809-tnprnswfph 10

09-08-2024 16:06

240809-tkk93sseql 10

Analysis

  • max time kernel
    210s
  • max time network
    211s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    09-08-2024 16:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RD_VSetup1.41.exe

  • Size

    3.3MB

  • MD5

    094452bdd14c5acce6a8e5cb16f39fac

  • SHA1

    f7c55189d66bb0722bc00af7b400d66b6caa8779

  • SHA256

    eea939e6d9dae292703d7d5b634938cfe4a00db8115daf9c3c4148afd8895eef

  • SHA512

    4dde7c1083b658b943cbb50e95c6fd8fe547512eb11cdfd1f1d0fe9f1552b968f6cbf30fbfb8829cba65e00504abe63c39c0c9680cd8d0c945c56e1fe8a96d67

  • SSDEEP

    49152:fvLI22SsaNYfdPBldt698dBcjH20ymSmzDwoGdeBTHHB72eh2NTc:fv022SsaNYfdPBldt6+dBcjH/ym8+

Score
10/10
quasarremixthattingspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

RemixThatTing

C2

192.168.1.1:4782

Mutex

2853cd92-f829-4151-a3ab-a32a77b6bfd1

Attributes
  • encryption_key

    1C048FBC4D2C47C8039B5C30AAA4E3E12C03AE02

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Java Updater v.1.4.1

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RD_VSetup1.41.exe
    "C:\Users\Admin\AppData\Local\Temp\RD_VSetup1.41.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Java Updater v.1.4.1" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3052
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2976
  • C:\Users\Admin\AppData\Local\Temp\RD_VSetup1.41.exe
    "C:\Users\Admin\AppData\Local\Temp\RD_VSetup1.41.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2728

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1848-0-0x000007FEF4BD3000-0x000007FEF4BD4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1848-1-0x0000000000070000-0x00000000003C2000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1848-2-0x000007FEF4BD0000-0x000007FEF55BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1848-6-0x000007FEF4BD3000-0x000007FEF4BD4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1848-7-0x000007FEF4BD0000-0x000007FEF55BC000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2976-3-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2976-4-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download

  • memory/2976-5-0x0000000001C90000-0x0000000001CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2976-8-0x0000000140000000-0x00000001405E8000-memory.dmp

    Filesize

    5.9MB

    Download