Analysis Overview
SHA256
88641b449e8a26c6468058f54acf474225b571dab55a921caed63020390b6896
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar payload
Quasar family
Executes dropped EXE
Drops file in System32 directory
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-18 21:57
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-18 21:57
Reported
2024-08-18 22:00
Platform
win7-20240729-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\Windows | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
| File created | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f
C:\Windows\system32\Windows\Windows Host Process.exe
"C:\Windows\system32\Windows\Windows Host Process.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp |
Files
memory/3000-0-0x000007FEF5AB3000-0x000007FEF5AB4000-memory.dmp
memory/3000-1-0x0000000000DB0000-0x0000000001106000-memory.dmp
memory/3000-2-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
C:\Windows\System32\Windows\Windows Host Process.exe
| MD5 | 280cdb0f182b4fca9cd0fd87ab0f9551 |
| SHA1 | b7631a3d0bc305c70f1a0711ca0d3b03d82252ec |
| SHA256 | 88641b449e8a26c6468058f54acf474225b571dab55a921caed63020390b6896 |
| SHA512 | d35ec454f18987a700506e1585cfd313906a3e2ab868040b38bba3682ab61b78dc4eec224c23fb8309a8cbd6ae664299940ec8d00afbc0ffaf1a248230c1c8cd |
memory/2816-9-0x0000000001310000-0x0000000001666000-memory.dmp
memory/3000-8-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
memory/2816-10-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
memory/2816-11-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
memory/2816-12-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-18 21:57
Reported
2024-08-18 22:04
Platform
win10v2004-20240802-en
Max time kernel
444s
Max time network
448s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
| File opened for modification | C:\Windows\system32\Windows | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
| File created | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 376 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 376 wrote to memory of 2956 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 376 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\Windows\Windows Host Process.exe |
| PID 376 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\Windows\Windows Host Process.exe |
| PID 2136 wrote to memory of 3176 | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 2136 wrote to memory of 3176 | N/A | C:\Windows\system32\Windows\Windows Host Process.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f
C:\Windows\system32\Windows\Windows Host Process.exe
"C:\Windows\system32\Windows\Windows Host Process.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Windows Host Process" /sc ONLOGON /tr "C:\Windows\system32\Windows\Windows Host Process.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.58.20.217.in-addr.arpa | udp |
| US | 147.185.221.22:6712 | tcp | |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 147.185.221.22:6712 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 147.185.221.22:6712 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 147.185.221.22:6712 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.22:6712 | tcp | |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp | |
| US | 147.185.221.22:6712 | tcp |
Files
memory/376-0-0x00007FFA93AE3000-0x00007FFA93AE5000-memory.dmp
memory/376-1-0x0000000000190000-0x00000000004E6000-memory.dmp
memory/376-2-0x00007FFA93AE0000-0x00007FFA945A1000-memory.dmp
C:\Windows\System32\Windows\Windows Host Process.exe
| MD5 | 280cdb0f182b4fca9cd0fd87ab0f9551 |
| SHA1 | b7631a3d0bc305c70f1a0711ca0d3b03d82252ec |
| SHA256 | 88641b449e8a26c6468058f54acf474225b571dab55a921caed63020390b6896 |
| SHA512 | d35ec454f18987a700506e1585cfd313906a3e2ab868040b38bba3682ab61b78dc4eec224c23fb8309a8cbd6ae664299940ec8d00afbc0ffaf1a248230c1c8cd |
memory/2136-10-0x00007FFA93AE0000-0x00007FFA945A1000-memory.dmp
memory/376-9-0x00007FFA93AE0000-0x00007FFA945A1000-memory.dmp
memory/2136-11-0x00007FFA93AE0000-0x00007FFA945A1000-memory.dmp
memory/2136-12-0x000000001BBD0000-0x000000001BC20000-memory.dmp
memory/2136-13-0x000000001BCE0000-0x000000001BD92000-memory.dmp
memory/2136-14-0x00007FFA93AE0000-0x00007FFA945A1000-memory.dmp