Analysis

  • max time kernel
    13s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    19/08/2024, 17:10

General

  • Target

    bad.exe

  • Size

    3.7MB

  • MD5

    8b88af81c33011a8f0fd7706034e0208

  • SHA1

    12505464442bd35acbb62bbcdb48fb031823ff01

  • SHA256

    2ab87351f388e10ff472ca538d58100cbeb401b7cde14f587ef53a9887154db7

  • SHA512

    a73e26aa9ada2653597965ece64ec5f0469b925d31df4cc0942fadacdd910d2d2e0bf4065cb82a65a07ec0e23ccc7360f0eecda76f1a5f6a4deda1b1b07521c5

  • SSDEEP

    24576:s01wsus40AuwA6/sykLsGaQW1A5Oax6X8D9GOrVjJjNWmFe+Txy7z96/AMfm4A:osPUkLsEW1A5bxV9DRPFesNA

Malware Config

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Estocolmo

C2

142.4.197.81:5555

Mutex

8TII29t58WcKMPIhVq

Attributes
  • encryption_key

    ZQWZ9ZhoK5A8EFF0xXlY

  • install_name

    Venom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bad.exe
    "C:\Users\Admin\AppData\Local\Temp\bad.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Users\Admin\AppData\Local\Temp\bad.exe
      "C:\Users\Admin\AppData\Local\Temp\bad.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2112-11-0x00000000749A0000-0x000000007508E000-memory.dmp

    Filesize

    6.9MB

  • memory/2112-1-0x0000000001230000-0x00000000015E6000-memory.dmp

    Filesize

    3.7MB

  • memory/2112-2-0x0000000000200000-0x000000000020C000-memory.dmp

    Filesize

    48KB

  • memory/2112-3-0x0000000000250000-0x0000000000258000-memory.dmp

    Filesize

    32KB

  • memory/2112-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

    Filesize

    4KB

  • memory/2112-13-0x00000000749A0000-0x000000007508E000-memory.dmp

    Filesize

    6.9MB

  • memory/2720-4-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

  • memory/2720-9-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

  • memory/2720-6-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

  • memory/2720-5-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

  • memory/2720-10-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

  • memory/2720-12-0x00000000749A0000-0x000000007508E000-memory.dmp

    Filesize

    6.9MB

  • memory/2720-7-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

  • memory/2720-14-0x00000000749A0000-0x000000007508E000-memory.dmp

    Filesize

    6.9MB

  • memory/2720-15-0x00000000749A0000-0x000000007508E000-memory.dmp

    Filesize

    6.9MB

  • memory/2720-16-0x00000000749A0000-0x000000007508E000-memory.dmp

    Filesize

    6.9MB