Analysis

  • max time kernel
    135s
  • max time network
    133s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/08/2024, 17:10

General

  • Target

    bad.exe

  • Size

    3.7MB

  • MD5

    8b88af81c33011a8f0fd7706034e0208

  • SHA1

    12505464442bd35acbb62bbcdb48fb031823ff01

  • SHA256

    2ab87351f388e10ff472ca538d58100cbeb401b7cde14f587ef53a9887154db7

  • SHA512

    a73e26aa9ada2653597965ece64ec5f0469b925d31df4cc0942fadacdd910d2d2e0bf4065cb82a65a07ec0e23ccc7360f0eecda76f1a5f6a4deda1b1b07521c5

  • SSDEEP

    24576:s01wsus40AuwA6/sykLsGaQW1A5Oax6X8D9GOrVjJjNWmFe+Txy7z96/AMfm4A:osPUkLsEW1A5bxV9DRPFesNA

Malware Config

Extracted

Family

quasar

Version

2.8.0.1

Botnet

Estocolmo

C2

142.4.197.81:5555

Mutex

8TII29t58WcKMPIhVq

Attributes
  • encryption_key

    ZQWZ9ZhoK5A8EFF0xXlY

  • install_name

    Venom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar payload 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bad.exe
    "C:\Users\Admin\AppData\Local\Temp\bad.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\bad.exe
      "C:\Users\Admin\AppData\Local\Temp\bad.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1404-4-0x0000000005CF0000-0x0000000005CF8000-memory.dmp

    Filesize

    32KB

  • memory/1404-1-0x0000000000FF0000-0x00000000013A6000-memory.dmp

    Filesize

    3.7MB

  • memory/1404-2-0x0000000005C80000-0x0000000005C8C000-memory.dmp

    Filesize

    48KB

  • memory/1404-0-0x00000000746AE000-0x00000000746AF000-memory.dmp

    Filesize

    4KB

  • memory/1404-3-0x0000000006310000-0x00000000068B4000-memory.dmp

    Filesize

    5.6MB

  • memory/1404-13-0x00000000746A0000-0x0000000074E50000-memory.dmp

    Filesize

    7.7MB

  • memory/1404-11-0x00000000746A0000-0x0000000074E50000-memory.dmp

    Filesize

    7.7MB

  • memory/3960-8-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

  • memory/3960-14-0x0000000005970000-0x0000000005A02000-memory.dmp

    Filesize

    584KB

  • memory/3960-7-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

  • memory/3960-5-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

  • memory/3960-6-0x0000000000400000-0x00000000004EC000-memory.dmp

    Filesize

    944KB

  • memory/3960-12-0x00000000746A0000-0x0000000074E50000-memory.dmp

    Filesize

    7.7MB

  • memory/3960-15-0x00000000746A0000-0x0000000074E50000-memory.dmp

    Filesize

    7.7MB

  • memory/3960-16-0x0000000005A10000-0x0000000005A76000-memory.dmp

    Filesize

    408KB

  • memory/3960-17-0x0000000006630000-0x0000000006642000-memory.dmp

    Filesize

    72KB

  • memory/3960-18-0x0000000006CB0000-0x0000000006CEC000-memory.dmp

    Filesize

    240KB

  • memory/3960-19-0x00000000073F0000-0x00000000073FA000-memory.dmp

    Filesize

    40KB

  • memory/3960-20-0x00000000746A0000-0x0000000074E50000-memory.dmp

    Filesize

    7.7MB