Overview

overview

10

Static

static

10

$77-Client.exe

windows10-1703-x64

10

$77-Client.exe

windows10-2004-x64

10

$77-Client.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    184s
  • max time network
    206s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    25/08/2024, 21:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $77-Client.exe

  • Size

    3.1MB

  • MD5

    acc9e9d547efe13b2b0be13cb14aa721

  • SHA1

    0a859b612ab726e7de353fe25ea862b38d23401f

  • SHA256

    719a7b316bfd202755b62a1a832ec1ef53a731dfa7e046d0cc92a797e414450f

  • SHA512

    e2225f526057068e6eb2c284c9e4429fd819923e52f9f8275a743feb5bb9c8519287cd3ce698761b717df6e3c870b21ff2a1eb2a61e29438d3d6f55e14588084

  • SSDEEP

    49152:2vBt62XlaSFNWPjljiFa2RoUYI8ZCq1J0LoGd+1THHB72eh2NT:2vr62XlaSFNWPjljiFXRoUYIiCn

Score
10/10
quasarslavediscoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

C2

147.185.221.20:49485

Mutex

725e8cd4-7df0-4c5f-8cad-7f42a47ec93d

Attributes
  • encryption_key

    8A741B205625DDE1631E142A4F37B4EFE8EC3980

  • install_name

    $77-Client.exe

  • log_directory

    $77-Logs

  • reconnect_delay

    3000

  • startup_key

    $77-Client

  • subdirectory

    $77-SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\$77-Client.exe
    "C:\Users\Admin\AppData\Local\Temp\$77-Client.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4792
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "$77-Client" /sc ONLOGON /tr "C:\Windows\system32\$77-SubDir\$77-Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4976
    • C:\Windows\system32\$77-SubDir\$77-Client.exe
      "C:\Windows\system32\$77-SubDir\$77-Client.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "$77-Client" /sc ONLOGON /tr "C:\Windows\system32\$77-SubDir\$77-Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4748
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /delete /tn "$77-Client" /f
        3⤵
          PID:1576
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3jh2KoXIwRrR.bat" "
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1900
          • C:\Windows\system32\chcp.com
            chcp 65001
            4⤵
              PID:3132
            • C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              4⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2412

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-Client.exe.log
        Filesize

        1KB

        MD5

        b4e91d2e5f40d5e2586a86cf3bb4df24

        SHA1

        31920b3a41aa4400d4a0230a7622848789b38672

        SHA256

        5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

        SHA512

        968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\3jh2KoXIwRrR.bat
        Filesize

        208B

        MD5

        5f8e9d7ec53a595bdc98b78c1abbd0f5

        SHA1

        a620ef709271d86b04db3ad8692c3a6009f5750b

        SHA256

        cdb56bdb8c17b167371a4fe4c2b3eedd8e9f750b919950a89c7a19bafc9716c9

        SHA512

        250ae3b4f9a6c298570d18fd867c4c416e78f8a0f5c5938a48018c58c07cf5b56b679e2640e66bd7dcc874f1d422bf385e1b26b0afa5fc30615602d7b1310132

        Download Submit

      • C:\Windows\System32\$77-SubDir\$77-Client.exe
        Filesize

        3.1MB

        MD5

        acc9e9d547efe13b2b0be13cb14aa721

        SHA1

        0a859b612ab726e7de353fe25ea862b38d23401f

        SHA256

        719a7b316bfd202755b62a1a832ec1ef53a731dfa7e046d0cc92a797e414450f

        SHA512

        e2225f526057068e6eb2c284c9e4429fd819923e52f9f8275a743feb5bb9c8519287cd3ce698761b717df6e3c870b21ff2a1eb2a61e29438d3d6f55e14588084

        Download Submit

      • memory/4360-11-0x00007FFCD6030000-0x00007FFCD6AF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4360-12-0x00007FFCD6030000-0x00007FFCD6AF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4360-13-0x000000001C100000-0x000000001C150000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4360-14-0x000000001C210000-0x000000001C2C2000-memory.dmp

        Filesize

        712KB

        Download

      • memory/4360-17-0x000000001C1B0000-0x000000001C1C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4360-18-0x000000001CD20000-0x000000001CD5C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4360-19-0x00007FFCD6030000-0x00007FFCD6AF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4360-24-0x00007FFCD6030000-0x00007FFCD6AF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4792-10-0x00007FFCD6030000-0x00007FFCD6AF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4792-2-0x00007FFCD6030000-0x00007FFCD6AF2000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4792-0-0x00007FFCD6033000-0x00007FFCD6035000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4792-1-0x00000000003E0000-0x0000000000704000-memory.dmp

        Filesize

        3.1MB

        Download