Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
20-10-2024 17:33
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
e35d832888fda0fd705386a4b94ecc49
-
SHA1
86380c3eea496c7947c25c547748cfeed51c4de9
-
SHA256
aa3170ce6b4bbd9960ac0ccd60f7d0b39cc0d28254bfe73545b540cbd8444b21
-
SHA512
60d6aec705948474fa007dad26fdba9b92dcb1098aefb4eed2898af7b048729e4a3ee5af7e7b9ca9e555b97b54f6d97007dfc1531d0abb9e5da01b5911c5fd63
-
SSDEEP
49152:Av4lL26AaNeWgPhlmVqvMQ7XSKNEREuY4oGdPwTHHB72eh2NT:AvQL26AaNeWgPhlmVqkQ7XSKmREuT
Malware Config
Extracted
quasar
1.4.1
Office04
HomoThugger-36407.portmap.host:36407
42d6f4c0-e8fc-473a-b92d-ded3fb29334a
-
encryption_key
3CDA48FEB25557C87485A9F37CDC861398BEA3C7
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Runs ping.exe 1 TTPs 10 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 10 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs