Analysis
-
max time kernel
126s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
29/10/2024, 17:40
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
c65338d7d892863734f74ee949cb7a16
-
SHA1
50151ab64046e04bc2e8d58c7c3bff0991299e9b
-
SHA256
14cad65e79b0d7faf6829d7c30bf504ae66e4adc0a28981eb50e5d00465e0645
-
SHA512
c0fa19c86ecb29c62569b7681be92f75b3f6b85d41623b7e26ee6ebd26ce3c91f4dbdfdcc47a05c681e2f496d9b0644cd64b07fb2168b1b119b7d503c539f6d0
-
SSDEEP
49152:Svht62XlaSFNWPjljiFa2RoUYIV34abRDKLoGOZTHHB72eh2NT:SvL62XlaSFNWPjljiFXRoUYIV34K0
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.1.28:4782
03ef2b9a-5389-4312-b3d3-9b6f68cc5386
-
encryption_key
F8A900CD75D848E74023B3A66FA8AA5469C97692
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
.
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "." /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5c65338d7d892863734f74ee949cb7a16
SHA150151ab64046e04bc2e8d58c7c3bff0991299e9b
SHA25614cad65e79b0d7faf6829d7c30bf504ae66e4adc0a28981eb50e5d00465e0645
SHA512c0fa19c86ecb29c62569b7681be92f75b3f6b85d41623b7e26ee6ebd26ce3c91f4dbdfdcc47a05c681e2f496d9b0644cd64b07fb2168b1b119b7d503c539f6d0
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB