Analysis Overview
SHA256
4fa37e700c2b9ee257995cc82ad1f02b02bf5b031a5fda15ff34277c82239d8a
Threat Level: Known bad
The file Spoofers.7z was found to be: Known bad.
Malicious Activity Summary
Quasar family
Deletes Windows Defender Definitions
Blankgrabber family
A stealer written in Python and packaged with Pyinstaller
Quasar RAT
Quasar payload
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Enumerates processes with tasklist
UPX packed file
Unsigned PE
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 00:08
Signatures
A stealer written in Python and packaged with Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blankgrabber family
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 00:08
Reported
2024-10-30 00:27
Platform
win10ltsc2021-20241023-en
Max time kernel
425s
Max time network
429s
Command Line
Signatures
Deletes Windows Defender Definitions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Windows Defender\MpCmdRun.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Spoofers\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofers\Cleaner.exe"
C:\Users\Admin\AppData\Local\Temp\Spoofers\Cleaner.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofers\Cleaner.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofers\Cleaner.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('successfully cleaned', 0, 'cleaner', 48+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('successfully cleaned', 0, 'cleaner', 48+16);close()"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofers\Cleaner.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
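The process tree above is a textbook Defender-tampering sequence wrapped in cmd.exe /c chains: a self-exclusion, a bulk Set-MpPreference disabling real-time, IOAV and script scanning plus cloud lookups, and finally MpCmdRun -RemoveDefinitions -All, followed by tasklist and wmic csproduct reconnaissance. The following is an added triage script written for this page (editor's code, not sandbox output): it unwraps the cmd.exe /c wrapper, splits each chain on & and && the way cmd.exe does, and maps every chained command to a behaviour. The command lines are copied verbatim from the Processes list; the rule set and the ATT&CK technique labels are the editor's own mapping.

```python
"""Command-line triage for the behavioral1 process tree.

Added example (editor's code, not output of the sandbox). The command lines
are copied from the Processes list; the rules and the ATT&CK labels are the
editor's own mapping.
"""
import re

# Copied from the report's behavioral1 Processes section.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\Spoofers\Cleaner.exe"',
    r'''C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Spoofers\Cleaner.exe'"''',
    r'C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true '
    r'-DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true '
    r'-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force '
    r'-MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference '
    r'-SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"',
    r'''C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('successfully cleaned', 0, 'cleaner', 48+16);close()""''',
    r'C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"',
    r'C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"',
    r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
]

# Matches `cmd.exe /c <payload>` (optionally quoted path) and captures the payload.
CMD_WRAPPER = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.I | re.S)


def unwrap_cmd(cmdline: str) -> list[str]:
    """Strip a `cmd.exe /c "..."` wrapper and split the payload on & or &&
    that sit outside double quotes, which is how cmd.exe chains commands."""
    m = CMD_WRAPPER.match(cmdline)
    payload = m.group(1).strip() if m else cmdline.strip()
    if len(payload) >= 2 and payload[0] == '"' and payload[-1] == '"':
        payload = payload[1:-1]          # cmd /c drops the outer quote pair
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(payload):
        ch = payload[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "&" and not in_quotes:
            parts.append("".join(buf))
            buf = []
            i += 2 if payload.startswith("&&", i) else 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


# (description, ATT&CK technique as labelled by the editor, pattern)
RULES = [
    ("Defender protection engines disabled", "T1562.001",
     re.compile(r"Set-MpPreference.*-Disable(RealtimeMonitoring|IOAVProtection|ScriptScanning|IntrusionPreventionSystem)\s+\$true", re.I)),
    ("Defender cloud lookups / sample submission turned off", "T1562.001",
     re.compile(r"Set-MpPreference.*-(MAPSReporting\s+Disabled|SubmitSamplesConsent\s+(NeverSend|2))", re.I)),
    ("Defender exclusion added for a path", "T1562.001",
     re.compile(r"Add-MpPreference.*-ExclusionPath", re.I)),
    ("Defender signature definitions removed", "T1562.001",
     re.compile(r'MpCmdRun(\.exe)?"?\s+-RemoveDefinitions', re.I)),
    ("mshta running inline javascript:", "T1218.005",
     re.compile(r'mshta(\.exe)?\s+"?javascript:', re.I)),
    ("process enumeration with tasklist", "T1057",
     re.compile(r"\btasklist(\.exe)?\b", re.I)),
    ("machine UUID collected via wmic csproduct", "T1082",
     re.compile(r"wmic\s+csproduct\s+get\s+uuid", re.I)),
]


def triage(cmdline: str) -> list[tuple[str, str, str]]:
    """Return (technique, description, evidence) for every rule a chained command trips."""
    hits = []
    for part in unwrap_cmd(cmdline):
        for desc, technique, rx in RULES:
            if rx.search(part):
                hits.append((technique, desc, part))
    return hits


def triage_all(cmdlines) -> list[tuple[str, str, str]]:
    return [hit for cmdline in cmdlines for hit in triage(cmdline)]


if __name__ == "__main__":
    for technique, desc, evidence in triage_all(COMMAND_LINES):
        print(f"{technique:10} {desc:55} {evidence[:70]}")
```

Splitting on the chain operators matters: a rule that only looks at the whole cmd.exe line would report one event for the Set-MpPreference chain, while the split exposes three distinct actions (engines off, sample submission off, definitions deleted), and the last one also appears a second time as the standalone MpCmdRun.exe process that cmd.exe spawned.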
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-hm8hk.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.103.156.88:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.64.52.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI38282\python312.dll
| MD5 | eb02b8268d6ea28db0ea71bfe24b15d6 |
| SHA1 | 86f723fcc4583d7d2bd59ca2749d4b3952cd65a5 |
| SHA256 | 80222651a93099a906be55044024d32e93b841c83554359d6e605d50d11e2e70 |
| SHA512 | 693bbc3c896ad3c6044c832597f946c778e6c6192def3d662803e330209ec1c68d8d33bd82978279ae66b264a892a366183dcef9a3a777e0a6ee450a928268e2 |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/652-25-0x00007FFA718C0000-0x00007FFA71F85000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI38282\base_library.zip
| MD5 | 242a4d3404414a9e8ed1ca1a72e8039c |
| SHA1 | b1fd68d13cc6d5b97dc3ea8e2be1144ea2c3ed50 |
| SHA256 | cb98f93ede1f6825699ef6e5f11a65b00cdbc9fdfb34f7209b529a6e43e0402d |
| SHA512 | cca8e18cc41300e204aee9e44d68ffe9808679b7dbf3bec9b3885257cadccff1df22a3519cc8db3b3c557653c98bac693bf89a1e6314ef0e0663c76be2bf8626 |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\_ctypes.pyd
| MD5 | fa360b7044312e7404704e1a485876d2 |
| SHA1 | 6ea4aad0692c016c6b2284db77d54d6d1fc63490 |
| SHA256 | f06c3491438f6685938789c319731ddf64ba1da02cd71f43ab8829af0e3f4e2f |
| SHA512 | db853c338625f3e04b01b049b0cb22bdaed4e785eb43696aeda71b558f0f58113446a96a3e5356607335435ee8c78069ce8c1bcdb580d00fd4baacbec97a4b6a |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
memory/652-30-0x00007FFA87E70000-0x00007FFA87E95000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI38282\_socket.pyd
| MD5 | da0dc29c413dfb5646d3d0818d875571 |
| SHA1 | adcd7ecd1581bcd0da48bd7a34feccada0b015d6 |
| SHA256 | c3365ad1fee140b4246f06de805422762358a782757b308f796e302fe0f5aaf8 |
| SHA512 | 17a0c09e2e18a984fd8fc4861397a5bd4692bcd3b66679255d74bb200ee9258fb4677b36d1eaa4bd650d84e54d18b8d95a05b34d0484bd9d8a2b6ab36ffffcdb |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\_ssl.pyd
| MD5 | e33bf2bc6c19bf37c3cc8bac6843d886 |
| SHA1 | 6701a61d74f50213b141861cfd169452dde22655 |
| SHA256 | e3532d3f8c5e54371f827b9e6d0fee175ad0b2b17e25c26fdfb4efd5126b7288 |
| SHA512 | 3526bcb97ad34f2e0c6894ee4cd6a945116f8af5c20c5807b9be877eb6ea9f20e571610d30d3e3b7391b23ddcd407912232796794277a3c4545cbcb2c5f8ed6f |
memory/652-48-0x00007FFA87E60000-0x00007FFA87E6F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI38282\_sqlite3.pyd
| MD5 | 5f31f58583d2d1f7cb54db8c777d2b1e |
| SHA1 | 494587d2b9e993f2e5398d1c745732ef950e43b6 |
| SHA256 | fad9ffcd3002cec44c3da9d7d48ce890d6697c0384b4c7dacab032b42a5ac186 |
| SHA512 | 8a4ec67d7ad552e8adea629151665f6832fc77c5d224e0eefe90e3aec62364a7c3d7d379a6d7b91de0f9e48af14f166e3b156b4994afe7879328e0796201c8ea |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\_queue.pyd
| MD5 | 326e66d3cf98d0fa1db2e4c9f1d73e31 |
| SHA1 | 6ace1304d4cb62d107333c3274e6246136ab2305 |
| SHA256 | bf6a8c5872d995edab5918491fa8721e7d1b730f66c8404ee760c1e30cb1f40e |
| SHA512 | d7740693182040d469e93962792b3e706730c2f529ab39f7d9d7adab2e3805bb35d65dc8bb2bd264da9d946f08d9c8a563342d5cb5774d73709ae4c8a3de621c |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\_lzma.pyd
| MD5 | bad668bbf4f0d15429f66865af4c117b |
| SHA1 | 2a85c44d2e6aa09ce6c11f2d548b068c20b7b7f8 |
| SHA256 | 45b1fcdf4f3f97f9881aaa98b00046c4045b897f4095462c0bc4631dbadac486 |
| SHA512 | 798470b87f5a91b9345092593fc40c08ab36f1684eee77654d4058b37b62b40ec0deb4ac36d9be3bb7f69adfdf207bf150820cdbc27f98b0fa718ec394da7c51 |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\_hashlib.pyd
| MD5 | 3a4a3a99a4a4adaf60b9faaf6a3edbda |
| SHA1 | a55ea560accd3b11700e2e2600dc1c6e08341e2f |
| SHA256 | 26eed7aac1c142a83a236c5b35523a0922f14d643f6025dc3886398126dae492 |
| SHA512 | cb7d298e5e55d2bf999160891d6239afdc15ada83cd90a54fda6060c91a4e402909a4623dcaa9a87990f2af84d6eb8a51e919c45060c5e90511cd4aadb1cdb36 |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\select.pyd
| MD5 | 33722c8cd45091d31aef81d8a1b72fa8 |
| SHA1 | e9043d440235d244ff9934e9694c5550cae2d5ab |
| SHA256 | 366fca0b27a34835129086c8cde1e75c309849e37091db4adeda1be508f2ee12 |
| SHA512 | 74217abec2727baaa5138e1b1c4bac7d0ca574cf5a377396fc1ca0d3c07beb8aaa374e8060d2b5f707426312c11e0a34527ee0190e979e996f3b822efa24852f |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\libssl-3.dll
| MD5 | 264be59ff04e5dcd1d020f16aab3c8cb |
| SHA1 | 2d7e186c688b34fdb4c85a3fce0beff39b15d50e |
| SHA256 | 358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d |
| SHA512 | 9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248 |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\libcrypto-3.dll
| MD5 | 7f1b899d2015164ab951d04ebb91e9ac |
| SHA1 | 1223986c8a1cbb57ef1725175986e15018cc9eab |
| SHA256 | 41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986 |
| SHA512 | ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\blank.aes
| MD5 | febe7f583d8a00d10d03b7eeabeb0f89 |
| SHA1 | 0462c069249240aea09799f0b5306b9cecdb11e0 |
| SHA256 | 4cc9dbca92848a67b0d4cb0b7f7a97b7176bc364fc44470700eff40f499a2d6a |
| SHA512 | 46debbd4f755456f23f9cd1b3bf02a67395b02f488b18e863171d5c85218f11fa8960e05974c6956230d924bd722d4173121815b5a654fcf7ffd00e764c8b57b |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\_decimal.pyd
| MD5 | b7012443c9c31ffd3aed70fe89aa82a0 |
| SHA1 | 420511f6515139da1610de088eaaaf39b8aad987 |
| SHA256 | 3b92d5ca6268a5ad0e92e5e403c621c56b17933def9d8c31e69ab520c30930d9 |
| SHA512 | ec422b0bee30fd0675d38888f056c50ca6955788d89c2a6448ddc30539656995627cf548e1b3aa2c4a77f2349b297c466af8942f8133ef4e2dfb706c8c1785e9 |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\_bz2.pyd
| MD5 | 82e4f19c1e53ee3e46913d4df0550af7 |
| SHA1 | 283741406ecf64ab64df1d6d46558edd1abe2b03 |
| SHA256 | 78208da0890aafc68999c94ac52f1d5383ea75364eaf1a006d8b623abe0a6bf0 |
| SHA512 | 3fd8377d5f365499944a336819684e858534c8a23b8b24882f441318ec305e444e09125a0c0aedc10e31dbf94db60b8e796b03b9e36adbad37ab19c7724f36ee |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\unicodedata.pyd
| MD5 | 6dd43e115402d9e1c7cd6f21d47cfcf5 |
| SHA1 | c7fb8f33f25b0b75fc05ef0785622aa4ec09503c |
| SHA256 | 2a00f41bbc3680807042fc258f63519105220053fb2773e7d35480515fad9233 |
| SHA512 | 72e266eb1ce5cbbcfd1d2a6f864538efd80b3ed844e003e2bd9566708fee0919447290a3b559ea27c32794f97a629a8fe8fc879654ffa609fca5c053dac70c69 |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\sqlite3.dll
| MD5 | 68b435a35f9dcbc10b3cd4b30977b0bd |
| SHA1 | 9726ef574ca9bda8ec9ab85a5b97adcdf148a41f |
| SHA256 | 240d6d3efac25af08fe41a60e181f8fdcb6f95da53b3fad54b0f96680e7a8277 |
| SHA512 | 8e133b72bd3776f961258793c2b82d2cd536c7ae0ed0241daa2f67d90a6968f563b72f74a1c33d9bdfb821b796612faa7a73a712369ff3b36d968e57bfcdd793 |
memory/652-54-0x00007FFA80440000-0x00007FFA8046D000-memory.dmp
memory/652-56-0x00007FFA80120000-0x00007FFA8013A000-memory.dmp
memory/652-58-0x00007FFA7FF10000-0x00007FFA7FF34000-memory.dmp
memory/652-60-0x00007FFA7F6D0000-0x00007FFA7F84F000-memory.dmp
memory/652-62-0x00007FFA80C70000-0x00007FFA80C89000-memory.dmp
memory/652-64-0x00007FFA85700000-0x00007FFA8570D000-memory.dmp
memory/652-66-0x00007FFA7FD70000-0x00007FFA7FDA3000-memory.dmp
memory/652-71-0x00007FFA7F950000-0x00007FFA7FA1D000-memory.dmp
memory/652-70-0x00007FFA718C0000-0x00007FFA71F85000-memory.dmp
memory/652-72-0x0000018442960000-0x0000018442E89000-memory.dmp
memory/652-74-0x00007FFA87E70000-0x00007FFA87E95000-memory.dmp
memory/652-73-0x00007FFA71170000-0x00007FFA71699000-memory.dmp
memory/652-76-0x00007FFA80C50000-0x00007FFA80C64000-memory.dmp
memory/652-79-0x00007FFA84140000-0x00007FFA8414D000-memory.dmp
memory/652-78-0x00007FFA80440000-0x00007FFA8046D000-memory.dmp
memory/652-82-0x00007FFA7F5B0000-0x00007FFA7F6CA000-memory.dmp
memory/652-81-0x00007FFA80120000-0x00007FFA8013A000-memory.dmp
memory/4204-84-0x000002C6376C0000-0x000002C6376E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dygebjw5.ybn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/652-103-0x00007FFA7FF10000-0x00007FFA7FF34000-memory.dmp
memory/652-117-0x00007FFA84140000-0x00007FFA8414D000-memory.dmp
memory/652-114-0x00007FFA7F950000-0x00007FFA7FA1D000-memory.dmp
memory/652-128-0x00007FFA7FD70000-0x00007FFA7FDA3000-memory.dmp
memory/652-127-0x00007FFA85700000-0x00007FFA8570D000-memory.dmp
memory/652-126-0x00007FFA80C70000-0x00007FFA80C89000-memory.dmp
memory/652-125-0x00007FFA7F6D0000-0x00007FFA7F84F000-memory.dmp
memory/652-124-0x00007FFA7FF10000-0x00007FFA7FF34000-memory.dmp
memory/652-123-0x00007FFA80120000-0x00007FFA8013A000-memory.dmp
memory/652-122-0x00007FFA80440000-0x00007FFA8046D000-memory.dmp
memory/652-121-0x00007FFA87E60000-0x00007FFA87E6F000-memory.dmp
memory/652-120-0x00007FFA87E70000-0x00007FFA87E95000-memory.dmp
memory/652-119-0x00007FFA71170000-0x00007FFA71699000-memory.dmp
memory/652-118-0x00007FFA7F5B0000-0x00007FFA7F6CA000-memory.dmp
memory/652-116-0x00007FFA80C50000-0x00007FFA80C64000-memory.dmp
memory/652-104-0x00007FFA718C0000-0x00007FFA71F85000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 3eb3833f769dd890afc295b977eab4b4 |
| SHA1 | e857649b037939602c72ad003e5d3698695f436f |
| SHA256 | c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485 |
| SHA512 | c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f0f59cccd39a3694e0e6dfd44d0fa76d |
| SHA1 | fccd7911d463041e1168431df8823e4c4ea387c1 |
| SHA256 | 70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401 |
| SHA512 | 5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee |
C:\Users\Admin\AppData\Local\Temp\_MEI38282\blank.aes
| MD5 | a9a06416d9ef35cdabd07f724e9fc398 |
| SHA1 | ee2154a0f608f9a748f6ed476a05815b02e5d633 |
| SHA256 | 18eebece903d437c60e7515a52e50e98baf7c42ae8a14a958f1edeaa7ac015f0 |
| SHA512 | a45b5bab4e4486f82705109fbb607c906ea51b3b1ece8f5dcf560828dbb2f5b1ef2ad5febb55c5428c81e830b434b0a9e197f0f41f401de512cc91f1511673a7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 00:08
Reported
2024-10-30 00:27
Platform
win10ltsc2021-20241023-en
Max time kernel
594s
Max time network
601s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofers\PermWoofer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3256 wrote to memory of 240 | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofers\PermWoofer.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3256 wrote to memory of 240 | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofers\PermWoofer.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 3256 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofers\PermWoofer.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 3256 wrote to memory of 220 | N/A | C:\Users\Admin\AppData\Local\Temp\Spoofers\PermWoofer.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 220 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 220 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Spoofers\PermWoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Spoofers\PermWoofer.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "ahhaa" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "ahhaa" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| FR | 20.74.19.45:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
| N/A | 192.168.1.28:4782 | N/A | tcp |
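Two things in behavioral2 deserve a concrete check. First, the persistence: PermWoofer.exe drops Client.exe under AppData\Roaming\SubDir and registers a logon task with /rl HIGHEST and /f, and the dropped Client.exe then registers the identical task again. Second, the network table shows 25 TCP connections to 192.168.1.28:4782 with no domain, i.e. a hard-coded address, and 4782 is the Quasar builder's default port; because the address is RFC 1918, this client can only reach its operator from inside that LAN. The script below is an added example (editor's code, not sandbox output) that parses the schtasks command line into its switches and groups the connection rows into beacon candidates. The command line is copied from the Processes list, the network rows are copied from the table above with the 25 identical rows expressed as a multiplier, and the default-port and private-address checks are the editor's.

```python
"""Persistence and C2 triage for the behavioral2 run (PermWoofer.exe -> Client.exe).

Added example (editor's code, not sandbox output). The schtasks command line
and the network rows are copied from the report; the Quasar default-port and
RFC 1918 checks are the editor's additions.
"""
import ipaddress
import re
from collections import Counter

# Copied from the Processes section; created first by PermWoofer.exe, then again by Client.exe.
SCHTASKS_CMD = (r'"schtasks" /create /tn "ahhaa" /sc ONLOGON '
                r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f')

# (country, destination, domain, proto) rows from the Network table, condensed:
# the 25 identical 192.168.1.28:4782 rows on the page are expanded with a multiplier.
NETWORK = [
    ("US", "8.8.8.8:53", "67.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "fd.api.iris.microsoft.com", "udp"),
    ("FR", "20.74.19.45:443", "fd.api.iris.microsoft.com", "tcp"),
] + [("N/A", "192.168.1.28:4782", "N/A", "tcp")] * 25

QUASAR_DEFAULT_PORT = 4782   # default listening port in the Quasar builder

# /switch followed by either a quoted value, an unquoted value, or nothing (bare switch such as /f).
OPT = re.compile(r'/(\w+)(?:\s+(?:"([^"]*)"|([^/\s]\S*)))?')


def parse_schtasks(cmdline: str) -> dict:
    """Map each /switch to its value (None for bare switches)."""
    return {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in OPT.finditer(cmdline)}


def persistence_findings(opts: dict) -> list[str]:
    """Explain why a parsed `schtasks /create` invocation is suspicious."""
    out = []
    if "create" not in opts:
        return out
    target = opts.get("tr") or ""
    if (opts.get("sc") or "").upper() == "ONLOGON":
        out.append("trigger ONLOGON: re-executes at every interactive logon")
    if (opts.get("rl") or "").upper() == "HIGHEST":
        out.append("/rl HIGHEST: runs at the highest integrity level available to the user")
    if re.search(r"\\AppData\\(Roaming|Local)\\", target, re.I):
        out.append("target under the user profile: droppable without admin rights")
    if "f" in opts:
        out.append("/f: silently replaces an existing task of the same name")
    return out


def beacon_candidates(rows, min_connections: int = 5) -> list[dict]:
    """Repeated TCP connections to one endpoint with no domain, i.e. a hard-coded C2 address."""
    counts = Counter(dst for _, dst, domain, proto in rows
                     if proto == "tcp" and domain in ("", "N/A"))
    out = []
    for dst, n in counts.items():
        if n < min_connections:
            continue
        host, port = dst.rsplit(":", 1)
        out.append({
            "dst": dst,
            "connections": n,
            "rfc1918": ipaddress.ip_address(host).is_private,
            "quasar_default_port": int(port) == QUASAR_DEFAULT_PORT,
        })
    return out


if __name__ == "__main__":
    opts = parse_schtasks(SCHTASKS_CMD)
    print("task:", opts.get("tn"), "->", opts.get("tr"))
    for line in persistence_findings(opts):
        print("  ", line)
    for c in beacon_candidates(NETWORK):
        print("beacon candidate:", c)
```

The same task being created twice is consistent with the dropped client re-applying its own persistence on start, which is why removing the task without also removing Client.exe and its parent does not clean the host. For detection, the combination of `/sc ONLOGON`, `/rl HIGHEST` and a target under AppData is a strong signal on its own; the destination port only adds confidence when the operator has left the builder default in place.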
Files
memory/3256-0-0x00007FFBE7BE3000-0x00007FFBE7BE5000-memory.dmp
memory/3256-1-0x0000000000390000-0x00000000006B4000-memory.dmp
memory/3256-2-0x00007FFBE7BE0000-0x00007FFBE86A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | b4ac68d3c6cc89ae97e519b9a7241bba |
| SHA1 | ced8a4dec2238bc5f2b7ca9ef9fdac0a6cd9108f |
| SHA256 | 03bc2c340a1081e1521a5c4b92c38756f4de234ac1b1a578556d83737972e343 |
| SHA512 | 8870741c08574945ea43055e6031394af96290348e4e55d3570f937020c49020fc7d61517d9ab9dd42fc65066ba113cb8a31f2d45cff7f7301f8e865d52aa1d5 |
memory/3256-5-0x00007FFBE7BE0000-0x00007FFBE86A2000-memory.dmp
memory/220-6-0x00007FFBE7BE0000-0x00007FFBE86A2000-memory.dmp
memory/220-7-0x00007FFBE7BE0000-0x00007FFBE86A2000-memory.dmp
memory/220-8-0x000000001E310000-0x000000001E360000-memory.dmp
memory/220-9-0x000000001E420000-0x000000001E4D2000-memory.dmp
memory/220-10-0x00007FFBE7BE0000-0x00007FFBE86A2000-memory.dmp