Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
31/10/2024, 00:33
General
-
Target
6c05bdd9bfaaab482d1261c53bd31ec000b9c6a401e8a9f40684217d4c3805cd.exe
-
Size
3.1MB
-
MD5
8e2f41a8da48ee3bb6d533d7de12d621
-
SHA1
4b4f1bbfc8e8570668b55f1157791879fc272a6b
-
SHA256
6c05bdd9bfaaab482d1261c53bd31ec000b9c6a401e8a9f40684217d4c3805cd
-
SHA512
fb78fabf6e4b4e52b375f63b687ea6758efa05a7a1b67c2df5c18cdbb9382bb34f768d340cb8386432a8b52fc7893d807409dd4857c3f46cdec54bc5745224d0
-
SSDEEP
49152:CvyI22SsaNYfdPBldt698dBcjHmIxNESEHk/inLoGdxTHHB72eh2NT:Cvf22SsaNYfdPBldt6+dBcjHdxWL
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.1.116:4782
7bcc4347-f38d-44cb-b66e-2a087c7e915f
-
encryption_key
84ADCD6EA0C9BEC44FAF54AEA226EC9015B89296
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Windows Services
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c05bdd9bfaaab482d1261c53bd31ec000b9c6a401e8a9f40684217d4c3805cd.exe"C:\Users\Admin\AppData\Local\Temp\6c05bdd9bfaaab482d1261c53bd31ec000b9c6a401e8a9f40684217d4c3805cd.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows Services" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Windows Services" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD58e2f41a8da48ee3bb6d533d7de12d621
SHA14b4f1bbfc8e8570668b55f1157791879fc272a6b
SHA2566c05bdd9bfaaab482d1261c53bd31ec000b9c6a401e8a9f40684217d4c3805cd
SHA512fb78fabf6e4b4e52b375f63b687ea6758efa05a7a1b67c2df5c18cdbb9382bb34f768d340cb8386432a8b52fc7893d807409dd4857c3f46cdec54bc5745224d0
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB