Analysis Overview
SHA256
92e22f42d2a793656eef26bdcc3804da16f0c9d75e32813200bda77b88327a1a
Threat Level: Known bad
The file 2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar family
Quasar RAT
Executes dropped EXE
Drops startup file
Loads dropped DLL
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-01 01:38
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-01 01:38
Reported
2024-11-01 01:40
Platform
win7-20240708-en
Max time kernel
150s
Max time network
135s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\sign.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mx5.deitie.asia | udp |
| CN | 114.116.244.244:4495 | mx5.deitie.asia | tcp |
| CN | 114.116.244.244:4495 | mx5.deitie.asia | tcp |
| CN | 114.116.244.244:4495 | mx5.deitie.asia | tcp |
| CN | 114.116.244.244:4495 | mx5.deitie.asia | tcp |
| CN | 114.116.244.244:4495 | mx5.deitie.asia | tcp |
| CN | 114.116.244.244:4495 | mx5.deitie.asia | tcp |
| CN | 114.116.244.244:4495 | tcp |
Files
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe
| MD5 | 7498d554976744dfbd271ba755c6c192 |
| SHA1 | ec733d01e776518e387d2f51d1a6559b81f03b1e |
| SHA256 | 44089202623b9671051aa5bba5e72f81f68ce818c3054dde57726aaa6dcb9ff7 |
| SHA512 | d4e987d0e6235001fac4ae3a634e8fe98c6830e26a6a6876fbc36262842688d3ec301cff75003d2af695cdfd357ac50919946695b7d5d3293ebcba97153e1030 |
memory/2624-5-0x000007FEF50B3000-0x000007FEF50B4000-memory.dmp
memory/2624-6-0x0000000001290000-0x00000000015B4000-memory.dmp
memory/2624-7-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp
memory/784-10-0x0000000000250000-0x0000000000251000-memory.dmp
memory/784-9-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2624-16-0x000007FEF50B0000-0x000007FEF5A9C000-memory.dmp
memory/2276-15-0x0000000000FD0000-0x00000000012F4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-01 01:38
Reported
2024-11-01 01:40
Platform
win10v2004-20241007-en
Max time kernel
136s
Max time network
142s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe | C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-01_c7eb615f6cfae5aab2205d79754b008a_icedid_poet-rat_quasar-rat_xrat.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\\sign.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mx5.deitie.asia | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| CN | 114.116.244.244:4495 | mx5.deitie.asia | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| CN | 114.116.244.244:4495 | mx5.deitie.asia | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| CN | 114.116.244.244:4495 | mx5.deitie.asia | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| CN | 114.116.244.244:4495 | mx5.deitie.asia | tcp |
| CN | 114.116.244.244:4495 | mx5.deitie.asia | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| CN | 114.116.244.244:4495 | mx5.deitie.asia | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sign.exe
| MD5 | 7498d554976744dfbd271ba755c6c192 |
| SHA1 | ec733d01e776518e387d2f51d1a6559b81f03b1e |
| SHA256 | 44089202623b9671051aa5bba5e72f81f68ce818c3054dde57726aaa6dcb9ff7 |
| SHA512 | d4e987d0e6235001fac4ae3a634e8fe98c6830e26a6a6876fbc36262842688d3ec301cff75003d2af695cdfd357ac50919946695b7d5d3293ebcba97153e1030 |
memory/1884-4-0x00007FFE3D2D3000-0x00007FFE3D2D5000-memory.dmp
memory/1884-5-0x0000000000E30000-0x0000000001154000-memory.dmp
memory/1884-6-0x00007FFE3D2D0000-0x00007FFE3DD91000-memory.dmp
memory/544-10-0x0000000002740000-0x0000000002741000-memory.dmp
memory/544-9-0x0000000002750000-0x0000000002751000-memory.dmp
memory/1884-15-0x00007FFE3D2D0000-0x00007FFE3DD91000-memory.dmp
memory/4444-16-0x0000000002DB0000-0x0000000002E00000-memory.dmp
memory/4444-17-0x000000001BEC0000-0x000000001BF72000-memory.dmp