Analysis Overview
SHA256
91d3d30addc138a7e5792098b38e0d0600e4e81044372306d857ae05002a1e48
Threat Level: Known bad
The file FpsBoosterUpdated.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar family
Quasar RAT
Loads dropped DLL
Executes dropped EXE
Looks up external IP address via web service
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Browser Information Discovery
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 18:00
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 18:00
Reported
2024-11-03 18:03
Platform
win7-20240903-en
Max time kernel
65s
Max time network
153s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\SubDir\FpsBooster.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\SubDir\FpsBooster.exe | C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SubDir\FpsBooster.exe | C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SubDir | C:\Program Files (x86)\SubDir\FpsBooster.exe | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\SubDir\FpsBooster.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe
"C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "FpsBooster" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe" /rl HIGHEST /f
C:\Program Files (x86)\SubDir\FpsBooster.exe
"C:\Program Files (x86)\SubDir\FpsBooster.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "FpsBooster" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\FpsBooster.exe" /rl HIGHEST /f
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef54e9758,0x7fef54e9768,0x7fef54e9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2132 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2136 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1336 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1100 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3620 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1256 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3124 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1016 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2992 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2768 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2376 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3776 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3976 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3956 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2752 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4108 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4092 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3964 --field-trial-handle=1356,i,16579002224646789179,15547315306216881475,131072 /prefetch:8
C:\Users\Admin\Downloads\FpsBoosterUpdated.exe
"C:\Users\Admin\Downloads\FpsBoosterUpdated.exe"
C:\Users\Admin\Downloads\FpsBoosterUpdated.exe
"C:\Users\Admin\Downloads\FpsBoosterUpdated.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 172.217.16.238:443 | apis.google.com | tcp |
| GB | 142.250.200.42:443 | ogads-pa.googleapis.com | tcp |
| GB | 142.250.200.42:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 45.112.123.126:443 | gofile.io | tcp |
| FR | 45.112.123.126:443 | gofile.io | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| N/A | 127.0.0.1:4782 | tcp | |
| US | 8.8.8.8:53 | s.gofile.io | udp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | ad.a-ads.com | udp |
| DE | 148.251.233.147:443 | ad.a-ads.com | tcp |
| US | 8.8.8.8:53 | static.a-ads.com | udp |
| DE | 213.239.209.209:443 | static.a-ads.com | tcp |
| US | 8.8.8.8:53 | store9.gofile.io | udp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp |
Files
memory/2088-0-0x0000000073EFE000-0x0000000073EFF000-memory.dmp
memory/2088-1-0x0000000000FD0000-0x000000000102E000-memory.dmp
memory/2088-2-0x0000000073EF0000-0x00000000745DE000-memory.dmp
\Program Files (x86)\SubDir\FpsBooster.exe
| MD5 | 290b4ade8d6facb2bddad3eb853c1bcf |
| SHA1 | f86966d34bc407090f418192ebbd1bc88346b98e |
| SHA256 | 91d3d30addc138a7e5792098b38e0d0600e4e81044372306d857ae05002a1e48 |
| SHA512 | 5d0ebf9b4d9fb1c88dac4be649e2e0fc88972d89fe5c090e02b0fcf736d26b57371bc6702195c37d2711c661afb685cb4bbf87d2224c2ae333051d6acfa8286b |
memory/1920-9-0x0000000000870000-0x00000000008CE000-memory.dmp
memory/1920-11-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/1920-10-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/2088-12-0x0000000073EF0000-0x00000000745DE000-memory.dmp
\??\pipe\crashpad_2064_FKMVOBOBAZOYKOKM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1920-15-0x0000000073EF0000-0x00000000745DE000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
memory/1920-62-0x0000000073EF0000-0x00000000745DE000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6e724e6d444276747e5760cc41ce6e7e |
| SHA1 | 4059fc06fa71e9169006691e1a6886e2413bea3b |
| SHA256 | e3dc03d47733d5432960126b63d88cfcb99fd23af498b2810fe1851fdd05a166 |
| SHA512 | 7b538955aca396bb2627cf6dd7b15f1b7743f11847c82b2d50edac34779ec9e0f30459a36569a92a288428266b8c77f26e24f15c59249dbe12f19245d1b1dfb7 |
C:\Users\Admin\AppData\Local\Temp\CabAE6A.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 9c773887dfe923d3e6d5df915cebf6cf |
| SHA1 | 747201ea5d78bef355cfd012ee75d64551583c0b |
| SHA256 | 02640f8272652dc757360cd1d387b3597036bf8f0e981bdc3feb9aa6ee2296ae |
| SHA512 | c7997f9a2e523760f27e8d7bc619fdd1c68c8695b8e941eb8ccba8f8ae5450c6000b79eefcd790e4b562337c89c05868a1268cca623dfc247c969fe2b4c49e4e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8aa4392a4bbaba5eb71ed5249bf4a986 |
| SHA1 | 03fad97a294eb34e70dc3dcf3135162692abd3ce |
| SHA256 | 95ef95b9df135632a92cbb6d2f60721c696f325b906de28dea4f76186054bf11 |
| SHA512 | 770681234821449daa1828ec9bd319516891ae625e21795aa32bd5579dc9c3ae32080f3550f931761952dc15c2c4a38de3fe595e9306b540d7424f3f71937f93 |
C:\Users\Admin\Downloads\Unconfirmed 239388.crdownload
| MD5 | 2b0b616f84c6f2eb141b5b896c81fc97 |
| SHA1 | 9e1cf2dee392ff86814660ade6148860c70a7ac2 |
| SHA256 | 3ba3b37382c1150791bf18fab445cb98e2371130097d0b82f5c191237b78e685 |
| SHA512 | 064a7b4808d2b21b7219411a0b436b33f8638f80f6ad500533e17bc407ace53cb85cb83b1ad896a106f0d49b74c9e6dc6f4171e3961405562bae81c740fcf42b |
memory/2460-254-0x0000000001070000-0x00000000010CE000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9401062748ecec621c98ab0464561c3c |
| SHA1 | c89fe2dea54a6517b372f87b2dcdb97e112db969 |
| SHA256 | bafa60c87ccab7ee94367e8d52ea998373255d42487295bc5616e266f799ed08 |
| SHA512 | 519ce6e38b14768cdf8567c69225bfafb068617ee7ed71c098d63502d5217f9b724e6b672096e196bae3dea2ba40af30cd3e46b733c67caeab3703e164f90822 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | ec01415a149f01ac3813edf69817d7e2 |
| SHA1 | bd0e88904992b1de687dd4365a62c33344b5d5b3 |
| SHA256 | 9bcf13df2b3927c07511766c0a44a059660e814cd626cd480e810b408bc28a35 |
| SHA512 | f381d11f18ae79b9004d3301244dbb50f88dbf3c2bbff86e5dbdb18534ab17c1bd0b59c84dc0d5b0cf3a958616803b929dcca655f69314a3b49e3d913028ebec |
memory/3052-276-0x0000000001270000-0x00000000012CE000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 18:00
Reported
2024-11-03 18:04
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
138s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\SubDir\FpsBooster.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\SubDir\FpsBooster.exe | C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SubDir\FpsBooster.exe | C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe | N/A |
| File opened for modification | C:\Program Files (x86)\SubDir | C:\Program Files (x86)\SubDir\FpsBooster.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\SubDir\FpsBooster.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\SubDir\FpsBooster.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe
"C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "FpsBooster" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\FpsBoosterUpdated.exe" /rl HIGHEST /f
C:\Program Files (x86)\SubDir\FpsBooster.exe
"C:\Program Files (x86)\SubDir\FpsBooster.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "FpsBooster" /sc ONLOGON /tr "C:\Program Files (x86)\SubDir\FpsBooster.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| US | 8.8.8.8:53 | 94.12.20.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | tcp | |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp | |
| N/A | 127.0.0.1:4782 | tcp |
Files
memory/4812-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp
memory/4812-1-0x0000000000C00000-0x0000000000C5E000-memory.dmp
memory/4812-2-0x0000000005CB0000-0x0000000006254000-memory.dmp
memory/4812-3-0x0000000005700000-0x0000000005792000-memory.dmp
memory/4812-4-0x0000000074D50000-0x0000000075500000-memory.dmp
memory/4812-5-0x0000000005610000-0x0000000005676000-memory.dmp
memory/4812-6-0x0000000005C70000-0x0000000005C82000-memory.dmp
memory/4812-7-0x0000000006860000-0x000000000689C000-memory.dmp
C:\Program Files (x86)\SubDir\FpsBooster.exe
| MD5 | 290b4ade8d6facb2bddad3eb853c1bcf |
| SHA1 | f86966d34bc407090f418192ebbd1bc88346b98e |
| SHA256 | 91d3d30addc138a7e5792098b38e0d0600e4e81044372306d857ae05002a1e48 |
| SHA512 | 5d0ebf9b4d9fb1c88dac4be649e2e0fc88972d89fe5c090e02b0fcf736d26b57371bc6702195c37d2711c661afb685cb4bbf87d2224c2ae333051d6acfa8286b |
memory/4056-13-0x0000000074D50000-0x0000000075500000-memory.dmp
memory/4812-14-0x0000000074D50000-0x0000000075500000-memory.dmp
memory/4056-15-0x0000000074D50000-0x0000000075500000-memory.dmp
memory/4056-16-0x0000000006420000-0x000000000642A000-memory.dmp
memory/4056-17-0x0000000074D50000-0x0000000075500000-memory.dmp