Analysis Overview
SHA256
b70c5aea64d75fc98a82b3c88cfecc6c2856f2a4987f4c1212c3fcf866ec9c9f
Threat Level: Known bad
The file Fpsunlocker.exe was found to be: Known bad.
Malicious Activity Summary
Quasar payload
Quasar RAT
Quasar family
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 00:40
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 00:40
Reported
2024-11-04 00:43
Platform
win7-20240729-en
Max time kernel
149s
Max time network
138s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fpsunlocker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Fpsunlocker.exe
"C:\Users\Admin\AppData\Local\Temp\Fpsunlocker.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | Inversin-43597.portmap.host | udp |
| DE | 193.161.193.99:43597 | Inversin-43597.portmap.host | tcp |
| DE | 193.161.193.99:43597 | Inversin-43597.portmap.host | tcp |
| DE | 193.161.193.99:43597 | Inversin-43597.portmap.host | tcp |
| DE | 193.161.193.99:43597 | Inversin-43597.portmap.host | tcp |
| DE | 193.161.193.99:43597 | Inversin-43597.portmap.host | tcp |
| DE | 193.161.193.99:43597 | Inversin-43597.portmap.host | tcp |
| DE | 193.161.193.99:43597 | | tcp |
Files
memory/1096-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp
memory/1096-1-0x0000000001340000-0x0000000001664000-memory.dmp
memory/1096-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | bf656c2e5e1e942c41fa918132faa7ab |
| SHA1 | 1c2ddd815378e54db9e21dd2e61d89067c94da4f |
| SHA256 | b70c5aea64d75fc98a82b3c88cfecc6c2856f2a4987f4c1212c3fcf866ec9c9f |
| SHA512 | 54bef34ab722d69f1d3b7f5316f1fbc10fc629bb134f70eecb6a368330b7b73305ef5fa0b9e83c104e6e679ccd1d6e7f5a20caf4f39e6b03d4940b4ed9540b7d |
memory/1984-8-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp
memory/1984-9-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp
memory/1984-7-0x0000000001380000-0x00000000016A4000-memory.dmp
memory/1096-10-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp
memory/1984-11-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 00:40
Reported
2024-11-04 00:44
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Fpsunlocker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1080 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\Fpsunlocker.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1080 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\Fpsunlocker.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1080 wrote to memory of 4320 | N/A | C:\Users\Admin\AppData\Local\Temp\Fpsunlocker.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 1080 wrote to memory of 4320 | N/A | C:\Users\Admin\AppData\Local\Temp\Fpsunlocker.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe |
| PID 4320 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4320 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Fpsunlocker.exe
"C:\Users\Admin\AppData\Local\Temp\Fpsunlocker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Inversin-43597.portmap.host | udp |
| DE | 193.161.193.99:43597 | Inversin-43597.portmap.host | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 193.161.193.99:43597 | Inversin-43597.portmap.host | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 193.161.193.99:43597 | Inversin-43597.portmap.host | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 193.161.193.99:43597 | Inversin-43597.portmap.host | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| DE | 193.161.193.99:43597 | Inversin-43597.portmap.host | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 193.161.193.99:43597 | Inversin-43597.portmap.host | tcp |
Files
memory/1080-0-0x00007FFC53833000-0x00007FFC53835000-memory.dmp
memory/1080-1-0x0000000000670000-0x0000000000994000-memory.dmp
memory/1080-2-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
| MD5 | bf656c2e5e1e942c41fa918132faa7ab |
| SHA1 | 1c2ddd815378e54db9e21dd2e61d89067c94da4f |
| SHA256 | b70c5aea64d75fc98a82b3c88cfecc6c2856f2a4987f4c1212c3fcf866ec9c9f |
| SHA512 | 54bef34ab722d69f1d3b7f5316f1fbc10fc629bb134f70eecb6a368330b7b73305ef5fa0b9e83c104e6e679ccd1d6e7f5a20caf4f39e6b03d4940b4ed9540b7d |
memory/4320-9-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp
memory/1080-8-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp
memory/4320-10-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp
memory/4320-11-0x000000001C5F0000-0x000000001C640000-memory.dmp
memory/4320-12-0x000000001C700000-0x000000001C7B2000-memory.dmp
memory/4320-13-0x00007FFC53830000-0x00007FFC542F1000-memory.dmp