Analysis
-
max time kernel
33s -
max time network
45s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241023-en -
resource tags
-
submitted
04-11-2024 05:07
General
-
Target
Roblox exploit 2024.7z
-
Size
922KB
-
MD5
b83419ff541c2f78be5921c4c150aa2f
-
SHA1
2b0a73d56cf4af03d0b1eb51d7e2092f320972f0
-
SHA256
0fa8e2b1073b28e1941150d9ff1651b4dfce15cb1a0ccdcd33d5caca3af20db0
-
SHA512
d9faa15debc5bcae1d391f8cf6f713f2bf8996c64ca4b05f1bddb5f47a7c3980dbc5b784d4791f3a41739b8443fce6a224bcb7ee3654761698f02918b7c5f6a8
-
SSDEEP
24576:uc92iZi0TVp6x0W7GjN59lfzlPRdAeqoeTy4x3kNp6k:um2iZnV8x0W+Npko0ny1
Malware Config
Extracted
quasar
1.4.1
Office04
Inversin-43597.portmap.host:43597
80329fd2-f063-4b06-9c7e-8dbc6278c2a3
-
encryption_key
744EA1A385FEBC6DA96387411B7000D77E66B075
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
java updater
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Roblox exploit 2024.7z"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Desktop\Client-built.exe"C:\Users\Admin\Desktop\Client-built.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5f5b93af3ee1b64dacd2bac9ba4af9b27
SHA11f2a038199a71a2b917dca4dff2f5fac5e840978
SHA25648d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01
SHA51283703b0f567723abe3d6b34bd419be5df3475e049ae8893993fec017da9a420cd875184c570bdffbfc0bccac662762991885dea8ebcc2af172b3aac2fb00a302
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
72KB
-
Filesize
240KB