Analysis

  • max time kernel
    155s
  • max time network
    162s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    04/11/2024, 06:37

Errors

Reason
Machine shutdown: the run ended early because the dropped Client.exe (PID 2628) launched shutdown.exe /s /t 0 (PID 764); see the process tree below.

General

  • Target

    Facebook breaker.zip

  • Size

    1.2MB

  • MD5

    60baabf5f07b439be78195450dacff3a

  • SHA1

    4c21ad0c866035b9cd720c904c07d6d5a9f47a8c

  • SHA256

    8f379aea1158c492af7bd6361b1b0c8e5b4d2c73062968eb3231da123c4160df

  • SHA512

    bf4d9b38a0575b7fe0200e3145cabd934abf3abd7192f32080c248b847787de724bae8f02ca6df207f75d4557270f8487e87bcc6100016ac27c5bfa61e498fe1

  • SSDEEP

    24576:sPhAekqOX+cSocIXNgg3DZ0dgBBFegQHfmrcFebKpDH8pZJfXm5gQEd:0h+qOOc+IXPDZnFeQrcUKpDcXm5kd

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Víctima

C2

crismulticuenta-30512.portmap.host:30512

Mutex

d7480f6f-e85f-4b68-8813-8279e2e6cb96

Attributes
  • encryption_key

    8497DDBEB7064872EF356A0D1A58DE488578E1E0

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Updater

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (8 IoCs)
  • Reads WinSCP keys stored on the system (2 TTPs)

    Tries to access WinSCP stored sessions.

  • Reads user/profile data of web browsers (3 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Drops file in Windows directory (1 IoC)
  • Browser Information Discovery (1 TTP)

    Enumerates browser information.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies data under HKEY_USERS (17 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)

    schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (32 IoCs)
  • Suspicious use of FindShellTrayWindow (29 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Facebook breaker.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4860
  • C:\Users\Admin\Desktop\Facebook breaker.exe
    "C:\Users\Admin\Desktop\Facebook breaker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4252
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2564
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3548
  • C:\Users\Admin\Desktop\Facebook breaker.exe
    "C:\Users\Admin\Desktop\Facebook breaker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1900
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4368
      • C:\Windows\System32\shutdown.exe
        "C:\Windows\System32\shutdown.exe" /s /t 0
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:764
  • C:\Users\Admin\Desktop\Facebook breaker.exe
    "C:\Users\Admin\Desktop\Facebook breaker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2168
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1656
  • C:\Users\Admin\Desktop\Facebook breaker.exe
    "C:\Users\Admin\Desktop\Facebook breaker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1780
  • C:\Users\Admin\Desktop\Facebook breaker.exe
    "C:\Users\Admin\Desktop\Facebook breaker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4872
  • C:\Users\Admin\Desktop\Facebook breaker.exe
    "C:\Users\Admin\Desktop\Facebook breaker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:820
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    1⤵
    • Drops file in Windows directory
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3340
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffba6bdcc40,0x7ffba6bdcc4c,0x7ffba6bdcc58
      2⤵
        PID:3756
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2172,i,3667152671784699315,3465472261759846875,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2168 /prefetch:2
        2⤵
          PID:2568
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1880,i,3667152671784699315,3465472261759846875,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2204 /prefetch:3
          2⤵
            PID:1628
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2148,i,3667152671784699315,3465472261759846875,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=644 /prefetch:8
            2⤵
              PID:4920
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,3667152671784699315,3465472261759846875,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3164 /prefetch:1
              2⤵
                PID:3548
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,3667152671784699315,3465472261759846875,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3328 /prefetch:1
                2⤵
                  PID:636
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,3667152671784699315,3465472261759846875,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4592 /prefetch:1
                  2⤵
                    PID:3300
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4524,i,3667152671784699315,3465472261759846875,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4540 /prefetch:8
                    2⤵
                      PID:2124
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4520,i,3667152671784699315,3465472261759846875,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4820 /prefetch:8
                      2⤵
                        PID:1260
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4872,i,3667152671784699315,3465472261759846875,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4884 /prefetch:8
                        2⤵
                          PID:4596
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,3667152671784699315,3465472261759846875,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5044 /prefetch:8
                          2⤵
                            PID:5076
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    PID:456
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
    1⤵
    PID:1964
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a2c055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2204
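The persistence step in the tree above is the same schtasks command issued three times (PIDs 2564, 1900, 4368): a task named after the config's startup_key, triggered ONLOGON, run at HIGHEST, pointing at %APPDATA%\SubDir\Client.exe (subdirectory + install_name from the config). The following is an added example, not code from this report or from the Quasar project: a small detector that parses schtasks /create command lines and scores them, tying a hit back to the extracted config. The first sample line is the report's own; the other three are constructed look-alikes, and all function and indicator names are this example's.

```python
"""Flag Quasar-style scheduled-task persistence from process command lines.

Added example; not code from the sandbox report or the Quasar project.
QUASAR_CONFIG values are the ones extracted in this report's Malware Config.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Values as extracted in the report's "Malware Config" section.
QUASAR_CONFIG = {
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Windows Updater",
}

# Constructed sample input. Line 1 is the schtasks command the report shows
# three times (PIDs 2564, 1900, 4368); lines 2-4 are constructed look-alikes.
SAMPLE_CMDLINES = [
    '"schtasks" /create /tn "Windows Updater" /sc ONLOGON '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe" /rl HIGHEST /f',
    '"schtasks" /create /tn "GoogleUpdateTaskMachineUA" /sc DAILY '
    '/tr "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe /ua" /rl LIMITED',
    '"schtasks" /query /tn "Windows Updater"',
    'schtasks /create /tn "Sync Notes" /sc ONLOGON '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\Notes\\sync.exe"',
]

USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
TRUSTED_ROOT = re.compile(r"^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
SYSTEM_LOOKALIKE = re.compile(r"windows|microsoft|update|defender|security", re.I)


def tokenize(cmdline: str) -> list[str]:
    """Windows-style split: a double-quoted run is one token, quotes dropped."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str | bool] | None:
    """Map /switch -> value (True for bare switches); None if not schtasks."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = tokens[0].lower().rsplit("\\", 1)[-1]
    if image not in ("schtasks", "schtasks.exe"):
        return None
    args: dict[str, str | bool] = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            takes_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            args[tok[1:].lower()] = tokens[i + 1] if takes_value else True
            i += 2 if takes_value else 1
        else:
            i += 1
    return args


@dataclass
class Finding:
    cmdline: str
    task_name: str
    target: str
    indicators: list[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if "matches_quasar_config" in self.indicators:
            return "quasar"
        if len(self.indicators) >= 3:
            return "suspicious"
        return "weak" if self.indicators else "benign"


def assess(cmdline: str, config: dict[str, str] = QUASAR_CONFIG) -> Finding | None:
    """Score one schtasks /create command line; None for anything else."""
    args = parse_schtasks(cmdline)
    if not args or "create" not in args:
        return None
    task_name = str(args.get("tn", ""))
    target = str(args.get("tr", ""))
    f = Finding(cmdline, task_name, target)
    if USER_WRITABLE.search(target):
        f.indicators.append("user_writable_target")   # binary lives where the user can write
    if str(args.get("sc", "")).upper() == "ONLOGON":
        f.indicators.append("logon_trigger")          # re-runs at every logon
    if str(args.get("rl", "")).upper() == "HIGHEST":
        f.indicators.append("highest_runlevel")       # asks for the token's highest integrity
    if args.get("f") is True:
        f.indicators.append("force_overwrite")        # silently replaces an existing task
    if SYSTEM_LOOKALIKE.search(task_name) and not TRUSTED_ROOT.match(target):
        f.indicators.append("system_lookalike_name")  # OS-sounding name, non-OS binary
    expected = f"\\{config['subdirectory']}\\{config['install_name']}".lower()
    if target.lower().endswith(expected) and task_name == config["startup_key"]:
        f.indicators.append("matches_quasar_config")  # subdirectory\install_name + startup_key
    return f


def triage(cmdlines: list[str]) -> list[tuple[str, str]]:
    """(task name, verdict) for every task-creation line in the input."""
    out = []
    for line in cmdlines:
        f = assess(line)
        if f is not None:
            out.append((f.task_name, f.verdict))
    return out


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_CMDLINES):
        print(f"{verdict:10} {name}")
```

Run against the four samples, the report's line scores "quasar" (all six indicators fire), the Google updater line is benign despite its "Update" name because the target sits under Program Files, the /query line is ignored, and the constructed "Sync Notes" line is only "weak" (user-writable target plus logon trigger) and would need the other signals before it is worth paging anyone. The same parser works on Sysmon event 1 or 4688 command lines; the tokenizer deliberately does not use shlex, whose POSIX mode eats Windows backslashes.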

Network

MITRE ATT&CK Enterprise v15

Downloads

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

                              Filesize

                              649B

                              MD5

                              78b14f1d03e306406dac559613b7a399

                              SHA1

                              2522c8078bdc4260c1fe03e1c8c976074a8859dc

                              SHA256

                              6e0ab85ee2ef41d213bf057f13b3e843409756bc5e61c4868124f340bb752f48

                              SHA512

                              4131c5a22018bf50fb71d6bdcdc2e40349ef935acd1d2b4ce98193978f131ba02d143ddb2e2888707148ca1149fcf9a1ac68944f831f2f04aa8b283d57dd0825

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

                              Filesize

                              2B

                              MD5

                              d751713988987e9331980363e24189ce

                              SHA1

                              97d170e1550eee4afc0af065b78cda302a97674c

                              SHA256

                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                              SHA512

                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                              Filesize

                              9KB

                              MD5

                              dc974b788c9c01503c57d6fbd5e497a6

                              SHA1

                              b3445bcab8799eaf98da30ddb28a7bef98ba6d7f

                              SHA256

                              1108be7f1c5fb41f8b881cb516335657bbccea1cb3ddfb06e3300f9dcd154409

                              SHA512

                              a6c0616af36046b7a56ae44229cfdb936d9cc0a84af561d51816ba8ba0307fc351dd7fb11cb183ccb7155382fa4376e85aca170530548ca7308fdf5e4d1624b7

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

                              Filesize

                              15KB

                              MD5

                              5f3a716b5f60327df03f30036db1d812

                              SHA1

                              6621b364f072fec0e6e32c9c16587c7253aef7f7

                              SHA256

                              99739f485bc1291660f356ea9b2a9cf18ee42d77b0381ed8c944918663829a43

                              SHA512

                              4d35c040e9272dc3c3a13d95ff067762b67060c87c08762034805cf2f7b19e7a1819c67f4ce2f5d5883a4507c33ae59b9641cabf60f0940b5696504a87133ae8

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

                              Filesize

                              231KB

                              MD5

                              c70f9c75e0f2556321a1d9d4a1567948

                              SHA1

                              9cc865e3d062031d2e1ce321e458c96f1c9058e8

                              SHA256

                              31de151a3a2daa6b7e01b99dcd7d5fbda9d82435010895eda033d3ca79d9b20f

                              SHA512

                              202e79d3868fd13d0e7ab6bf93110ae0f1d5e5fed0a771d3be05c7470ca3a026340c0520a1dec6c4173df2261931b70707cd61fd62f58d9a3857912fd0c17f28

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Facebook breaker.exe.log

                              Filesize

                              1KB

                              MD5

                              b08c36ce99a5ed11891ef6fc6d8647e9

                              SHA1

                              db95af417857221948eb1882e60f98ab2914bf1d

                              SHA256

                              cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674

                              SHA512

                              07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

                            • C:\Users\Admin\Desktop\Facebook breaker.exe

                              Filesize

                              3.1MB

                              MD5

                              54015452b4c7ca1af1e48c57d8169ae8

                              SHA1

                              31fd25eb9d5142f0cd3c281ce0617c9843ee6088

                              SHA256

                              d65476ae21d3f06713febd1ec371f89832248bee5d8fd0717f515df2d4aad2bb

                              SHA512

                              6ad3294c6eb7b12ca3538b85835ca36c9bf523b474db26268900ccee866e32067e2b2b2a872b4360c457b759de562572503c7f9ffdbb4ee836994154ec01ff55

                            • memory/2628-18-0x000000001BA10000-0x000000001BA60000-memory.dmp

                              Filesize

                              320KB

                            • memory/2628-19-0x000000001CF40000-0x000000001CFF2000-memory.dmp

                              Filesize

                              712KB

                            • memory/2628-22-0x000000001CEA0000-0x000000001CEB2000-memory.dmp

                              Filesize

                              72KB

                            • memory/2628-23-0x000000001CF00000-0x000000001CF3C000-memory.dmp

                              Filesize

                              240KB

                            • memory/4252-14-0x00007FFB8E2D0000-0x00007FFB8ED92000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/4252-9-0x00007FFB8E2D0000-0x00007FFB8ED92000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/4252-5-0x0000000000820000-0x0000000000B46000-memory.dmp

                              Filesize

                              3.1MB

                            • memory/4252-4-0x00007FFB8E2D3000-0x00007FFB8E2D5000-memory.dmp

                              Filesize

                              8KB

                            • memory/4644-11-0x00007FFB8E2D0000-0x00007FFB8ED92000-memory.dmp

                              Filesize

                              10.8MB

                            • memory/4644-7-0x00007FFB8E2D0000-0x00007FFB8ED92000-memory.dmp

                              Filesize

                              10.8MB
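Most of the file artifacts listed above are sandbox environment churn rather than attacker output: the Chrome profile files come from the browser the sandbox opened, the 2-byte "SCT Auditing Pending Reports" file hashes to the literal bytes "[]", and the CLR_v4.0\UsageLogs entry is the log the .NET runtime writes when a managed executable of that name runs (Quasar is a C# RAT, so this is consistent with the family verdict). The only artifact worth blocking on hash is the dropped "Facebook breaker.exe". The following is an added example, not code from this report: a triage helper over four entries copied from the Downloads section that separates payload from noise and derives the .NET evidence. Class, function and label names are this example's own.

```python
"""Separate the dropped payload from sandbox noise in a file-artifact list.

Added example; not code from the sandbox report. ARTIFACTS are entries copied
from this report's Downloads section, sizes as printed there.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    path: str
    size: str
    md5: str
    sha256: str


ARTIFACTS = [
    Artifact(r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState",
             "649B", "78b14f1d03e306406dac559613b7a399",
             "6e0ab85ee2ef41d213bf057f13b3e843409756bc5e61c4868124f340bb752f48"),
    Artifact(r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports",
             "2B", "d751713988987e9331980363e24189ce",
             "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945"),
    Artifact(r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Facebook breaker.exe.log",
             "1KB", "b08c36ce99a5ed11891ef6fc6d8647e9",
             "cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674"),
    Artifact(r"C:\Users\Admin\Desktop\Facebook breaker.exe",
             "3.1MB", "54015452b4c7ca1af1e48c57d8169ae8",
             "d65476ae21d3f06713febd1ec371f89832248bee5d8fd0717f515df2d4aad2bb"),
]

# Tiny contents whose hashes recur in every sandbox run; hash them once and
# match by digest so a "2B dropped file" is recognised without opening it.
KNOWN_CONTENT = {b"": "empty file", b"[]": "empty JSON array", b"{}": "empty JSON object"}
KNOWN_BY_SHA256 = {hashlib.sha256(data).hexdigest(): label for data, label in KNOWN_CONTENT.items()}

# Path fragments the sandbox environment itself churns (browser profile and
# the .NET runtime's per-executable usage log).
ENVIRONMENT_MARKERS = (
    r"\AppData\Local\Google\Chrome\User Data",
    r"\AppData\Local\Microsoft\CLR_v4.0\UsageLogs",
)


def classify(a: Artifact) -> str:
    """noise / environment / payload / review, cheapest check first."""
    if a.sha256 in KNOWN_BY_SHA256:
        return "noise: " + KNOWN_BY_SHA256[a.sha256]
    lowered = a.path.lower()
    if any(m.lower() in lowered for m in ENVIRONMENT_MARKERS):
        return "environment"
    if lowered.endswith((".exe", ".dll", ".scr")):
        return "payload"
    return "review"


def blocklist(artifacts: list) -> list:
    """SHA-256s worth pushing to a blocklist: only the dropped executables."""
    return sorted(a.sha256 for a in artifacts if classify(a) == "payload")


def net_exe_evidence(artifacts: list) -> list:
    """Executable names for which a CLR_v4.0 usage log exists, i.e. that ran as .NET."""
    names = []
    for a in artifacts:
        lowered = a.path.lower()
        if "\\clr_v4.0\\usagelogs\\" in lowered and lowered.endswith(".log"):
            names.append(a.path.rsplit("\\", 1)[-1][:-len(".log")])
    return names


if __name__ == "__main__":
    for a in ARTIFACTS:
        print(f"{classify(a):26} {a.size:>6}  {a.path}")
    print("block:", blocklist(ARTIFACTS))
    print(".NET executables seen:", net_exe_evidence(ARTIFACTS))
```

The digest lookup is the point: d751713988987e9331980363e24189ce / 4f53cda1... is the MD5 / SHA-256 of "[]", which is why that file is 2 bytes, and precomputing the digests of a handful of such constants removes a whole class of false "dropped file" hits before anyone reads a hash.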