Malware Analysis Report

2025-01-18 04:07

Sample ID 241104-hk3ctaxapn
Target Roblox exploit 2024.7z
SHA256 0fa8e2b1073b28e1941150d9ff1651b4dfce15cb1a0ccdcd33d5caca3af20db0
Tags
quasar office04 credential_access discovery spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0fa8e2b1073b28e1941150d9ff1651b4dfce15cb1a0ccdcd33d5caca3af20db0

Threat Level: Known bad

The file Roblox exploit 2024.7z was found to be: Known bad.

Malicious Activity Summary

quasar office04 credential_access discovery spyware stealer trojan

Quasar payload

Quasar family

Quasar RAT

Credentials from Password Stores: Windows Credential Manager

Executes dropped EXE

Reads user/profile data of web browsers

Drops file in Program Files directory

Enumerates physical storage devices

Browser Information Discovery

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 06:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 06:48

Reported

2024-11-04 06:50

Platform

win10ltsc2021-20241023-en

Max time kernel

85s

Max time network

83s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Roblox exploit 2024.7z"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A
N/A          N/A        N/A      N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Executes dropped EXE

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\Desktop\Client-built.exe           N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  N/A

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description                   Indicator                                                  Process                                           Target
File opened for modification  C:\Program Files (x86)\Common Files\Oracle\Java\javapath\  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution

Description  Indicator  Process                           Target
N/A          N/A        C:\Windows\SYSTEM32\schtasks.exe  N/A
N/A          N/A        C:\Windows\SYSTEM32\schtasks.exe  N/A

Suspicious behavior: GetForegroundWindowSpam

Description  Indicator  Process                          Target
N/A          N/A        C:\Program Files\7-Zip\7zFM.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description                     Indicator  Process                                           Target
Token: SeRestorePrivilege       N/A        C:\Program Files\7-Zip\7zFM.exe                   N/A
Token: 35                       N/A        C:\Program Files\7-Zip\7zFM.exe                   N/A
Token: SeSecurityPrivilege      N/A        C:\Program Files\7-Zip\7zFM.exe                   N/A
Token: SeDebugPrivilege         N/A        C:\Users\Admin\Desktop\Client-built.exe           N/A
Token: SeDebugPrivilege         N/A        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  N/A
Token: SeManageVolumePrivilege  N/A        C:\Windows\System32\svchost.exe                   N/A

Suspicious use of SendNotifyMessage

Description  Indicator  Process                                           Target
N/A          N/A        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  N/A
N/A          N/A        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe  N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Roblox exploit 2024.7z"

C:\Users\Admin\Desktop\Client-built.exe

"C:\Users\Admin\Desktop\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy

Network

Country  Destination           Domain                        Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53            154.239.44.20.in-addr.arpa    udp
US       8.8.8.8:53            88.210.23.2.in-addr.arpa      udp
US       8.8.8.8:53            2.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53            checkappexec.microsoft.com    udp
GB       51.140.244.186:443    checkappexec.microsoft.com    tcp
US       8.8.8.8:53            186.244.140.51.in-addr.arpa   udp
US       8.8.8.8:53            203.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53            Inversin-43597.portmap.host   udp
DE       193.161.193.99:43597  Inversin-43597.portmap.host   tcp
US       8.8.8.8:53            209.205.72.20.in-addr.arpa    udp
US       8.8.8.8:53            ipwho.is                      udp
DE       195.201.57.90:443     ipwho.is                      tcp
US       8.8.8.8:53            99.193.161.193.in-addr.arpa   udp
US       8.8.8.8:53            90.57.201.195.in-addr.arpa    udp
US       8.8.8.8:53            241.42.69.40.in-addr.arpa     udp
US       8.8.8.8:53            53.210.109.20.in-addr.arpa    udp
US       8.8.8.8:53            212.20.149.52.in-addr.arpa    udp
US       8.8.8.8:53            73.209.201.84.in-addr.arpa    udp

Files

C:\Users\Admin\Desktop\Client-built.exe

MD5 f5b93af3ee1b64dacd2bac9ba4af9b27
SHA1 1f2a038199a71a2b917dca4dff2f5fac5e840978
SHA256 48d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01
SHA512 83703b0f567723abe3d6b34bd419be5df3475e049ae8893993fec017da9a420cd875184c570bdffbfc0bccac662762991885dea8ebcc2af172b3aac2fb00a302

memory/5032-4-0x00007FFB2BE83000-0x00007FFB2BE85000-memory.dmp

memory/5032-5-0x0000000000B40000-0x0000000000E64000-memory.dmp

memory/5032-6-0x00007FFB2BE80000-0x00007FFB2C942000-memory.dmp

memory/5032-9-0x00007FFB2BE80000-0x00007FFB2C942000-memory.dmp

memory/4656-10-0x000000001C6E0000-0x000000001C730000-memory.dmp

memory/4656-11-0x000000001C7F0000-0x000000001C8A2000-memory.dmp

memory/4656-14-0x000000001C730000-0x000000001C742000-memory.dmp

memory/4656-15-0x000000001C790000-0x000000001C7CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client-built.exe.log

MD5 b08c36ce99a5ed11891ef6fc6d8647e9
SHA1 db95af417857221948eb1882e60f98ab2914bf1d
SHA256 cc9248a177495f45ec70b86c34fc5746c56730af36ace98ac7eb365dbafda674
SHA512 07e62581eace395b0a9699d727761648103180c21155d84ea09140f9e1c9690705c419118545aa67a564334bbde32710225fe3aa92b0b4b4210cb91f0058b1ea

memory/1380-18-0x000001CD73E40000-0x000001CD73E50000-memory.dmp

memory/1380-34-0x000001CD73F40000-0x000001CD73F50000-memory.dmp

memory/1380-53-0x000001CD7C140000-0x000001CD7C141000-memory.dmp

memory/1380-55-0x000001CD7C280000-0x000001CD7C281000-memory.dmp

memory/1380-58-0x000001CD7C290000-0x000001CD7C291000-memory.dmp

memory/1380-57-0x000001CD7C280000-0x000001CD7C281000-memory.dmp

memory/1380-59-0x000001CD7C290000-0x000001CD7C291000-memory.dmp

memory/1380-60-0x000001CD7C290000-0x000001CD7C291000-memory.dmp

memory/1380-61-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-62-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-63-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-64-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-65-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-66-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-67-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-70-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-73-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-71-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-74-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-72-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-69-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-68-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-75-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-77-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-76-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-78-0x000001CD7C2B0000-0x000001CD7C2B1000-memory.dmp

memory/1380-79-0x000001CD7C2C0000-0x000001CD7C2C1000-memory.dmp

memory/1380-81-0x000001CD7C3D0000-0x000001CD7C3D1000-memory.dmp

memory/1380-80-0x000001CD7C2C0000-0x000001CD7C2C1000-memory.dmp

memory/1380-83-0x000001CD7C320000-0x000001CD7C321000-memory.dmp

memory/1380-82-0x000001CD7C320000-0x000001CD7C321000-memory.dmp