Overview

overview

10

Static

static

10

83e48dca55...8N.exe

windows7-x64

10

83e48dca55...8N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 21:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83e48dca5574b8875b8efd202de1841263c97e38ccf8866649e0cf9b3d894378N.exe

  • Size

    349KB

  • MD5

    715f939575713752a183aa75ff78e2b0

  • SHA1

    11ce91d273eb5af1a87ed43af27cb12a971ecdcd

  • SHA256

    83e48dca5574b8875b8efd202de1841263c97e38ccf8866649e0cf9b3d894378

  • SHA512

    b844ffd4d0a220033886ce2096c8c61c44e86441cf811336d1be08c5160315da4cb7a46bebf5188e51e12b386e4f4f184905a18b08e96499eabdb8814f006011

  • SSDEEP

    6144:JK2J10qdSlEc39HGICa7TE3nKoICeeS2bwqHO4baeLV9w0Z:JKFL03nKoICeeSuOSLg0Z

Score
10/10
quasarcotizaciones23discoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Cotizaciones23

C2

192.168.1.198:4782

Mutex

QSR_MUTEX_GWVYbrP9HvYlifSt0V

Attributes
  • encryption_key

    qJrrGgGodx4vKyBDIosm

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    client

  • subdirectory

    cles

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83e48dca5574b8875b8efd202de1841263c97e38ccf8866649e0cf9b3d894378N.exe
    "C:\Users\Admin\AppData\Local\Temp\83e48dca5574b8875b8efd202de1841263c97e38ccf8866649e0cf9b3d894378N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3780
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\83e48dca5574b8875b8efd202de1841263c97e38ccf8866649e0cf9b3d894378N.exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1140
    • C:\Users\Admin\AppData\Roaming\cles\Client.exe
      "C:\Users\Admin\AppData\Roaming\cles\Client.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1424
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "client" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\cles\Client.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4436

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\cles\Client.exe
    Filesize

    349KB

    MD5

    715f939575713752a183aa75ff78e2b0

    SHA1

    11ce91d273eb5af1a87ed43af27cb12a971ecdcd

    SHA256

    83e48dca5574b8875b8efd202de1841263c97e38ccf8866649e0cf9b3d894378

    SHA512

    b844ffd4d0a220033886ce2096c8c61c44e86441cf811336d1be08c5160315da4cb7a46bebf5188e51e12b386e4f4f184905a18b08e96499eabdb8814f006011

    Download Submit

  • memory/1424-19-0x0000000074F70000-0x0000000075720000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1424-18-0x0000000006760000-0x000000000676A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1424-16-0x0000000074F70000-0x0000000075720000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1424-15-0x0000000074F70000-0x0000000075720000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3780-6-0x0000000005F80000-0x0000000005F92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3780-0-0x0000000074F7E000-0x0000000074F7F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3780-7-0x00000000064C0000-0x00000000064FC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3780-5-0x00000000053A0000-0x0000000005406000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3780-14-0x0000000074F70000-0x0000000075720000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3780-4-0x0000000074F70000-0x0000000075720000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3780-3-0x0000000005300000-0x0000000005392000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3780-2-0x00000000058B0000-0x0000000005E54000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3780-1-0x0000000000800000-0x000000000085E000-memory.dmp

    Filesize

    376KB

    Download