Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-11-2024 15:45

General

  • Target

    no virus.exe

  • Size

    3.1MB

  • MD5

    9facfa150b35a5985f9507eb0b68f29f

  • SHA1

    366084ec72c2dca7434de64aecece402f3d49e06

  • SHA256

    2ed2177995cad18218b61c46c64ba0575dc54e87c7385ea9bb70d9ca44f18a73

  • SHA512

    e52bdcda29737634a853ccf08d41d927d82ae51299aa235b62ab868bf93c4f6b5f2cdd1400f68d3bf3a5d1d7131732569ddedb33f5d5ed0e7bf67833c01a53a9

  • SSDEEP

    49152:XvQlL26AaNeWgPhlmVqvMQ7XSKD+RJ6ebR3LoGd41THHB72eh2NT:Xv4L26AaNeWgPhlmVqkQ7XSKD+RJ6Y

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

255.255.255.0:4782

192.168.56.1:4782

Mutex

5d8ed293-df10-4841-a52b-8692fbf47f38

Attributes
  • encryption_key

    11B8D109A02D98C9240E47185440CD1BFD88612D

  • install_name

    monkey.exe

  • log_directory

    Logs

  • reconnect_delay

    2882

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\no virus.exe
    "C:\Users\Admin\AppData\Local\Temp\no virus.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Users\Admin\AppData\Roaming\SubDir\monkey.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\monkey.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\monkey.exe

    Filesize

    3.1MB

    MD5

    9facfa150b35a5985f9507eb0b68f29f

    SHA1

    366084ec72c2dca7434de64aecece402f3d49e06

    SHA256

    2ed2177995cad18218b61c46c64ba0575dc54e87c7385ea9bb70d9ca44f18a73

    SHA512

    e52bdcda29737634a853ccf08d41d927d82ae51299aa235b62ab868bf93c4f6b5f2cdd1400f68d3bf3a5d1d7131732569ddedb33f5d5ed0e7bf67833c01a53a9

  • memory/2232-0-0x000007FEF5E23000-0x000007FEF5E24000-memory.dmp

    Filesize

    4KB

  • memory/2232-1-0x0000000000C90000-0x0000000000FB4000-memory.dmp

    Filesize

    3.1MB

  • memory/2232-2-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

    Filesize

    9.9MB

  • memory/2232-7-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

    Filesize

    9.9MB

  • memory/2724-8-0x0000000001190000-0x00000000014B4000-memory.dmp

    Filesize

    3.1MB

  • memory/2724-9-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

    Filesize

    9.9MB

  • memory/2724-10-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

    Filesize

    9.9MB

  • memory/2724-11-0x000007FEF5E20000-0x000007FEF680C000-memory.dmp

    Filesize

    9.9MB