Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 16:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    2364bd709ace33ac4144257da2a03282

  • SHA1

    ba2272a8f9417f422ac77d84e41a55a2ad77f980

  • SHA256

    af896d89bd5371a4236a7993a11484ddb5890bea7da569f61519dbe963216a88

  • SHA512

    41cd1b224a9efb2ac3abc12a55963bbf1a7bef36d27c3ec0177cd71d72684eb725120e772500685f448ad32d940f602d5f91ba1cdab0463c154ad64029f42e23

  • SSDEEP

    49152:yvKt62XlaSFNWPjljiFa2RoUYIFxOEMklk/JxxoGdzTHHB72eh2NT:yvi62XlaSFNWPjljiFXRoUYIFx8L

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

0.tcp.us-cal-1.ngrok.io:19421

Mutex

77c9d407-6130-4e2f-8d22-c4eda6d22b1f

Attributes
  • encryption_key

    210D68A7233E9455E4EEC5A5388A8DF203518D0F

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    1500

  • startup_key

    wwwwwww

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1120

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\SubDir\Client.exe
    Filesize

    3.1MB

    MD5

    2364bd709ace33ac4144257da2a03282

    SHA1

    ba2272a8f9417f422ac77d84e41a55a2ad77f980

    SHA256

    af896d89bd5371a4236a7993a11484ddb5890bea7da569f61519dbe963216a88

    SHA512

    41cd1b224a9efb2ac3abc12a55963bbf1a7bef36d27c3ec0177cd71d72684eb725120e772500685f448ad32d940f602d5f91ba1cdab0463c154ad64029f42e23

    Download Submit

  • memory/1120-10-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1120-11-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1120-12-0x0000000002630000-0x0000000002680000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1120-13-0x000000001B550000-0x000000001B602000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1120-14-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1120-15-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2304-0-0x00007FF9184C3000-0x00007FF9184C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2304-1-0x0000000000200000-0x0000000000524000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2304-2-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2304-9-0x00007FF9184C0000-0x00007FF918F81000-memory.dmp

    Filesize

    10.8MB

    Download