Overview

overview

10

Static

static

10

Client-built.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241023-en
  • resource tags

    arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    16-11-2024 13:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    1bca12f842d32d0cb1411dd70cb37d74

  • SHA1

    ca8dff22c3df385aeb69207dbee621294ce64465

  • SHA256

    a99195bc5021cb62d6946d51f478be9e4e32c40da5be7f706757b36ac9fc2e26

  • SHA512

    0ff6395b2c2c09119304cd28742167a424a867f9efb97ee9f7608c78cb95d3114206bf8aa6a96004817219d08d1b770d7e0a90ce9fd818aed717c660057814ef

  • SSDEEP

    49152:SvQt62XlaSFNWPjljiFa2RoUYIPaXm0mzXsoGdQTHHB72eh2NT:Svc62XlaSFNWPjljiFXRoUYIiXmW

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.30:4782

Mutex

527d6b5a-c716-4500-9e84-5840c7e340a4

Attributes
  • encryption_key

    E54BE336D58046FD53BA6384AD78D66E8B2B987A

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Discord

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3384
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:220

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
    Filesize

    10KB

    MD5

    1301a13a0b62ba61652cdbf2d61f80fa

    SHA1

    1911d1f0d097e8f5275a29e17b0bcef305df1d9e

    SHA256

    7e75ad955706d05f5934810aebbd3b5a7742d5e5766efd9c4fc17ee492b2f716

    SHA512

    66aa4261628bb31ee416af70f4159c02e5bbfbe2f7645e87d70bb35b1f20fa915d62b25d99cd72c59580d1f64e6c6b5ad36ace6600d3bcdb67f45036d768ed8b

    Download Submit

  • memory/956-0-0x00007FFE400D3000-0x00007FFE400D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/956-1-0x0000000000E80000-0x00000000011A4000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/956-2-0x00007FFE400D0000-0x00007FFE40B92000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/956-3-0x000000001CE00000-0x000000001CE50000-memory.dmp

    Filesize

    320KB

    Download

  • memory/956-4-0x000000001CF10000-0x000000001CFC2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/956-12-0x00007FFE400D3000-0x00007FFE400D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/956-13-0x00007FFE400D0000-0x00007FFE40B92000-memory.dmp

    Filesize

    10.8MB

    Download