Analysis
-
max time kernel
126s -
max time network
136s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
21-11-2024 14:46
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
5c90e91232e7e16804a5e2512f56ef0f
-
SHA1
0f5533f772a53f8a96710a1812d05c5db276d999
-
SHA256
e4a7526ba0307eafbdf3d9ce7c5fb335fb76989a480f05de0f928d47808d5595
-
SHA512
a96fe2661c18d59a6f84bfeae75eeae0db847b559808cd1f2a2485d3c651cea547a18af1435a5c3f855f31cec7b114ced112ad27b0f7f99abc751a090ff1ebc0
-
SSDEEP
49152:Svkt62XlaSFNWPjljiFa2RoUYIk7waT5p+Vk/3LoGdjTHHB72eh2NT:Sv462XlaSFNWPjljiFXRoUYIzaD
Malware Config
Extracted
quasar
1.4.1
Office04
10.0.2.15:4782
d850957b-64bd-497d-9f9a-3ee4894ffc1e
-
encryption_key
8F0072332E1ACC25777BCA859650B335CCE8B039
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Discord
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD55c90e91232e7e16804a5e2512f56ef0f
SHA10f5533f772a53f8a96710a1812d05c5db276d999
SHA256e4a7526ba0307eafbdf3d9ce7c5fb335fb76989a480f05de0f928d47808d5595
SHA512a96fe2661c18d59a6f84bfeae75eeae0db847b559808cd1f2a2485d3c651cea547a18af1435a5c3f855f31cec7b114ced112ad27b0f7f99abc751a090ff1ebc0
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB