Overview

Static analysis: score 10/10.

Behavioral tasks (score out of 10, sample, platform):
  10  CMMON32.exe           windows7-x64
   7  Client-built.exe      windows7-x64
  10  CraxsRatV7.6.exe      windows7-x64
   3  FivemCheat.exe        windows7-x64
  10  QuantumBuilder.exe    windows7-x64
  10  R2Tf11dq2.exe         windows7-x64
  10  System.exe            windows7-x64
  10  kinginamoV2.exe       windows7-x64
  10  robloxfisc...st.exe   windows7-x64
  10  robloxlist.exe        windows7-x64
Analysis (score 10/10)

  max time kernel:   30s
  max time network:  23s
  platform:          windows7_x64
  resource:          win7-20241010-en
  resource tags:     arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted:         26/11/2024, 07:45
Behavioral tasks

  Task         Sample                      Resource
  behavioral1  CMMON32.exe                 win7-20240903-en
  behavioral2  Client-built.exe            win7-20240903-en
  behavioral3  CraxsRatV7.6.exe            win7-20240903-en
  behavioral4  FivemCheat.exe              win7-20240903-en
  behavioral5  QuantumBuilder.exe          win7-20241010-en
  behavioral6  R2Tf11dq2.exe               win7-20240903-en
  behavioral7  System.exe                  win7-20240903-en
  behavioral8  kinginamoV2.exe             win7-20240903-en
  behavioral9  robloxfischscriptlist.exe   win7-20241010-en

The sections that follow are the report for behavioral9.
General

  Target:  robloxfischscriptlist.exe
  Size:    348KB
  MD5:     548fa12c57a2af723d85d90a4a8a6611
  SHA1:    b149e2c987cf1c584b94bb752bd81b27cde7f83b
  SHA256:  a591429743ce96a0c4b8d7e86130c3a61505cde949e9996b15117f6ab85a2b85
  SHA512:  3dc814d8ea98219444800ddffb6ff885fca45b8e305022156ea1620a09c5667a53d115225e4ef60448121797a4f383891cfd61b8bdc2bad61cc42828d0d7a217
  SSDEEP:  6144:MmNHXf500MbsOnxaxfROEUbDgosLDqvJq9v7IHPnW:Td50iOnvEViJq9TIvnW
Malware Config

Extracted: quasar 1.3.0.0, Clint

  C2:               192.168.178.29:4780
  mutex:            QSR_MUTEX_02VEKG7zCDubNpN0wF
  encryption_key:   Bdex5bWk923mG5O2SXnn
  install_name:     robloxfisch.exe
  log_directory:    Log
  reconnect_delay:  3000 (ms)
  startup_key:      Quasar Client Startup
  subdirectory:     SubDir

Two things worth noting about this configuration. The C2 address 192.168.178.29 is an RFC 1918 private address, so this build can only reach its controller from inside that local network. The install_name, subdirectory and startup_key values predict exactly the host artifacts observed in the process tree: the dropped file C:\Users\Admin\AppData\Roaming\SubDir\robloxfisch.exe and a scheduled task named "Quasar Client Startup".
Signatures

Quasar family

Quasar payload (3 IoCs)
  resource                                                                     yara_rule
  behavioral9/memory/2856-1-0x0000000000860000-0x00000000008BE000-memory.dmp   family_quasar
  behavioral9/files/0x001500000001756e-4.dat                                   family_quasar
  behavioral9/memory/2964-9-0x0000000001210000-0x000000000126E000-memory.dmp   family_quasar
  The rule matches in the memory of the submitted binary (PID 2856), in the memory of the dropped executable (PID 2964), and on the dropped file itself.

Executes dropped EXE (1 IoC)
  pid   Process
  2964  robloxfisch.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2856  robloxfischscriptlist.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  2     ip-api.com

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  Process (one read each): robloxfischscriptlist.exe, schtasks.exe, robloxfisch.exe, schtasks.exe
  Caveat: the built-in schtasks.exe reads this key as well, so on its own the key read is weak evidence; it only carries weight next to the Quasar indicators above.

Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid   Process
  2684  schtasks.exe
  2748  schtasks.exe
  Both are `schtasks /create` calls registering a task named "Quasar Client Startup" (the startup_key from the extracted config) with an ONLOGON trigger and /rl HIGHEST; the full command lines are in the process tree below.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2856  robloxfischscriptlist.exe
  Token: SeDebugPrivilege  2964  robloxfisch.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  2964  robloxfisch.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Each parent-to-child write was logged four times; the unique pairs are:
  description                        pid   Process                    procid_target  count
  PID 2856 wrote to memory of 2684   2856  robloxfischscriptlist.exe  31             4
  PID 2856 wrote to memory of 2964   2856  robloxfischscriptlist.exe  33             4
  PID 2964 wrote to memory of 2748   2964  robloxfisch.exe            34             4
  Caveat: every pair here is a parent writing into a child it has just created, which is what process creation itself looks like in an API trace. These entries corroborate the process tree; they are not evidence of injection into a foreign process.
Processes

C:\Users\Admin\AppData\Local\Temp\robloxfischscriptlist.exe  (PID 2856)
  command line: "C:\Users\Admin\AppData\Local\Temp\robloxfischscriptlist.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\schtasks.exe  (PID 2684)
  |     command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\robloxfischscriptlist.exe" /rl HIGHEST /f
  |     - System Location Discovery: System Language Discovery
  |     - Scheduled Task/Job: Scheduled Task
  |
  +-- C:\Users\Admin\AppData\Roaming\SubDir\robloxfisch.exe  (PID 2964)
        command line: "C:\Users\Admin\AppData\Roaming\SubDir\robloxfisch.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        |
        +-- C:\Windows\SysWOW64\schtasks.exe  (PID 2748)
              command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\robloxfisch.exe" /rl HIGHEST /f
              - System Location Discovery: System Language Discovery
              - Scheduled Task/Job: Scheduled Task
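The two schtasks invocations in the tree above are the persistence step that the "Scheduled Task/Job" signature fires on, and their task name and target path are exactly what the startup_key, subdirectory and install_name fields of the extracted config predict. The following is an added example, not tria.ge's or Quasar's code: a detection that parses process-creation events for `schtasks /create`, scores each one on its trigger, run level, target path and parent process, and checks whether it matches the artifacts the config predicts. The four Quasar events are constructed from the report's process tree (PIDs, images and command lines as shown); the top-level parent PID 1000, the cmd.exe/"Nightly Backup" events used as a benign control, and the %APPDATA% install root (the page shows no `directory` field) are assumptions.

```python
# Added example (not tria.ge's or Quasar's code): score `schtasks /create`
# process-creation events the way the report's process tree shows them.
# Constructed input: the four Quasar events copy the report's PIDs, images and
# command lines; parent PID 1000 and the cmd.exe/backup events are assumptions
# added as a benign control.
import re
import shlex
from dataclasses import dataclass

# Directories an unprivileged user can write to.
USER_WRITABLE = re.compile(
    r"\\(AppData|ProgramData|Users\\[^\\]+\\(Downloads|Desktop|Documents))\\", re.IGNORECASE)

# Values from the report's "Malware Config" section (install root %APPDATA% is assumed).
QUASAR_CONFIG = {"startup_key": "Quasar Client Startup",
                 "subdirectory": "SubDir", "install_name": "robloxfisch.exe"}


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


EVENTS = [
    ProcEvent(2856, 1000, r"C:\Users\Admin\AppData\Local\Temp\robloxfischscriptlist.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\robloxfischscriptlist.exe"'),
    ProcEvent(2684, 2856, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
              r'/tr "C:\Users\Admin\AppData\Local\Temp\robloxfischscriptlist.exe" /rl HIGHEST /f'),
    ProcEvent(2964, 2856, r"C:\Users\Admin\AppData\Roaming\SubDir\robloxfisch.exe",
              r'"C:\Users\Admin\AppData\Roaming\SubDir\robloxfisch.exe"'),
    ProcEvent(2748, 2964, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
              r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\robloxfisch.exe" /rl HIGHEST /f'),
    ProcEvent(3100, 1000, r"C:\Windows\System32\cmd.exe", r'"cmd.exe"'),  # constructed control
    ProcEvent(3104, 3100, r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "Nightly Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\run.exe"'),
]


def parse_schtasks(cmdline):
    """Return {switch: value} for a schtasks command line, None for anything else.
    posix=False keeps backslashes literal; the quotes it retains are stripped."""
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True  # bare switch such as /create or /f
        i += 1
    return opts


def find_task_persistence(events, config=QUASAR_CONFIG):
    """One finding per suspicious `schtasks /create`, with the reasons and whether
    the task name and target match what the extracted config predicts."""
    by_pid = {e.pid: e for e in events}
    install_suffix = ("\\%s\\%s" % (config["subdirectory"], config["install_name"])).lower()
    findings = []
    for e in events:
        opts = parse_schtasks(e.cmdline)
        if not opts or "create" not in opts:
            continue
        target, parent, reasons = str(opts.get("tr", "")), by_pid.get(e.ppid), []
        if str(opts.get("sc", "")).upper() in ("ONLOGON", "ONSTART"):
            reasons.append("runs at logon/boot")
        if str(opts.get("rl", "")).upper() == "HIGHEST":
            reasons.append("requests highest run level")
        if USER_WRITABLE.search(target):
            reasons.append("target binary in a user-writable directory")
        if parent and USER_WRITABLE.search(parent.image):
            reasons.append("created by a process in a user-writable directory")
        if reasons:
            findings.append({"pid": e.pid, "ppid": e.ppid, "task": opts.get("tn"),
                             "target": target, "reasons": reasons,
                             "matches_config": opts.get("tn") == config["startup_key"]
                             and target.lower().endswith(install_suffix)})
    return findings


def render_tree(events):
    """Indented parent->child tree; roots are events whose parent is not in the set."""
    by_pid, children, lines = {e.pid: e for e in events}, {}, []
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    def walk(ppid, depth):
        for e in children.get(ppid, []):
            lines.append("  " * depth + "%s (PID %d)" % (e.image.rsplit("\\", 1)[-1], e.pid))
            walk(e.pid, depth + 1)

    for root in sorted({e.ppid for e in events if e.ppid not in by_pid}):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)), *find_task_persistence(EVENTS), sep="\n")
```

Run stand-alone, the script prints the reconstructed tree (the same shape as the report's) followed by two findings, PIDs 2684 and 2748, each with all four reasons; only the second one carries `matches_config: True`, because the first task still points at the Temp copy rather than the SubDir install path. The benign "Nightly Backup" task scores zero reasons and is not reported. The same parser works on the command lines in Sysmon event ID 1 or Windows Security event 4688 logs.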
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize:  348KB
  MD5:       548fa12c57a2af723d85d90a4a8a6611
  SHA1:      b149e2c987cf1c584b94bb752bd81b27cde7f83b
  SHA256:    a591429743ce96a0c4b8d7e86130c3a61505cde949e9996b15117f6ab85a2b85
  SHA512:    3dc814d8ea98219444800ddffb6ff885fca45b8e305022156ea1620a09c5667a53d115225e4ef60448121797a4f383891cfd61b8bdc2bad61cc42828d0d7a217

These hashes are identical to those of the submitted target, so the downloadable file is a byte-for-byte copy of the analysed sample.