Analysis

  • max time kernel
    123s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-11-2024 02:10

General

  • Target
    a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
  • Size
    5.8MB
  • MD5
    7f4092487f658020d13296690668d937
  • SHA1
    4c2e7041e90f7f651c3f514f092260fdf38d23e4
  • SHA256
    a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a
  • SHA512
    bf24517138ae37ad6dbb5aec2272b0db9a7aa9c38e8b1928a4e6223c624592bf2fff2ce27e3971329bd829667cfd5722ce1906b55ebb779b421bd8ec3aae749b
  • SSDEEP
    98304:VdAle+Q5MpCOKdEJFZPG+chrvWREYJSqKpwR5agwxo7CH+TY9PcFO3y9jmKn+HBT:bkgMpCOL++KYMqDbSVdRf3y9jKH+U

Malware Config

Extracted

Family
quasar

Version
1.3.0.0

Botnet
XXXNewsgroupdirect

C2


Mutex
HoQcpHAOBoMWu5FCve

Attributes
  • encryption_key
    VJrLu7UGImn19bb9qL6Z
  • install_name
    Client.exe
  • log_directory
    Logs
  • reconnect_delay
    3000
  • startup_key
    Quasar Client Startup
  • subdirectory
    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 9 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
    "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2684
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LmJmpmdSYXRV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F1D.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2600
    • C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
      "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:556
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\4fdaWHcAalH0.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1220
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2792
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1888
        • C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
          "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
          4⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2880
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LmJmpmdSYXRV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B84.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2200
          • C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
            "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:1776
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\GXsKb70bzMh2.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2328
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2468
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3024
              • C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
                "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2136

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\4fdaWHcAalH0.bat
    Filesize
    261B
    MD5
    76b2f2d4907cdec586bb7b53a95161de
    SHA1
    892b2064d0f28f8fe6c76f0254bc1e069316bc5d
    SHA256
    9495c95b1812b5376ba28aef25bd5664affed1bf4599631208f57f2a987b3c49
    SHA512
    ee2542fc2d70ba6bd241052bdb74354d450d18f0cbd69e67f527d583924d66e8e869f55370f9446e7021ebcd6d2aed01edbc83524ba03975dc170dd58c4f399f

  • C:\Users\Admin\AppData\Local\Temp\GXsKb70bzMh2.bat
    Filesize
    261B
    MD5
    c1426c863c0fe15570acb12a58fd9001
    SHA1
    6d4142d13d5315376f55520478db66262e6d0307
    SHA256
    95d317638517c9fb21a5e333ed73a243973dfa3500df1c180262cbbe5c604d90
    SHA512
    fbb28c0f5fbf6b89cfe305087de90a55b31056358b7bea75c59a891e1651934cedf37f40827b6a36cc2473540dc7998ceb6c78a34f177c89a3800968229c0ebc

  • C:\Users\Admin\AppData\Local\Temp\tmp9F1D.tmp
    Filesize
    1KB
    MD5
    49c78333acaa56964d5f8792ad752409
    SHA1
    9c87acac42f34ef96fd304a4080a7d84334023ee
    SHA256
    21a8cfa20a42699ea0aa96cd595aeda014e51585ff0cf287f069fa7c2426c330
    SHA512
    434b869705f4b26309f44a662e803a091f87b0d810eeb2535ffcb0a462e6e77c314dff66d4bcfbab9d817202479062b22b2c36123c78fcf20faa47b20034f7d5
