Analysis

  • max time kernel: 126s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 28-11-2024 02:10

General

  • Target: a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
  • Size: 5.8MB
  • MD5: 7f4092487f658020d13296690668d937
  • SHA1: 4c2e7041e90f7f651c3f514f092260fdf38d23e4
  • SHA256: a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a
  • SHA512: bf24517138ae37ad6dbb5aec2272b0db9a7aa9c38e8b1928a4e6223c624592bf2fff2ce27e3971329bd829667cfd5722ce1906b55ebb779b421bd8ec3aae749b
  • SSDEEP: 98304:VdAle+Q5MpCOKdEJFZPG+chrvWREYJSqKpwR5agwxo7CH+TY9PcFO3y9jmKn+HBT:bkgMpCOL++KYMqDbSVdRf3y9jKH+U

Malware Config

Extracted

  • Family: quasar
  • Version: 1.3.0.0
  • Botnet: XXXNewsgroupdirect
  • C2:


  • Mutex: HoQcpHAOBoMWu5FCve

Attributes

  • encryption_key: VJrLu7UGImn19bb9qL6Z
  • install_name: Client.exe
  • log_directory: Logs
  • reconnect_delay: 3000
  • startup_key: Quasar Client Startup
  • subdirectory: SubDir

Signatures

  • Quasar RAT

    Quasar is an open-source Remote Access Tool.

  • Quasar family
  • Quasar payload (1 IoC)
  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
  • Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
  • Checks BIOS information in registry (2 TTPs, 4 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings (2 TTPs, 4 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry (3 TTPs, 4 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 13 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe (1 TTP, 2 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (46 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
    "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3144
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LmJmpmdSYXRV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp656C.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:536
    • C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
      "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4344
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XzstfXbf8V33.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1528
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1780
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3148
        • C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
          "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
          4⤵
          • Looks for VirtualBox Guest Additions in registry
          • Looks for VMWare Tools registry key
          • Checks BIOS information in registry
          • Checks computer location settings
          • Maps connected drives based on registry
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3744
          • C:\Windows\SysWOW64\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LmJmpmdSYXRV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5049.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:3972
          • C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
            "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
            5⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:444
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eTKYcXpmsjon.bat" "
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1932
              • C:\Windows\SysWOW64\chcp.com
                chcp 65001
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3280
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 10 localhost
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4424
              • C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe
                "C:\Users\Admin\AppData\Local\Temp\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:3340

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a8f8595e1b3174a4cc26bde2e09cbd02319fe2a5588af2143af336a6d091107a.exe.log
    Filesize: 599B
    MD5: 4c035bcf4ab1fbbc9de8a5ed5be5dfb8
    SHA1: 180299ba8c06ed922f515b8cdb2409edd8b432d0
    SHA256: 75b9a0f2298151bbbf388dd94b9f13d5c5ec174891f0c76b07b8cd8bbd1273c1
    SHA512: 0166b2b1b0d79f366d3ae8b9e76b2fff9648c85b3cf883120b23355ca484337cee6e0462e7d8cd52654506ff739f195bff9e1b4d4617b882ec9943dc31abde4d

  • C:\Users\Admin\AppData\Local\Temp\XzstfXbf8V33.bat
    Filesize: 261B
    MD5: 201881ca7efea08d53445112a68fb21c
    SHA1: bf6ffc003e5c09677f04eb19cb3022c04ef281aa
    SHA256: c51eb95f61f17cc46aeaad106597f10eaba5cfc1014c8469f02af2ad260d5bd9
    SHA512: 9255ad146a4861a0c58c621987a587858dacea30ebaa132cff95d23a1a0808b6c4e5ffc89e7df5ddba8ba71101013a24e9b829565efb456d8789188aa01052b5

  • C:\Users\Admin\AppData\Local\Temp\eTKYcXpmsjon.bat
    Filesize: 261B
    MD5: b308428fdc1ab0ebfbba404df11a5293
    SHA1: 1c69cee6f380546d970b24f7ef1cae9c20e75ba6
    SHA256: bc78b8130d983d50d2c95059f02e3d752a921121c86bef15e0cbdfc403ce097e
    SHA512: b31fc5e5b6d081eead73c4303b9922046d62b8fa814e1394894451e2a615cc45721ab1d8f069bbb575f1dab41f84beff1d2cf746f3a82fa98c4d54b7d26ea8a8

  • C:\Users\Admin\AppData\Local\Temp\tmp656C.tmp
    Filesize: 1KB
    MD5: d583b7f47971b29d64cb2d49aa81a870
    SHA1: baf1bc39facf68c09e53ac10033b05030880927e
    SHA256: 2a98f411e2107cfc7f9ab2262699245d7b47cc8562f24f88986b71f41a27894a
    SHA512: 38869f2cea5ef5f88ce4a8ef775100444982ae6a2fc387b36f373e0b8448d04ff58f4bc16bf0c4bbc983bb85783c20a16ce0b6a149e9797012d810e13da940e2

  • memory/3144-5-0x0000000005D10000-0x0000000005D82000-memory.dmp (Filesize: 456KB)
  • memory/3144-2-0x0000000001780000-0x000000000178A000-memory.dmp (Filesize: 40KB)
  • memory/3144-6-0x00000000082A0000-0x000000000833C000-memory.dmp (Filesize: 624KB)
  • memory/3144-7-0x0000000074D5E000-0x0000000074D5F000-memory.dmp (Filesize: 4KB)
  • memory/3144-8-0x0000000074D50000-0x0000000075500000-memory.dmp (Filesize: 7.7MB)
  • memory/3144-9-0x00000000085B0000-0x0000000008616000-memory.dmp (Filesize: 408KB)
  • memory/3144-4-0x0000000074D50000-0x0000000075500000-memory.dmp (Filesize: 7.7MB)
  • memory/3144-15-0x0000000008720000-0x000000000872A000-memory.dmp (Filesize: 40KB)
  • memory/3144-16-0x0000000009450000-0x00000000099F4000-memory.dmp (Filesize: 5.6MB)
  • memory/3144-0-0x0000000074D5E000-0x0000000074D5F000-memory.dmp (Filesize: 4KB)
  • memory/3144-1-0x0000000000850000-0x0000000000E18000-memory.dmp (Filesize: 5.8MB)
  • memory/3144-19-0x0000000074D50000-0x0000000075500000-memory.dmp (Filesize: 7.7MB)
  • memory/3144-3-0x00000000057C0000-0x0000000005852000-memory.dmp (Filesize: 584KB)
  • memory/4344-22-0x0000000074D50000-0x0000000075500000-memory.dmp (Filesize: 7.7MB)
  • memory/4344-23-0x0000000005E20000-0x0000000005E32000-memory.dmp (Filesize: 72KB)
  • memory/4344-24-0x00000000064A0000-0x00000000064DC000-memory.dmp (Filesize: 240KB)
  • memory/4344-28-0x0000000074D50000-0x0000000075500000-memory.dmp (Filesize: 7.7MB)
  • memory/4344-21-0x0000000000BB0000-0x0000000000C0E000-memory.dmp (Filesize: 376KB)
  • memory/4344-20-0x0000000074D50000-0x0000000075500000-memory.dmp (Filesize: 7.7MB)