Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    33s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    03-12-2024 05:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    86bd4496eab8ed85c7806bbe8b4faeff

  • SHA1

    93908110af4954cda171542785bf17c0203077f5

  • SHA256

    a9704b9ec835390fe47e215aa4928bed85698818c5de90ad11e1bc61de12fff1

  • SHA512

    53d49ada84dc2c712805beb18e00b10eb1d730ca9d02dc559b8c0594452eb2ac64af719cb26ec9b8cc4486969078e4640138a5be295f7e968fef2db4c08b1214

  • SSDEEP

    49152:SvJI22SsaNYfdPBldt698dBcjH62RJ6GbR3LoGdOzGTHHB72eh2NT:Svq22SsaNYfdPBldt6+dBcjH62RJ6A

Score
10/10
quasarvictimdiscoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

victim

C2

192.168.0.8:4782

Mutex

b4f8207c-44c4-442b-9a76-0a5ef954b8b8

Attributes
  • encryption_key

    2EF56B2D5415EB3BBA2A2D7B6B83FB157B370CDE

  • install_name

    cilent-bulit.exe

  • log_directory

    Logs

  • reconnect_delay

    100

  • startup_key

    solara

  • subdirectory

    cilent-bulit

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops desktop.ini file(s) 7 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2636
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "solara" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\cilent-bulit\cilent-bulit.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2940
    • C:\Users\Admin\AppData\Roaming\cilent-bulit\cilent-bulit.exe
      "C:\Users\Admin\AppData\Roaming\cilent-bulit\cilent-bulit.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "solara" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\cilent-bulit\cilent-bulit.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2716
  • C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
    1⤵
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Program Files (x86)\Windows Media Player\wmpshare.exe
      "C:\Program Files (x86)\Windows Media Player\wmpshare.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms~RFf77d6df.TMP
    Filesize

    1KB

    MD5

    17806687a7b317daa36014261b1f53f3

    SHA1

    7c6bf450eaabce8aa764995ebdb3430900067ead

    SHA256

    925d939f1c02d87cf3f0755c14f61171b4a7a6c1d05c6ec934695ede9f972190

    SHA512

    898e9e8fc58a3234ba4ec6a29be661475333c20f8512067f343e4f324f2300994eb482c0b1aed0665fc8642a40a3a5ea17e2c73b2fa7d6f77abe70a52f231780

    Download Submit

  • C:\Users\Admin\AppData\Roaming\cilent-bulit\cilent-bulit.exe
    Filesize

    3.1MB

    MD5

    86bd4496eab8ed85c7806bbe8b4faeff

    SHA1

    93908110af4954cda171542785bf17c0203077f5

    SHA256

    a9704b9ec835390fe47e215aa4928bed85698818c5de90ad11e1bc61de12fff1

    SHA512

    53d49ada84dc2c712805beb18e00b10eb1d730ca9d02dc559b8c0594452eb2ac64af719cb26ec9b8cc4486969078e4640138a5be295f7e968fef2db4c08b1214

    Download Submit

  • memory/2636-0-0x000007FEF4EB3000-0x000007FEF4EB4000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2636-1-0x00000000013C0000-0x00000000016E4000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2636-2-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2636-8-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2776-9-0x0000000001040000-0x0000000001364000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2776-10-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2776-11-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2776-12-0x000007FEF4EB0000-0x000007FEF589C000-memory.dmp

    Filesize

    9.9MB

    Download