Analysis
-
max time kernel
149s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
08-12-2024 10:23
General
-
Target
Installer.exe
-
Size
3.1MB
-
MD5
2a7c50b498cf2eee0087b6de22b4418e
-
SHA1
6b4bece2654caa22ef1971ee741a8171dddb235f
-
SHA256
0b77aec2b160e1f0923ff76418957b6c8fd5a7fde0b05a646ea7f490d38952fa
-
SHA512
75c6c5557cc64afef8d2ac00b2e5311150db7eb116f18d938bcf7f9eaaeb7eb6d9f8154c65e37aa491ff2da93ae0b2fc1fcc9603008c894a6985908750a6f279
-
SSDEEP
49152:yvyI22SsaNYfdPBldt698dBcjHUhO9Z22pjk/ZLoGd9THHB72eh2NT:yvf22SsaNYfdPBldt6+dBcjHsO9k
Malware Config
Extracted
quasar
1.4.1
Office04
169.254.206.74:4782
b8cc8406-b5a4-4490-93df-e418a88c060c
-
encryption_key
3D90BE0A223C8097DFDC3ED53A2C96D99F6FCD41
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD52a7c50b498cf2eee0087b6de22b4418e
SHA16b4bece2654caa22ef1971ee741a8171dddb235f
SHA2560b77aec2b160e1f0923ff76418957b6c8fd5a7fde0b05a646ea7f490d38952fa
SHA51275c6c5557cc64afef8d2ac00b2e5311150db7eb116f18d938bcf7f9eaaeb7eb6d9f8154c65e37aa491ff2da93ae0b2fc1fcc9603008c894a6985908750a6f279
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB