Overview

overview

10

Static

static

5

E709905AC5...48.exe

windows7-x64

10

E709905AC5...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2024 14:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    E709905AC50A6290AEDA38C57E7F0048.exe

  • Size

    3.6MB

  • MD5

    e709905ac50a6290aeda38c57e7f0048

  • SHA1

    2d8760824802df5548a5e5d10ebec8ebd3851787

  • SHA256

    080ac006965a05b5bf6acab5ac6cb8cb7f5b6035883e723b5f3f845e54d90f4c

  • SHA512

    f55d5dd13ae515bb315d982e65ab1db378119957a8cc028b95b441a967770ebb5555dd61c30f51037d45560dc3091235196ffb191daee1620e5ba42d7cd5e353

  • SSDEEP

    98304:ezdmPt6BByvuntOoqGYm8wBnPyYEKplZiD5zbjL:ezwkjyGZjBnPLxZiD5bL

Score
10/10
quasarplmsodiscoveryspywaretrojanupx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Plmso

C2

110.42.3.134:4782

Mutex

41ace1c3-9f4e-4d35-93fb-096ede244c3e

Attributes
  • encryption_key

    980DB384AAAF5B8591D5B450BFA39547F61611DC

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\E709905AC50A6290AEDA38C57E7F0048.exe
    "C:\Users\Admin\AppData\Local\Temp\E709905AC50A6290AEDA38C57E7F0048.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Users\Admin\AppData\Local\Temp\Temp\MHClient-PLMSO.exe
      "C:\Users\Admin\AppData\Local\Temp\Temp\MHClient-PLMSO.exe"
      2⤵
      • Executes dropped EXE
      PID:2672
    • C:\Users\Admin\AppData\Local\Temp\Temp\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Temp\Client-built.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2832
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2780
      • C:\Windows\system32\SubDir\Client.exe
        "C:\Windows\system32\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2732
        • C:\Windows\system32\schtasks.exe
          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Temp\Client-built.exe
    Filesize

    3.1MB

    MD5

    14cd7678d01abbc0e1015b8e1964e0e7

    SHA1

    c2c49bab56fa40e73cde621beeb03d55ffaff4c3

    SHA256

    d7c718649ad7fa5597fcd0a68061e47443b90cd1aeca057eed5b7d353ebaf6d6

    SHA512

    3279ade847f145564531f571a07a13b46f6366e9beb50eed520054eecf55d71ae10146a4029199654b681e16924e25fe31546901fbcc3222c1f4fcd9fa7db5fc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Temp\MHClient-PLMSO.exe
    Filesize

    7.4MB

    MD5

    2b28610e1506469dbe52a6b47ea29976

    SHA1

    d0fa7a8f0b4a74cddb89b605b953f962e1f652e9

    SHA256

    442722239c667f15c27edfe601350bfde833af2e20e169cba0df8dfd062cec5a

    SHA512

    a1b44293fe271955f11923e5f39ecc945057b03479e3ee4ef824dbc2b48774e23bfff10dbb0cdd3e8ce4e7e4286767ab5bbe355b64d0187a8449982ffd4ab48b

    Download Submit

  • memory/2196-0-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2196-9-0x0000000002C70000-0x00000000033CE000-memory.dmp

    Filesize

    7.4MB

    Download

  • memory/2196-16-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2672-10-0x0000000000400000-0x0000000000B5E000-memory.dmp

    Filesize

    7.4MB

    Download

  • memory/2732-24-0x0000000000CC0000-0x0000000000FE4000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2832-17-0x000007FEF6473000-0x000007FEF6474000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2832-18-0x0000000000D80000-0x00000000010A4000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2832-19-0x000007FEF6470000-0x000007FEF6E5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2832-25-0x000007FEF6470000-0x000007FEF6E5C000-memory.dmp

    Filesize

    9.9MB

    Download