Overview

overview

10

Static

static

10

Client-built.exe

windows10-ltsc 2021-x64

10

Client-built.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    10-12-2024 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    3da9b1a1a9bc8d62b14a16f61d9b0d79

  • SHA1

    7a83070e35994f8ec7afed51577df75ba1bbfdb0

  • SHA256

    57da36748503ef806ae7bc812dc416dea9d97747dc50749d61fa7f835b85db1e

  • SHA512

    e83e0742c0ec0da2be36ecf81072891ba4e4f22f5f8fb10d73534250db63c8233678c0c0d1980960f4f05997476da1135e0427270c512f7c5f8e848263004a03

  • SSDEEP

    49152:DvnI22SsaNYfdPBldt698dBcjHU9RJ6ibR3LoGdJTHHB72eh2NT:DvI22SsaNYfdPBldt6+dBcjHU9RJ6c

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.0.41:4782

Mutex

68c72d56-7c01-4752-8b16-99645c1898fc

Attributes
  • encryption_key

    6A865538EA2172CEA230F0158FFB3F9E7FC36141

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3360
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1932

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Filesize

    3.1MB

    MD5

    3da9b1a1a9bc8d62b14a16f61d9b0d79

    SHA1

    7a83070e35994f8ec7afed51577df75ba1bbfdb0

    SHA256

    57da36748503ef806ae7bc812dc416dea9d97747dc50749d61fa7f835b85db1e

    SHA512

    e83e0742c0ec0da2be36ecf81072891ba4e4f22f5f8fb10d73534250db63c8233678c0c0d1980960f4f05997476da1135e0427270c512f7c5f8e848263004a03

    Download Submit

  • memory/1932-6-0x00007FFF5E8B0000-0x00007FFF5F372000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1932-7-0x00007FFF5E8B0000-0x00007FFF5F372000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1932-8-0x000000001E430000-0x000000001E480000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1932-9-0x000000001E540000-0x000000001E5F2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1932-10-0x00007FFF5E8B0000-0x00007FFF5F372000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3360-0-0x00007FFF5E8B3000-0x00007FFF5E8B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3360-1-0x00000000006A0000-0x00000000009C4000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/3360-2-0x00007FFF5E8B0000-0x00007FFF5F372000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3360-5-0x00007FFF5E8B0000-0x00007FFF5F372000-memory.dmp

    Filesize

    10.8MB

    Download