Analysis
-
max time kernel
316s -
max time network
317s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
11-12-2024 01:38
Errors
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
b08447d3d65d6378339c7a9836c53b32
-
SHA1
6b15e2cfa3080b825aa0c9e84649d9ba1bcbfc7c
-
SHA256
d52810d59dcc0f3c448941207cd1c62ebcf7c096613db2422179e2a0d1e6f6d8
-
SHA512
a1a49c87c99d5ea0b506d43e855e4abd32d77108636d1d488e8acef0aa24c74e8352f7a034f12e7f32b09674be8d7a88af245905533123bc7f363f9a99db2f09
-
SSDEEP
49152:bvylL26AaNeWgPhlmVqvMQ7XSKsCm1JTLoGdiTHHB72eh2NT:bvqL26AaNeWgPhlmVqkQ7XSKsC2
Malware Config
Extracted
quasar
1.4.1
tutorial
FartGaming-22249.portmap.host:22249
4d1902df-e7f6-4600-8451-58c97c590990
-
encryption_key
4806609BA25461872268CE64CAE8C71D1E7E632F
-
install_name
TmpSpoofer.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Temp HWID Spoofer
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 1 IoCs
-
Drops file in Windows directory 64 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies data under HKEY_USERS 15 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 19 IoCs
-
Suspicious use of FindShellTrayWindow 50 IoCs
-
Suspicious use of SendNotifyMessage 46 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Temp HWID Spoofer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\TmpSpoofer.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\TmpSpoofer.exe"C:\Users\Admin\AppData\Roaming\SubDir\TmpSpoofer.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Temp HWID Spoofer" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\TmpSpoofer.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\UnlockCheckpoint.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\StepNew.mpa"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\RegisterConfirm.mp3"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\SystemSettingsAdminFlows.exe"C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3943855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
110KB
MD564b1d4d6bee9bbd1ace10ee71061c9d3
SHA15c8b91fcfa15a879e20e4780dcdcaefc908ee113
SHA256eb1ff14340a02c1acf48041c57250c9d50e81f63793aec1d3caa576844e91e00
SHA512959e4d7fe61062c97c239225e539569848fb6bc16f3e8233854b0b28fe79937cb7499ef02ea717e67d3b249cc4c36b42bd008aa780da4bcff3571f8f5f680fc9
-
Filesize
749B
MD513bf958a6bd3cfdf95d9fdc3d126a94c
SHA194fe39be1b1caa600d5f0a858850d33c9eb2a229
SHA256d5e42b77cacfae520b80850c4a7fd0dd615708182df816ffd8bbadd61eafe814
SHA512249f1598b9ce4748d0a96ed88526a3d4c8cf774325d19f2472eb373362b1895f20f985b6e9d99b76bd3622d0f05c987da1d28288b3a0917603e10fad2bdaa310
-
Filesize
3.1MB
MD5b08447d3d65d6378339c7a9836c53b32
SHA16b15e2cfa3080b825aa0c9e84649d9ba1bcbfc7c
SHA256d52810d59dcc0f3c448941207cd1c62ebcf7c096613db2422179e2a0d1e6f6d8
SHA512a1a49c87c99d5ea0b506d43e855e4abd32d77108636d1d488e8acef0aa24c74e8352f7a034f12e7f32b09674be8d7a88af245905533123bc7f363f9a99db2f09
-
Filesize
304B
MD5781602441469750c3219c8c38b515ed4
SHA1e885acd1cbd0b897ebcedbb145bef1c330f80595
SHA25681970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d
SHA5122b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461
-
Filesize
629B
MD579a285a17e6fc3c1ead84fbb9d45c88a
SHA1bcf0752f36b5b51da646edbad17a1f541bf8c4b9
SHA2562855d80d0f11f8a067e934c9977164b2fdd334b789c51ccde5df69414b2cd70a
SHA512502c290dd1d0797986536b3d623e42f47b476ded05bf83139e0d3fe568f3396c6abbac2ba0176e888e973e534c2c5884097e2e14213f5562a4a2a712ffb6a463
-
Filesize
75B
MD560cb281925f8be96dbc6e0a82da14f71
SHA11ee372ab2873c625cf96f53e4e458e86f22d14ed
SHA2565dcef88469818dca6e5be4d100a1e85039c07e148cb54766918da1046908a2fa
SHA512a2c43f8c8421f56612fb2c9519f3092782b640fc7750a729dea49161690c0c1ee28ee97a6c190b4f726fdb276b6212a2ec67a9b84c31601401dd7f96e1a3cee3
-
Filesize
529B
MD54e0b224f8a79d928c0555dad46ff56c3
SHA114ba199edefea9869e460ecf4de89233ea32071f
SHA25641fb15ffcaf96ae01ff3950dcd0d5329a3be6b96fc23244b410e0abedf406466
SHA5129de685fe37d810b85a0569efdf8b90ae94134ffa6fa991f1cf6dd95f4f30ef0e82dc70a6731c68d02b7de6f3f2df112a9d0f23b8ac5658659332f9a4a5dc2c8f
-
Filesize
18B
MD5edc866c37059e3fc9f6d24fac2f59314
SHA1971dfeb8be96caac0767cfa4306faa19c158da1b
SHA2561a70f3e90a4f9ac73a01f1aed8bdd8da96174532ae0bf2bada4652a5c86a74ef
SHA512706dcf745fc74df6f266d4e61f8b058932645be25da98c0b127f5a42a891fed53ea6ffe0621441e02f3e1e846570923954359e03ef8d8c9a444329b4db6b5dd5
-
Filesize
94KB
MD57b37c4f352a44c8246bf685258f75045
SHA1817dacb245334f10de0297e69c98b4c9470f083e
SHA256ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e
SHA5121e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02
-
Filesize
7KB
MD5766ad647f61930099ff6681f2be9cecf
SHA1ffa385e185a8a5193560571cbb4c4f7b3de2c712
SHA256cdad48a4ab8a07989263d64314069c3e7aa3e5cde5f739ad0ae3bef82cbe7f8e
SHA512bae9288365942b7a922345186c42d06fb38500949520b561dec45016a513ac90b3df1f4b98f22e7f9cc0435316cce7f51441dea9a0976fc207fa2de574de1437
-
Filesize
106B
MD5786fa08ac8d8716f85adc32992010a32
SHA1bd53c3728c269dd1e3555c77e622eb98d97468c4
SHA256a96348fb74268c4c397ecb3fa93908f6400f5232554169aafe4ee08ea6abd1a6
SHA5129ced7859bb4a2eb3c28b6957ec952ef6dee2c8193e03e9c0e9619205bf3bca2c67344e9e4b0d54657076e33c0425de0133cd7291d49be076b4c1b5d68feb8ca0
-
Filesize
43B
MD59b0540c4fedc6d6b624cb0a52314eaf1
SHA1d168e4c1cae564ba902c956590f666460455d345
SHA25648347bb510b5abbb5863dc6d7aca4f1d4fa9093be17229b9dd5a67f814a13db9
SHA512c0e520145f73cf57658b1c1da79ecf66f003abd1b0edd3c37aa107367fa8e71e586a413d02d9b647e5485683156655961f027bc99b9956a511edfd7787903def
-
Filesize
66KB
MD53c08dea20e350ea34f7309e856576428
SHA1d7a048ccc07b4d16afc4d778d5601a067fb151b9
SHA256b7bbc3f2463000f52eadcce2e262512dc79bbbb3355c62c734f18db57e0fba82
SHA5121c1cdd554cbf98dcb7358808cfa2682bd09a596e24a3708ab73e379e5f8ae7dc394b8e88824589327e2f67487ca19dacba9e3288993e2e92463dc32aaef67f9d
-
Filesize
9KB
MD54f157b5055b21ae34028756156c332f4
SHA1d9c1427ea79fcfb6187b32f206ff796c539e6f67
SHA25635d66d80352ea77ddab275e0656bb5870bed7b7d60db2e6dc6d7626f63eceb7d
SHA5125afd347c51f1176b9d2b7e98d2748e14a1c52751c1734e5b2c753a45c9b1e0f032aa0f4277cdb02712e29cf47b4d01a95d3677e854d936391f82ea13c362d71b
-
Filesize
13KB
MD545600d6186bc6fea48067c4cc027acf8
SHA1495caea41e87eda5c619daedbf37b6315b503ee4
SHA256ee8791a84c488520143851d650ff6472cc9a9cc0728da92f70c0cb2ef14985f0
SHA51298df46c3a86e53a008f7d840a289544c9338acb4e4513ac5b21dabadddf0384c7c5cef8cfb64bc7ee62e59cd2f9b70e19cb32e06846103f18dd50e5393ef8208
-
Filesize
1KB
MD5449670bb59d68ec2194dcce450a00dd8
SHA188e9800753dfa3720c9a2e6405cc61d2073f2e9e
SHA2564ee84be94629f73ef356cec34b34a7a7d87b1e3212dd7beb55602964b9c095c7
SHA512a242253d02159dc0696735f6171107eeda3fc728f5b903f7d9ebc7e4c439f254b122521ebbf79f54c878b6ae2cb075df4bb825c0e6550b0eb10c8561682c3bc2
-
Filesize
2.7MB
-
Filesize
16.7MB
-
Filesize
208KB
-
Filesize
992KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
5.2MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
3.1MB
-
Filesize
8KB
-
Filesize
2.0MB
-
Filesize
1.1MB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
260KB
-
Filesize
108KB
-
Filesize
92KB
-
Filesize
96KB
-
Filesize
2.7MB
-
Filesize
208KB
-
Filesize
68KB
-
Filesize
96KB
-
Filesize
68KB
-
Filesize
2.7MB
-
Filesize
992KB
-
Filesize
208KB
-
Filesize
192KB
-
Filesize
412KB
-
Filesize
496KB
-
Filesize
68KB
-
Filesize
1.5MB
-
Filesize
1.1MB
-
Filesize
92KB
-
Filesize
68KB
-
Filesize
132KB
-
Filesize
68KB
-
Filesize
992KB