Analysis
-
max time kernel
298s -
max time network
298s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
11-12-2024 05:03
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
3c7795d8fefe0d42a3313ebb51a758df
-
SHA1
9b035f6f7382b7b3679587f6f3321453a11c2b96
-
SHA256
447529784d832ce5ae8cb18a8ff2ccb62927dc77f5fdd012c4d889b6e75178ac
-
SHA512
915db2a5e693d99a671dee0f16e3361452bb7fecb496d871c2382c08f245e1a43d8fe3f2c26b949595e9bcefa63b52f9b6aaaf3a9181ff6e8f804ee3eddd1e7f
-
SSDEEP
49152:uvnI22SsaNYfdPBldt698dBcjHjuQ6k2MuYk/GLoGd65THHB72eh2NT:uvI22SsaNYfdPBldt6+dBcjHyQ60q
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.0.112:4782
8878a190-04d1-47d5-8e2a-347d2e7ad6ef
-
encryption_key
E977E81CC751295D2543CD279B3FB4FA6DD002E1
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD53c7795d8fefe0d42a3313ebb51a758df
SHA19b035f6f7382b7b3679587f6f3321453a11c2b96
SHA256447529784d832ce5ae8cb18a8ff2ccb62927dc77f5fdd012c4d889b6e75178ac
SHA512915db2a5e693d99a671dee0f16e3361452bb7fecb496d871c2382c08f245e1a43d8fe3f2c26b949595e9bcefa63b52f9b6aaaf3a9181ff6e8f804ee3eddd1e7f
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB