Analysis

  • max time kernel
    96s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/12/2024, 07:23 UTC

General

  • Target

    Client-built.exe

  • Size

    348KB

  • MD5

    e8ecdeb99f70e49718a4fc9986f86df3

  • SHA1

    4f50bde0200a60dfe74a957a4f927e5648e2e78f

  • SHA256

    d0030ab6b4ed701eca6cad94f123517f564edb6a17ca33cbe6415cea10ac1401

  • SHA512

    f04bbab81c20eb22315914d20fa3d34761e0821592189b12c8821b311a3056f9c767bfc57eb41403c55a5eeb0cef50575686c1766ccfb164c5bb1892637c37ba

  • SSDEEP

    6144:SRNHXf500Mr7ULWRbNlPyDg+Rve9cc6i0pzci:Kd50xUxs+RWGcdOzci

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Test

C2

5.tcp.eu.ngrok.io:13432

5.tcp.eu.ngrok.io:8080

Mutex

QSR_MUTEX_zDi3X3iiANcUc0nFPZ

Attributes
  • encryption_key

    10b0G4xQi1VrldATZzJ7

  • install_name

    win.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Windows Runtime

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:432
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Windows Runtime" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Client-built.exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2944
    • C:\Windows\SysWOW64\SubDir\win.exe
      "C:\Windows\SysWOW64\SubDir\win.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2360
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "Windows Runtime" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\win.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3408
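The extracted config maps directly onto the two schtasks command lines in the process tree: startup_key is the task name "Windows Runtime", and subdirectory plus install_name give the tail of the dropped path SubDir\win.exe. The first task (PID 2944) points at the original dropper in the user's Temp directory; the dropped copy (byte-identical to Client-built.exe, per the hashes in the Downloads section) then re-creates the same task with /f so that it points at C:\Windows\SysWOW64\SubDir\win.exe instead. As an added example, not sandbox output and not Quasar code, the Python below parses `schtasks /create` command lines from process-creation telemetry and scores them against that config. The event records, the list of user-writable directories, the set of value-less schtasks switches and the benign control task are constructed assumptions for the demo.

```python
"""Score `schtasks /create` command lines against an extracted Quasar config.

Added example: the config values are quoted from the report, the command
lines for PIDs 2944 and 3408 are copied from the process tree, and the rest
(event schema, directory list, benign control task) is constructed."""
import re
from typing import Optional

# Fields from the report's extracted Quasar config.
QUASAR_CONFIG = {
    "install_name": "win.exe",
    "subdirectory": "SubDir",
    "startup_key": "Windows Runtime",
}

# (pid, command line): two records from the report plus one constructed benign task.
SAMPLE_EVENTS = [
    (2944, '"schtasks" /create /tn "Windows Runtime" /sc ONLOGON '
           '/tr "C:\\Users\\Admin\\AppData\\Local\\Temp\\Client-built.exe" /rl HIGHEST /f'),
    (3408, '"schtasks" /create /tn "Windows Runtime" /sc ONLOGON '
           '/tr "C:\\Windows\\SysWOW64\\SubDir\\win.exe" /rl HIGHEST /f'),
    (5100, '"schtasks" /create /tn "Nightly Backup" /sc DAILY /st 02:00 '
           '/tr "C:\\Program Files\\Backup\\backup.exe"'),
]

# Heuristic (assumption): directories an unprivileged user can write to.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\downloads\\", "\\programdata\\")

# Assumption: schtasks switches that never take a value.
FLAG_SWITCHES = {"/create", "/delete", "/query", "/change", "/run", "/end",
                 "/f", "/it", "/np", "/z", "/v1"}


def tokenize(cmdline: str) -> list:
    """Split a Windows command line, honouring double-quoted arguments."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return {switch: value} for a `schtasks /create` command line, else None."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].lower()
    if not (exe == "schtasks" or exe.endswith("\\schtasks") or exe.endswith("schtasks.exe")):
        return None
    args, i = {}, 1
    while i < len(toks):
        tok = toks[i]
        if not tok.startswith("/"):
            i += 1
            continue
        key = tok.lower()
        # A switch takes the next token as its value unless it is a bare flag
        # or the next token is itself a switch.
        if key in FLAG_SWITCHES or i + 1 >= len(toks) or toks[i + 1].startswith("/"):
            args[key] = True
            i += 1
        else:
            args[key] = toks[i + 1]
            i += 2
    return args if "/create" in args else None


def expected_install_tail(config: dict) -> str:
    """Quasar writes <subdirectory>\\<install_name>; the base directory depends on
    the build's install setting (SysWOW64 in this report), so match the tail only."""
    return (config["subdirectory"] + "\\" + config["install_name"]).lower()


def assess_schtasks(cmdline: str, config: dict = QUASAR_CONFIG) -> list:
    """Reasons why a `schtasks /create` line looks like Quasar persistence (empty if none)."""
    args = parse_schtasks(cmdline)
    if args is None:
        return []
    reasons = []
    name = str(args.get("/tn", ""))
    target = str(args.get("/tr", "")).lower()
    if name == config["startup_key"]:
        reasons.append(f"task name matches Quasar startup_key {name!r}")
    if str(args.get("/sc", "")).upper() == "ONLOGON" and str(args.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("logon-triggered task requested with /rl HIGHEST")
    if any(d in target for d in USER_WRITABLE):
        reasons.append(f"task runs a binary from a user-writable path: {target}")
    if target.endswith(expected_install_tail(config)):
        reasons.append(f"task target ends with Quasar install path {expected_install_tail(config)!r}")
    if "/f" in args and reasons:
        reasons.append("/f silently overwrites an existing task of the same name")
    return reasons


if __name__ == "__main__":
    for pid, cmd in SAMPLE_EVENTS:
        hits = assess_schtasks(cmd)
        print(f"PID {pid}: {'SUSPICIOUS' if hits else 'ok'}")
        for r in hits:
            print("   -", r)
```

Run as a script it prints one verdict per sample line; in practice you would feed it the CommandLine field of Sysmon event 1 or Security event 4688 records whose image is schtasks.exe. The startup_key match is the most specific rule, since it comes from this build's config; the ONLOGON-plus-HIGHEST and user-writable-path rules are generic and will also catch other RATs that persist the same way.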

Network

  • flag-us
    DNS
    97.17.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    97.17.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    136.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    136.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ip-api.com
    win.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • flag-us
    GET
    http://ip-api.com/json/
    Client-built.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 13 Dec 2024 07:24:12 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    1.112.95.208.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.112.95.208.in-addr.arpa
    IN PTR
    Response
    1.112.95.208.in-addr.arpa
    IN PTR
    ip-api.com
  • flag-us
    GET
    http://ip-api.com/json/
    win.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /json/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Fri, 13 Dec 2024 07:24:14 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 291
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
  • flag-us
    DNS
    5.tcp.eu.ngrok.io
    win.exe
    Remote address:
    8.8.8.8:53
    Request
    5.tcp.eu.ngrok.io
    IN A
    Response
    5.tcp.eu.ngrok.io
    IN A
    18.158.58.205
  • flag-us
    DNS
    205.58.158.18.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    205.58.158.18.in-addr.arpa
    IN PTR
    Response
    205.58.158.18.in-addr.arpa
    IN PTR
    ec2-18-158-58-205.eu-central-1.compute.amazonaws.com
  • flag-us
    DNS
    104.219.191.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    104.219.191.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    5.tcp.eu.ngrok.io
    win.exe
    Remote address:
    8.8.8.8:53
    Request
    5.tcp.eu.ngrok.io
    IN A
    Response
    5.tcp.eu.ngrok.io
    IN A
    3.64.4.198
  • flag-us
    DNS
    5.tcp.eu.ngrok.io
    win.exe
    Remote address:
    8.8.8.8:53
    Request
    5.tcp.eu.ngrok.io
    IN A
    Response
    5.tcp.eu.ngrok.io
    IN A
    3.64.4.198
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.4.64.3.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.4.64.3.in-addr.arpa
    IN PTR
    Response
    198.4.64.3.in-addr.arpa
    IN PTR
    ec2-3-64-4-198.eu-central-1.compute.amazonaws.com
  • flag-us
    DNS
    19.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    19.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 208.95.112.1:80
    http://ip-api.com/json/
    http
    Client-built.exe
    374 B
    560 B
    5
    2

    HTTP Request

    GET http://ip-api.com/json/

    HTTP Response

    200
  • 208.95.112.1:80
    http://ip-api.com/json/
    http
    win.exe
    374 B
    640 B
    5
    4

    HTTP Request

    GET http://ip-api.com/json/

    HTTP Response

    200
  • 18.158.58.205:13432
    5.tcp.eu.ngrok.io
    win.exe
    190 B
    132 B
    4
    3
  • 18.158.58.205:8080
    5.tcp.eu.ngrok.io
    win.exe
    260 B
    5
  • 18.158.58.205:13432
    5.tcp.eu.ngrok.io
    win.exe
    190 B
    132 B
    4
    3
  • 3.64.4.198:8080
    5.tcp.eu.ngrok.io
    win.exe
    260 B
    5
  • 3.64.4.198:13432
    5.tcp.eu.ngrok.io
    win.exe
    734 B
    584 B
    11
    10
  • 8.8.8.8:53
    97.17.167.52.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    97.17.167.52.in-addr.arpa

  • 8.8.8.8:53
    136.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    136.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    ip-api.com
    dns
    win.exe
    56 B
    72 B
    1
    1

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    1.112.95.208.in-addr.arpa
    dns
    71 B
    95 B
    1
    1

    DNS Request

    1.112.95.208.in-addr.arpa

  • 8.8.8.8:53
    5.tcp.eu.ngrok.io
    dns
    win.exe
    63 B
    79 B
    1
    1

    DNS Request

    5.tcp.eu.ngrok.io

    DNS Response

    18.158.58.205

  • 8.8.8.8:53
    205.58.158.18.in-addr.arpa
    dns
    72 B
    138 B
    1
    1

    DNS Request

    205.58.158.18.in-addr.arpa

  • 8.8.8.8:53
    104.219.191.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    104.219.191.52.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    5.tcp.eu.ngrok.io
    dns
    win.exe
    63 B
    79 B
    1
    1

    DNS Request

    5.tcp.eu.ngrok.io

    DNS Response

    3.64.4.198

  • 8.8.8.8:53
    5.tcp.eu.ngrok.io
    dns
    win.exe
    63 B
    79 B
    1
    1

    DNS Request

    5.tcp.eu.ngrok.io

    DNS Response

    3.64.4.198

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    198.4.64.3.in-addr.arpa
    dns
    69 B
    132 B
    1
    1

    DNS Request

    198.4.64.3.in-addr.arpa

  • 8.8.8.8:53
    19.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    19.229.111.52.in-addr.arpa
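Three things in the network records above are worth turning into detection logic. First, both the dropper and the installed copy fetch http://ip-api.com/json/ with a User-Agent that claims Windows NT 6.3 (Windows 8.1) even though the sandbox image is Windows 10 2004. Second, the C2 hostname 5.tcp.eu.ngrok.io is an ngrok TCP tunnel endpoint, which resolved to two different EC2 addresses during the run. Third, of the two configured C2 ports only 13432 ever produced a two-way session; the connections to 8080 show 260 B sent over 5 packets and nothing received. As an added example, not sandbox output and not Quasar code, the Python below correlates those per-process signals into a verdict. The event schema, the browser allow-list, the ngrok hostname pattern and the firefox.exe control events are constructed assumptions; the win.exe and Client-built.exe events are transcribed from the report.

```python
"""Correlate per-process network events into a Quasar-style C2 verdict.

Added example. Events are transcribed from the report in the order observed
(the DNS answer must precede the TCP connection that uses it); the schema,
rules and negative control are my own constructions."""
import re

# User-Agent quoted from the report's HTTP requests (claims NT 6.3 = Windows 8.1).
UA = "Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0"

IP_LOOKUP_HOSTS = {"ip-api.com"}          # extend with other lookup services as needed
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}  # assumption: allowed to do lookups
# ngrok TCP tunnel hostnames look like N.tcp.ngrok.io or N.tcp.<region>.ngrok.io.
NGROK_TCP = re.compile(r"^\d+\.tcp(\.[a-z]{2,})?\.ngrok\.io$")

SAMPLE_EVENTS = [
    {"proc": "Client-built.exe", "kind": "http", "host": "ip-api.com", "path": "/json/", "ua": UA},
    {"proc": "win.exe", "kind": "http", "host": "ip-api.com", "path": "/json/", "ua": UA},
    {"proc": "win.exe", "kind": "dns", "query": "5.tcp.eu.ngrok.io", "answer": "18.158.58.205"},
    {"proc": "win.exe", "kind": "tcp", "dst": "18.158.58.205", "port": 13432, "sent": 190, "recv": 132},
    {"proc": "win.exe", "kind": "tcp", "dst": "18.158.58.205", "port": 8080, "sent": 260, "recv": 0},
    {"proc": "win.exe", "kind": "dns", "query": "5.tcp.eu.ngrok.io", "answer": "3.64.4.198"},
    {"proc": "win.exe", "kind": "tcp", "dst": "3.64.4.198", "port": 13432, "sent": 734, "recv": 584},
    # Constructed negative control: a browser talking to a TEST-NET-3 address.
    {"proc": "firefox.exe", "kind": "dns", "query": "example.org", "answer": "203.0.113.10"},
    {"proc": "firefox.exe", "kind": "tcp", "dst": "203.0.113.10", "port": 443, "sent": 1200, "recv": 9000},
]


def is_ngrok_tcp_tunnel(hostname: str) -> bool:
    """True for ngrok TCP tunnel endpoints such as 5.tcp.eu.ngrok.io."""
    return NGROK_TCP.match(hostname.lower()) is not None


def ua_platform_mismatch(ua: str, host_nt_version: str) -> bool:
    """True when the UA names a Windows NT version other than the host's."""
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    return m is not None and m.group(1) != host_nt_version


def analyze(events, host_nt_version: str = "10.0") -> dict:
    """Return {process: {"verdict", "c2", "indicators"}} for every process in events."""
    results = {}
    for proc in sorted({e["proc"] for e in events}):
        indicators, tunnels, c2 = [], {}, []
        for e in (e for e in events if e["proc"] == proc):
            if e["kind"] == "http" and e["host"] in IP_LOOKUP_HOSTS and proc.lower() not in BROWSERS:
                indicators.append(f"external IP lookup: GET http://{e['host']}{e['path']}")
                if ua_platform_mismatch(e["ua"], host_nt_version):
                    indicators.append(f"User-Agent claims a different Windows version than the host: {e['ua']}")
            elif e["kind"] == "dns" and is_ngrok_tcp_tunnel(e["query"]):
                tunnels[e["answer"]] = e["query"]   # remember which IPs belong to the tunnel
                indicators.append(f"ngrok TCP tunnel resolved: {e['query']} -> {e['answer']}")
            elif e["kind"] == "tcp" and e["dst"] in tunnels:
                endpoint = f"{e['dst']}:{e['port']}"
                if e["recv"] > 0:
                    c2.append(endpoint)
                    indicators.append(f"two-way session with ngrok endpoint {endpoint} "
                                      f"({e['sent']} B out / {e['recv']} B in)")
                else:
                    indicators.append(f"unanswered connection attempt to ngrok endpoint {endpoint} "
                                      f"({e['sent']} B out)")
        has_lookup = any(i.startswith("external IP lookup") for i in indicators)
        if has_lookup and tunnels and c2:
            verdict = "quasar-like C2 pattern"
        elif indicators:
            verdict = "suspicious"
        else:
            verdict = "clean"
        results[proc] = {"verdict": verdict, "c2": sorted(set(c2)), "indicators": indicators}
    return results


if __name__ == "__main__":
    for proc, r in analyze(SAMPLE_EVENTS).items():
        print(f"{proc}: {r['verdict']}  live C2: {r['c2'] or '-'}")
        for i in r["indicators"]:
            print("   -", i)
```

The verdict deliberately requires all three signals from the same process; the dropper alone (Client-built.exe) only performed the IP lookup before handing off to win.exe, so it scores "suspicious" rather than "quasar-like". The c2 list only contains endpoints that actually answered, which is what you would block or pivot on, while the unanswered 8080 attempts stay visible as indicators. Because ngrok rotates the tunnel's address (two EC2 IPs in this one run), the hostname, not the IP, is the durable indicator.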

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Windows\SysWOW64\SubDir\win.exe

    Filesize

    348KB

    MD5

    e8ecdeb99f70e49718a4fc9986f86df3

    SHA1

    4f50bde0200a60dfe74a957a4f927e5648e2e78f

    SHA256

    d0030ab6b4ed701eca6cad94f123517f564edb6a17ca33cbe6415cea10ac1401

    SHA512

    f04bbab81c20eb22315914d20fa3d34761e0821592189b12c8821b311a3056f9c767bfc57eb41403c55a5eeb0cef50575686c1766ccfb164c5bb1892637c37ba

  • memory/432-6-0x0000000005530000-0x0000000005542000-memory.dmp

    Filesize

    72KB

  • memory/432-2-0x0000000005570000-0x0000000005B14000-memory.dmp

    Filesize

    5.6MB

  • memory/432-3-0x0000000005060000-0x00000000050F2000-memory.dmp

    Filesize

    584KB

  • memory/432-4-0x00000000749D0000-0x0000000075180000-memory.dmp

    Filesize

    7.7MB

  • memory/432-5-0x0000000005160000-0x00000000051C6000-memory.dmp

    Filesize

    408KB

  • memory/432-0-0x00000000749DE000-0x00000000749DF000-memory.dmp

    Filesize

    4KB

  • memory/432-7-0x0000000006220000-0x000000000625C000-memory.dmp

    Filesize

    240KB

  • memory/432-1-0x0000000000570000-0x00000000005CE000-memory.dmp

    Filesize

    376KB

  • memory/432-13-0x00000000749D0000-0x0000000075180000-memory.dmp

    Filesize

    7.7MB

  • memory/2360-14-0x00000000749D0000-0x0000000075180000-memory.dmp

    Filesize

    7.7MB

  • memory/2360-15-0x00000000749D0000-0x0000000075180000-memory.dmp

    Filesize

    7.7MB

  • memory/2360-17-0x0000000006820000-0x000000000682A000-memory.dmp

    Filesize

    40KB

  • memory/2360-18-0x00000000749D0000-0x0000000075180000-memory.dmp

    Filesize

    7.7MB
