Overview

overview

10

Static

static

10

rat2.0.exe

windows7-x64

10

rat2.0.exe

windows10-2004-x64

10

Resubmissions

13-12-2024 13:56

241213-q82eeszqgw 10

13-12-2024 13:53

241213-q7e5sszqdt 10

Analysis

  • max time kernel
    149s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13-12-2024 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rat2.0.exe

  • Size

    3.1MB

  • MD5

    0ec9d66f466763887c3d957ef04a601a

  • SHA1

    4f3bd499508c12c1d15142db4ccb3633d4a563f9

  • SHA256

    ca6205581da131085d4fd448d7a6cb47627ebf0eeeb7e42d7c1047d18631c9b0

  • SHA512

    ffcaf78789c63171473cd0d173875bf83860be15505181f431ef8557e6509af78130a1aee8a067e076238028fba229bb442bb738cff9401bdb8d204bc24bd13d

  • SSDEEP

    49152:LvTlL26AaNeWgPhlmVqvMQ7XSKZF/jBxgLoGdFHTHHB72eh2NT:LvJL26AaNeWgPhlmVqkQ7XSKz/u

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.56.1:4782

192.168.42.36:4782
Mutex

a2375055-d323-4f14-953b-13f74ff9f85a

Attributes
  • encryption_key

    36B9F39EDDE38B2DC6E38AA9208FBAD7687FDB50

  • install_name

    Pygame.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rat2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\rat2.0.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Program Files\SubDir\Pygame.exe
      "C:\Program Files\SubDir\Pygame.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2408
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2836

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\SubDir\Pygame.exe
      Filesize

      3.1MB

      MD5

      0ec9d66f466763887c3d957ef04a601a

      SHA1

      4f3bd499508c12c1d15142db4ccb3633d4a563f9

      SHA256

      ca6205581da131085d4fd448d7a6cb47627ebf0eeeb7e42d7c1047d18631c9b0

      SHA512

      ffcaf78789c63171473cd0d173875bf83860be15505181f431ef8557e6509af78130a1aee8a067e076238028fba229bb442bb738cff9401bdb8d204bc24bd13d

      Download Submit

    • memory/2176-0-0x000007FEF5B43000-0x000007FEF5B44000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2176-1-0x0000000000200000-0x0000000000524000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2176-2-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2176-8-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2408-10-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2408-9-0x0000000001090000-0x00000000013B4000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/2408-11-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2408-12-0x000007FEF5B40000-0x000007FEF652C000-memory.dmp

      Filesize

      9.9MB

      Download