Overview

overview

10

Static

static

10

R5ALE_Clie...lt.exe

windows7-x64

10

R5ALE_Clie...lt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 15:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    R5ALE_Client-built.exe

  • Size

    3.1MB

  • MD5

    cafaa2094366a156294df6341237e491

  • SHA1

    49868d99bb2252ce9911f8b6c94015cd87f24b01

  • SHA256

    9d7cd0429734cb72bc0205287461e459c51cee40f34e5e54513da2315bf8e84a

  • SHA512

    be176c9d7080b522c8a5dc9d219d47ee71ef507473348825073928142b9e9175287140fce137a5fc16d4d5ec0eb96bcc26bbeacf86dd328f9b5492f66b6af675

  • SSDEEP

    49152:zvbI22SsaNYfdPBldt698dBcjHKVE7uo+vJgBoGdBTHHB72eh2NT:zvk22SsaNYfdPBldt6+dBcjHqoj

Score
10/10
quasaroffice04discoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

Waix-40247.portmap.host:40247

Mutex

9d84e220-c4b7-4f5c-b179-163c03154a8f

Attributes
  • encryption_key

    B963B2000CDCB4E83B2966F1E1C703720463EE18

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vbNc9mWpgeeG.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:820
        • C:\Windows\system32\PING.EXE
          ping -n 10 localhost
          3⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1904
        • C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe
          "C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"
          3⤵
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:3576
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwBKW4FiQkR0.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3928
            • C:\Windows\system32\chcp.com
              chcp 65001
              5⤵
                PID:3096
              • C:\Windows\system32\PING.EXE
                ping -n 10 localhost
                5⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4692
              • C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe
                "C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"
                5⤵
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                PID:4620

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\R5ALE_Client-built.exe.log
        Filesize

        2KB

        MD5

        8f0271a63446aef01cf2bfc7b7c7976b

        SHA1

        b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7

        SHA256

        da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c

        SHA512

        78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\dwBKW4FiQkR0.bat
        Filesize

        215B

        MD5

        008769ed9b97f6d8fbd28c5d00fc2234

        SHA1

        3cf2f358ad7dbcd5e5c63502eefb79ae0561e8c6

        SHA256

        3d299071bb0394cef8551170856045870cd1b375301ffe15d738edf730b4f167

        SHA512

        7cff15b72a6aba694cd3135557423d06fb951e9ce0c433f76ed4f8d22419d8b9ce90630cef0dd5616474da2bb1e72344d7b92677363271c443dd41ce2fb1422f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\vbNc9mWpgeeG.bat
        Filesize

        215B

        MD5

        96cc09f70f2ef35be5b8373dea23bd65

        SHA1

        a19fde94f53394b17b92b6b0715af6c15d08d89b

        SHA256

        5cfdb367f97c085c77b0d97f9a0176302a2f2808e6a74ccf12c72c858f2fe929

        SHA512

        2b85fdea3e7c3d4be170dbdfe83ba64e62be4c6cdaf3692c6f94e3e19dd45d84acb65fe4d342f53a77f33b38c5a20a683c78cee3cba7f094d69199d952e38534

        Download Submit

      • memory/1996-3-0x000000001D870000-0x000000001D8C0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/1996-4-0x000000001D980000-0x000000001DA32000-memory.dmp

        Filesize

        712KB

        Download

      • memory/1996-5-0x00007FFC0F4F3000-0x00007FFC0F4F5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1996-6-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1996-11-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1996-0-0x00007FFC0F4F3000-0x00007FFC0F4F5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1996-2-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1996-1-0x00000000005E0000-0x0000000000904000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/3576-14-0x00007FFC0F560000-0x00007FFC10021000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3576-15-0x00007FFC0F563000-0x00007FFC0F565000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3576-16-0x00007FFC0F560000-0x00007FFC10021000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3576-20-0x00007FFC0F560000-0x00007FFC10021000-memory.dmp

        Filesize

        10.8MB

        Download