Malware Analysis Report

2025-04-14 04:54

Sample ID 241213-smkwnatqap
Target R5ALE_Client-built.exe
SHA256 9d7cd0429734cb72bc0205287461e459c51cee40f34e5e54513da2315bf8e84a
Tags
office04 quasar spyware trojan discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 9d7cd0429734cb72bc0205287461e459c51cee40f34e5e54513da2315bf8e84a

Threat Level: Known bad

The file R5ALE_Client-built.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan discovery

Quasar RAT

Quasar family

Quasar payload

Checks computer location settings

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-12-13 15:14

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-12-13 15:14

Reported: 2024-12-13 15:17

Platform: win7-20241023-en

Max time kernel: 128s

Max time network: 138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 Waix-40247.portmap.host udp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp

Files

memory/1740-0-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp

memory/1740-1-0x00000000000F0000-0x0000000000414000-memory.dmp

memory/1740-2-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

memory/1740-3-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp

memory/1740-4-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-12-13 15:14

Reported: 2024-12-13 15:17

Platform: win10v2004-20241007-en

Max time kernel: 148s

Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe N/A

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe C:\Windows\system32\cmd.exe
PID 1996 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe C:\Windows\system32\cmd.exe
PID 4392 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4392 wrote to memory of 820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 4392 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4392 wrote to memory of 1904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 4392 wrote to memory of 3576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe
PID 4392 wrote to memory of 3576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe
PID 3576 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe C:\Windows\system32\cmd.exe
PID 3576 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe C:\Windows\system32\cmd.exe
PID 3928 wrote to memory of 3096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3928 wrote to memory of 3096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3928 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3928 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3928 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe
PID 3928 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe

Processes

C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vbNc9mWpgeeG.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwBKW4FiQkR0.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 Waix-40247.portmap.host udp
US 8.8.8.8:53 Waix-40247.portmap.host udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 Waix-40247.portmap.host udp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 193.161.193.99:40247 Waix-40247.portmap.host tcp

Files

memory/1996-0-0x00007FFC0F4F3000-0x00007FFC0F4F5000-memory.dmp

memory/1996-1-0x00000000005E0000-0x0000000000904000-memory.dmp

memory/1996-2-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

memory/1996-3-0x000000001D870000-0x000000001D8C0000-memory.dmp

memory/1996-4-0x000000001D980000-0x000000001DA32000-memory.dmp

memory/1996-5-0x00007FFC0F4F3000-0x00007FFC0F4F5000-memory.dmp

memory/1996-6-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

memory/1996-11-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbNc9mWpgeeG.bat

MD5 96cc09f70f2ef35be5b8373dea23bd65
SHA1 a19fde94f53394b17b92b6b0715af6c15d08d89b
SHA256 5cfdb367f97c085c77b0d97f9a0176302a2f2808e6a74ccf12c72c858f2fe929
SHA512 2b85fdea3e7c3d4be170dbdfe83ba64e62be4c6cdaf3692c6f94e3e19dd45d84acb65fe4d342f53a77f33b38c5a20a683c78cee3cba7f094d69199d952e38534

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\R5ALE_Client-built.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

memory/3576-14-0x00007FFC0F560000-0x00007FFC10021000-memory.dmp

memory/3576-15-0x00007FFC0F563000-0x00007FFC0F565000-memory.dmp

memory/3576-16-0x00007FFC0F560000-0x00007FFC10021000-memory.dmp

memory/3576-20-0x00007FFC0F560000-0x00007FFC10021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dwBKW4FiQkR0.bat

MD5 008769ed9b97f6d8fbd28c5d00fc2234
SHA1 3cf2f358ad7dbcd5e5c63502eefb79ae0561e8c6
SHA256 3d299071bb0394cef8551170856045870cd1b375301ffe15d738edf730b4f167
SHA512 7cff15b72a6aba694cd3135557423d06fb951e9ce0c433f76ed4f8d22419d8b9ce90630cef0dd5616474da2bb1e72344d7b92677363271c443dd41ce2fb1422f