Analysis Overview
SHA256
9d7cd0429734cb72bc0205287461e459c51cee40f34e5e54513da2315bf8e84a
Threat Level: Known bad
The file R5ALE_Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar family
Quasar payload
Checks computer location settings
System Network Configuration Discovery: Internet Connection Discovery (T1016.001)
Unsigned PE
Enumerates physical storage devices
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-13 15:14
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-13 15:14
Reported
2024-12-13 15:17
Platform
win7-20241023-en
Max time kernel
128s
Max time network
138s
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | Waix-40247.portmap.host | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
Files
memory/1740-0-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp
memory/1740-1-0x00000000000F0000-0x0000000000414000-memory.dmp
memory/1740-2-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
memory/1740-3-0x000007FEF5A93000-0x000007FEF5A94000-memory.dmp
memory/1740-4-0x000007FEF5A90000-0x000007FEF647C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-13 15:14
Reported
2024-12-13 15:17
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery (T1016.001)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vbNc9mWpgeeG.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwBKW4FiQkR0.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"
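The process list above shows the client starting cmd.exe on a .bat dropped in %TEMP%, that batch running chcp 65001 and ping -n 10 localhost (a ten-second delay), and a fresh instance of R5ALE_Client-built.exe appearing afterwards; the sequence then repeats. The following is an added example, not code from this report or from Quasar: a Python check over constructed process-creation events modelled on that list (field names mimic Sysmon Event ID 1; the pids, ppids and the benign control rows are assumptions) that flags a cmd.exe running a Temp .bat whose children include chcp.com, a localhost ping delay, and a relaunch of cmd.exe's own parent image.

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the behavioral2 process list above.
# Field names mimic Sysmon Event ID 1; pids and ppids are assumed, not taken from the report.
CLIENT = r"C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"
EVENTS = [
    {"pid": 1996, "ppid": 1200, "image": CLIENT, "cmdline": f'"{CLIENT}"'},
    {"pid": 2400, "ppid": 1996, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vbNc9mWpgeeG.bat" "'},
    {"pid": 2410, "ppid": 2400, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 2420, "ppid": 2400, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 3576, "ppid": 2400, "image": CLIENT, "cmdline": f'"{CLIENT}"'},
    # Constructed benign control: an admin batch file that pings a server; no chcp, no relaunch.
    {"pid": 5000, "ppid": 4000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Tools\healthcheck.bat"'},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 4 fileserver"},
]

# A .bat anywhere under the user's Temp directory.
BAT_IN_TEMP = re.compile(r'\\AppData\\Local\\Temp\\[^"\\]+\.bat\b', re.I)
# "ping -n <N> localhost" used as a sleep before relaunching.
PING_SELF = re.compile(r'^(?:.*\\)?ping(?:\.exe)?\s+-n\s+\d+\s+(?:localhost|127\.0\.0\.1)\b', re.I)


def find_restart_chains(events):
    """Return one finding per cmd.exe that ran a Temp .bat whose children include
    chcp.com, a localhost ping delay, and a new instance of cmd.exe's own parent image."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = []
    for cmd in events:
        if not cmd["image"].lower().endswith("\\cmd.exe"):
            continue
        if not BAT_IN_TEMP.search(cmd["cmdline"]):
            continue
        parent = by_pid.get(cmd["ppid"])
        if parent is None:
            continue  # parent not in the event window; cannot test for a relaunch
        kids = children[cmd["pid"]]
        has_chcp = any(k["image"].lower().endswith("\\chcp.com") for k in kids)
        has_ping = any(PING_SELF.match(k["cmdline"]) for k in kids)
        relaunched = [k for k in kids if k["image"].lower() == parent["image"].lower()]
        if has_chcp and has_ping and relaunched:
            hits.append({
                "image": parent["image"],
                "original_pid": parent["pid"],
                "bat_cmd_pid": cmd["pid"],
                "relaunched_pid": relaunched[0]["pid"],
            })
    return hits


if __name__ == "__main__":
    for h in find_restart_chains(EVENTS):
        print(f"batch restart chain: {h['image']} pid {h['original_pid']} "
              f"-> cmd pid {h['bat_cmd_pid']} -> relaunched pid {h['relaunched_pid']}")
```

The three conditions are required together on purpose: batch files that ping a host, or that set the code page, are common in administration, but a Temp .bat that does both and then starts the same image as the cmd.exe's parent is the shape the list above records.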
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Waix-40247.portmap.host | udp |
| US | 8.8.8.8:53 | Waix-40247.portmap.host | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Waix-40247.portmap.host | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
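The Network table above lists the same TCP endpoint several times and mixes in reverse-DNS (PTR) queries for addresses that never appear as connection destinations. The following is an added example, not part of this report: Python that parses the rows (copied from the behavioral2 table above), collapses them into unique destinations with connection counts, separates PTR lookups from forward queries, and flags the pattern visible here, namely that the first DNS label (Waix-40247) ends in the destination port (40247). The classification rules are this example's own assumptions.

```python
import re
from collections import Counter

# Rows copied from the behavioral2 Network table above (the report's data).
NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Waix-40247.portmap.host | udp |
| US | 8.8.8.8:53 | Waix-40247.portmap.host | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Waix-40247.portmap.host | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
"""


def parse_rows(table):
    """Turn the pipe-delimited table into dicts; the header row is skipped."""
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """Reverse a PTR name (d.c.b.a.in-addr.arpa) back to a.b.c.d; None if not a PTR name."""
    m = re.fullmatch(r"((?:\d{1,3}\.){4})in-addr\.arpa", name)
    if not m:
        return None
    return ".".join(reversed(m.group(1).rstrip(".").split(".")))


def port_embedded_in_hostname(domain, port):
    """True when the first DNS label ends with the destination port number (Waix-40247 / 40247)."""
    label = domain.split(".")[0]
    return re.search(rf"(?<!\d){port}$", label) is not None


def extract_iocs(table):
    """Split rows into C2 connections (deduplicated, with counts), forward DNS queries,
    and PTR lookups; annotate C2 entries whose hostname carries the port."""
    c2, dns, ptr = Counter(), Counter(), set()
    for r in parse_rows(table):
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr.add(ip)
            else:
                dns[r["domain"]] += 1
        else:
            c2[(r["ip"], r["port"], r["domain"])] += 1
    findings = []
    for (ip, port, domain), n in c2.items():
        note = "port embedded in hostname" if port_embedded_in_hostname(domain, port) else ""
        findings.append({"ip": ip, "port": port, "domain": domain,
                         "connections": n, "note": note})
    return {"c2": findings, "dns_queries": dict(dns), "ptr_targets": sorted(ptr)}


if __name__ == "__main__":
    result = extract_iocs(NETWORK_TABLE)
    for f in result["c2"]:
        print(f"C2 {f['domain']} -> {f['ip']}:{f['port']} x{f['connections']} {f['note']}")
    print("forward queries:", result["dns_queries"])
    print("PTR targets (not connection destinations):", result["ptr_targets"])
```

The PTR targets are kept separately rather than dropped so an analyst can confirm they are unrelated to the sample; in this table none of them is ever connected to, so only the 193.161.193.99:40247 endpoint and its hostname belong on the block list.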
Files
memory/1996-0-0x00007FFC0F4F3000-0x00007FFC0F4F5000-memory.dmp
memory/1996-1-0x00000000005E0000-0x0000000000904000-memory.dmp
memory/1996-2-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp
memory/1996-3-0x000000001D870000-0x000000001D8C0000-memory.dmp
memory/1996-4-0x000000001D980000-0x000000001DA32000-memory.dmp
memory/1996-5-0x00007FFC0F4F3000-0x00007FFC0F4F5000-memory.dmp
memory/1996-6-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp
memory/1996-11-0x00007FFC0F4F0000-0x00007FFC0FFB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vbNc9mWpgeeG.bat
| MD5 | 96cc09f70f2ef35be5b8373dea23bd65 |
| SHA1 | a19fde94f53394b17b92b6b0715af6c15d08d89b |
| SHA256 | 5cfdb367f97c085c77b0d97f9a0176302a2f2808e6a74ccf12c72c858f2fe929 |
| SHA512 | 2b85fdea3e7c3d4be170dbdfe83ba64e62be4c6cdaf3692c6f94e3e19dd45d84acb65fe4d342f53a77f33b38c5a20a683c78cee3cba7f094d69199d952e38534 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\R5ALE_Client-built.exe.log
| MD5 | 8f0271a63446aef01cf2bfc7b7c7976b |
| SHA1 | b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7 |
| SHA256 | da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c |
| SHA512 | 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5 |
memory/3576-14-0x00007FFC0F560000-0x00007FFC10021000-memory.dmp
memory/3576-15-0x00007FFC0F563000-0x00007FFC0F565000-memory.dmp
memory/3576-16-0x00007FFC0F560000-0x00007FFC10021000-memory.dmp
memory/3576-20-0x00007FFC0F560000-0x00007FFC10021000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dwBKW4FiQkR0.bat
| MD5 | 008769ed9b97f6d8fbd28c5d00fc2234 |
| SHA1 | 3cf2f358ad7dbcd5e5c63502eefb79ae0561e8c6 |
| SHA256 | 3d299071bb0394cef8551170856045870cd1b375301ffe15d738edf730b4f167 |
| SHA512 | 7cff15b72a6aba694cd3135557423d06fb951e9ce0c433f76ed4f8d22419d8b9ce90630cef0dd5616474da2bb1e72344d7b92677363271c443dd41ce2fb1422f |