Analysis Overview
SHA256
9d7cd0429734cb72bc0205287461e459c51cee40f34e5e54513da2315bf8e84a
Threat Level: Known bad
The file R5ALE_Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar RAT
Quasar payload
Unsigned PE
Enumerates physical storage devices
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-13 15:32
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-13 15:32
Reported
2024-12-13 15:35
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
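Reading the tables above by process matters. The registry lookups, AddClipboardFormatListener and all four SetWindowsHookEx hits are attributed to POWERPNT.EXE, which the process list shows running on DisconnectGet.pptm from the sandbox desktop; nothing in the report shows the sample starting or injecting into it. The only signatures attributed to R5ALE_Client-built.exe itself are the SeDebugPrivilege token adjustment, FindShellTrayWindow and SendNotifyMessage, so the verdict rests on the Quasar family/payload detections and on the C2 traffic in the Network section rather than on these generic behaviours. The following is an added Python example, not part of the report, that parses the rows copied from the tables above and separates the signatures by process; the constant and function names are its own.

```python
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"
POWERPOINT = r"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"

# The behavioral1 signature section above, copied verbatim (the Quasar
# family/payload tables, whose process column is N/A, are left out).
REPORT_SIGNATURES = r"""
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE | N/A |
"""


def parse_signature_rows(text):
    """Yield (signature, description, indicator, process) for each table row
    that names a process; a non-table line sets the current signature name."""
    signature = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("|"):
            signature = line
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description":
            continue  # header row or malformed line
        description, indicator, process, _target = cells
        if process != "N/A":
            yield signature, description, indicator, process


def signatures_by_process(text):
    grouped = defaultdict(set)
    for signature, _d, _i, process in parse_signature_rows(text):
        grouped[process].add(signature)
    return {process: sorted(sigs) for process, sigs in grouped.items()}


def attribution(text, sample=SAMPLE):
    """Signatures seen on the sample itself versus those seen only on other
    processes; the latter are not the sample's behaviour unless the report
    also shows it creating or injecting into that process (this one does not)."""
    grouped = signatures_by_process(text)
    own = set(grouped.get(sample, []))
    others = set()
    for process, sigs in grouped.items():
        if process != sample:
            others.update(sigs)
    return {"sample": sorted(own), "other_processes_only": sorted(others - own)}


def registry_indicators(text):
    """Registry paths from the discovery signatures, case-folded because the
    report mixes upper- and mixed-case spellings of the same key."""
    return sorted({indicator.lower()
                   for _s, _d, indicator, _p in parse_signature_rows(text)
                   if indicator.startswith("\\REGISTRY\\")})


if __name__ == "__main__":
    for process, sigs in signatures_by_process(REPORT_SIGNATURES).items():
        print(process, sigs)
    print(attribution(REPORT_SIGNATURES))
```

Because every registry indicator in this run comes from POWERPNT.EXE, the paths returned by registry_indicators are Office noise in this detonation and are not material for a detection rule on the sample.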
Processes
C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\R5ALE_Client-built.exe"
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\DisconnectGet.pptm" /ou ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Waix-40247.portmap.host | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| US | 8.8.8.8:53 | 28.173.189.20.in-addr.arpa | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
Files
memory/1376-0-0x00007FFB308F3000-0x00007FFB308F5000-memory.dmp
memory/1376-1-0x0000000000310000-0x0000000000634000-memory.dmp
memory/1376-2-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp
memory/1376-3-0x000000001D3A0000-0x000000001D3F0000-memory.dmp
memory/1376-4-0x000000001D4B0000-0x000000001D562000-memory.dmp
memory/1376-5-0x00007FFB308F3000-0x00007FFB308F5000-memory.dmp
memory/1376-6-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp
memory/1588-7-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-9-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-10-0x00007FFB4EA0D000-0x00007FFB4EA0E000-memory.dmp
memory/1588-11-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-12-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-8-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-14-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-13-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-17-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-19-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-20-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-18-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-21-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-22-0x00007FFB0C8F0000-0x00007FFB0C900000-memory.dmp
memory/1588-16-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-15-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-23-0x00007FFB0C8F0000-0x00007FFB0C900000-memory.dmp
memory/1588-44-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-46-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-45-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-52-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-54-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-53-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-51-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-50-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-55-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-56-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-58-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-60-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-59-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-57-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-61-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
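Each entry in the Files list names a dumped region as memory/<pid>-<index>-<start>-<end>-memory.dmp, and the same address range recurs under successive indices, so the 39 files cover only nine distinct regions across two PIDs. The report does not say which PID is which process; the reading that 1376 is R5ALE_Client-built.exe (its dumps include a low, image-sized region at 0x310000) and 1588 is POWERPNT.EXE is an assumption here. An added Python example, not part of the report: it parses the list, collapses repeated dumps of one range, and orders a process's low-address regions by size, which is the order in which an analyst would hand them to a Quasar configuration extractor or a strings search. The 0x7FF000000000 floor used to separate system-DLL mappings from private regions is a heuristic of this example, not something the report states.

```python
import re
from collections import OrderedDict

# All 39 dump names from the Files list above, copied verbatim.
MEMORY_DUMPS = """
memory/1376-0-0x00007FFB308F3000-0x00007FFB308F5000-memory.dmp
memory/1376-1-0x0000000000310000-0x0000000000634000-memory.dmp
memory/1376-2-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp
memory/1376-3-0x000000001D3A0000-0x000000001D3F0000-memory.dmp
memory/1376-4-0x000000001D4B0000-0x000000001D562000-memory.dmp
memory/1376-5-0x00007FFB308F3000-0x00007FFB308F5000-memory.dmp
memory/1376-6-0x00007FFB308F0000-0x00007FFB313B1000-memory.dmp
memory/1588-7-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-9-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-10-0x00007FFB4EA0D000-0x00007FFB4EA0E000-memory.dmp
memory/1588-11-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-12-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-8-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-14-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-13-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-17-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-19-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-20-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-18-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-21-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-22-0x00007FFB0C8F0000-0x00007FFB0C900000-memory.dmp
memory/1588-16-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-15-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-23-0x00007FFB0C8F0000-0x00007FFB0C900000-memory.dmp
memory/1588-44-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-46-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-45-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-52-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-54-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-53-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-51-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-50-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-55-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-56-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
memory/1588-58-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-60-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-59-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-57-0x00007FFB0E9F0000-0x00007FFB0EA00000-memory.dmp
memory/1588-61-0x00007FFB4E970000-0x00007FFB4EB65000-memory.dmp
"""

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Heuristic (this example's, not the report's): on 64-bit Windows the system
# DLLs every process maps sit in the 0x00007FF... range, so a region below
# that floor is more likely the sample's own image or heap.
HIGH_ADDRESS_FLOOR = 0x7FF000000000


def parse_dumps(text):
    out = []
    for m in DUMP_RE.finditer(text):
        start, end = int(m[3], 16), int(m[4], 16)
        out.append({"file": m[0], "pid": int(m[1]), "index": int(m[2]),
                    "start": start, "end": end, "size": end - start})
    return out


def regions_by_pid(dumps):
    """One entry per distinct (pid, start, end) range, largest first, keeping
    the first file name (to pull for analysis) and how often it was dumped."""
    merged = OrderedDict()
    for d in dumps:
        key = (d["pid"], d["start"], d["end"])
        if key not in merged:
            merged[key] = {**d, "dump_count": 0}
        merged[key]["dump_count"] += 1
    by_pid = {}
    for (pid, _s, _e), region in merged.items():
        by_pid.setdefault(pid, []).append(region)
    for regions in by_pid.values():
        regions.sort(key=lambda r: r["size"], reverse=True)
    return by_pid


def config_candidates(dumps, pid):
    """Distinct low-address regions of one process, largest first."""
    return [r for r in regions_by_pid(dumps).get(pid, [])
            if r["start"] < HIGH_ADDRESS_FLOOR]


def summary(dumps):
    return {pid: {"distinct_regions": len(regs),
                  "dumps": sum(r["dump_count"] for r in regs),
                  "low_address_regions": sum(r["start"] < HIGH_ADDRESS_FLOOR for r in regs)}
            for pid, regs in regions_by_pid(dumps).items()}


if __name__ == "__main__":
    dumps = parse_dumps(MEMORY_DUMPS)
    print(summary(dumps))
    for r in config_candidates(dumps, 1376):
        print(f'{r["file"]}  size=0x{r["size"]:X}  dumped {r["dump_count"]}x')
```

For PID 1376 this yields three candidates, led by memory/1376-1-0x0000000000310000-0x0000000000634000-memory.dmp; PID 1588 has only high-address regions, consistent with the dumps of an Office process that merely loaded DLLs.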