Analysis Overview
SHA256: e79f1f7a293b811cf4de8077a3988c22a726204abdfb2866ba67500e53442f82
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
Quasar family
Quasar payload
Quasar RAT
Checks computer location settings
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Runs ping.exe
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-12-13 17:06
Signatures
Quasar family
Quasar payload
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-12-13 17:06
Reported: 2024-12-13 17:08
Platform: win7-20241010-en
Max time kernel: 147s
Max time network: 152s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | Waix-40247.portmap.host | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-12-13 17:06
Reported: 2024-12-13 17:08
Platform: win10v2004-20241007-en
Max time kernel: 93s
Max time network: 95s
Command Line
Signatures
Quasar RAT
Quasar family
Quasar payload
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3388 wrote to memory of 3676 | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | C:\Windows\system32\cmd.exe |
| PID 3676 wrote to memory of 396 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com |
| PID 3676 wrote to memory of 3224 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sDxtpd7ik8f0.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | Waix-40247.portmap.host | udp |
| DE | 193.161.193.99:40247 | Waix-40247.portmap.host | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipwho.is | udp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\sDxtpd7ik8f0.bat
| Hash | Value |
|---|---|
| MD5 | 1989b6c868ccadbee805728f9a16a01d |
| SHA1 | e24d525034dc10e99b2b9dfda1bc568d8c26b8bd |
| SHA256 | 18c7cfb19e500d6aa1cee8c7d69a8946ffc52dec94e8d0c4f944fcae86cab377 |
| SHA512 | 45111a04d6310bcee58f0e9d1a35e81c34b632accffe21b955abd09cf1ad30ce1803276cd7d2012b934574b1be93bf904de1a10bb02b20363a044939ffbcb7cb |