Overview

overview

10

Static

static

10

bannas.exe

windows7-x64

10

bannas.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14-12-2024 20:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bannas.exe

  • Size

    348KB

  • MD5

    7500a9269a35b159e854312282732728

  • SHA1

    5b3d03a59af9e662f84fb2ab113e6275a9d502af

  • SHA256

    8b776eb44e02df10fec47058feac9cc18d0f169370ebf7cbd9f0f0b7b66c99f9

  • SHA512

    3d46a5cec0dfc5b14381e21c096d0a9d094e6971629eada7fa4a3ddac7ac2192ff69c1c73b627447092d6589caab350fea14235cfbb380a364dba14969a7487f

  • SSDEEP

    6144:wk+zrEsiN1PDA3COn7bblr71T2fJYUzsgNkd:dxsiNczZsf2UzXkd

Score
10/10
quasaroffice04discoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

localhost:4781

192.168.1.159:4781

skibiditoilet.hopto.org:4781

86.175.70.140:4781
Mutex

QSR_MUTEX_86QM62MaEKfEyd8OVt

Attributes
  • encryption_key

    zZvCiezIyCBIqqTBUeKo

  • install_name

    security2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    security2

  • subdirectory

    skibidi

Signatures

  • Quasar RAT 4 IoCs

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 16 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bannas.exe
    "C:\Users\Admin\AppData\Local\Temp\bannas.exe"
    1⤵
    • Quasar RAT
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\bannas.exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2972
    • C:\Program Files (x86)\skibidi\security2.exe
      "C:\Program Files (x86)\skibidi\security2.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3020
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2812
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\NG8NEsCGN34Y.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2268
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1392
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1832
        • C:\Program Files (x86)\skibidi\security2.exe
          "C:\Program Files (x86)\skibidi\security2.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2212
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2000
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\nWjITlQVbHsW.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2196
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:904
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2692
            • C:\Program Files (x86)\skibidi\security2.exe
              "C:\Program Files (x86)\skibidi\security2.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1208
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:1280
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\SuoZUTgbBjDb.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2340
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2284
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2388
                • C:\Program Files (x86)\skibidi\security2.exe
                  "C:\Program Files (x86)\skibidi\security2.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:1692
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:2904
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 1468
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:2580
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 1428
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:1876
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 1500
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NG8NEsCGN34Y.bat
    Filesize

    203B

    MD5

    29c8f0adc06689fd101b286b0a9c4ee9

    SHA1

    63eec5648937b54d53f9026dd744e580439ff612

    SHA256

    a83e85fa6ab5c76f99841f84b11aa23b9edfdd165a81d7788a67ea187af9910f

    SHA512

    c117c7aa2bcfa9ec8822520277ae9f2debf066336716359486ab6c336f9a606ed578fdf799d9ce1795bfdb3ff52e6940c90f32a03a88e73605e438715b9e39b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SuoZUTgbBjDb.bat
    Filesize

    203B

    MD5

    a3c2a43b17a32238eb7e00a9b9a4b35a

    SHA1

    42dc5e808f08060400a97c24f9e0a7ca096f2730

    SHA256

    11deefdf364148507adf56fd9807801ff65f9713a43fff6926a4d52786dbc033

    SHA512

    f9f554127df7e8cbcbf71278d2e2606d994a885353496ce04bf588f1fe21b8307658dd395ce3ac90ba4c0383ca143b5aae852a9b66011b609a308c0d4995b9d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nWjITlQVbHsW.bat
    Filesize

    203B

    MD5

    577649cf5f007c8c4430ca6fc0983edb

    SHA1

    e405f041fca073c57f95b89d2323ecd33fedb1cc

    SHA256

    fe39ddd043996203f9d5007157530b8006281df46c3f225f3412c867adf63fd9

    SHA512

    63de2d282eeb19766b2e0f7734e7dea4c13d93455053d0cf7fd65a6e1149538aba2734300b5650f0920660bb5b783805515e021efe6bb3591a3e1a5f695d6c3a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Logs\12-14-2024
    Filesize

    224B

    MD5

    952c8e552ce2d5aebc00bda66f516ca3

    SHA1

    da70ac6a01bc717621049a7576a0590d077ef5bf

    SHA256

    a49a935c0d36b411767c7460fcb5481c7e4f3e60e623a46eeff5e55496c2cb12

    SHA512

    19df07910dc8ced292545de0ed4520b89543874ec300edc4e5c5a0a2da4f6a75ce936ff6542c8eb28f1bc6df92b036cc211122b185cdc074a8202f39a12a5223

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Logs\12-14-2024
    Filesize

    224B

    MD5

    0db817aeb130f6f0ecd06c7807e942be

    SHA1

    e629f8c3b53a2472d6404f7cb8d4a6e57d462c49

    SHA256

    f642e90211d5904a0330f6492cc55c352f4cffe884fc4866650a02f4b1d7918a

    SHA512

    9a07566fcc69bb82c63617a59d85f83e056f1ca8ccea2badb56cf12e032ac5727d150a3179a38320b364715b5a1f83e491a240dc6747684811b4df3010468d03

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Logs\12-14-2024
    Filesize

    224B

    MD5

    80adb6d63cee870609c630f90b7e5848

    SHA1

    920a49861b4b810f4cc63f1b2e8a9b32750812b1

    SHA256

    23a675d65b562b3f234081a1771fc9feaa3ccdd77f0befe247643b53207ffac3

    SHA512

    b27409a85910df7e722032c0dab9573c6d82663f8e11961a42ca7582dc931afabba20e63bbd53f7ef641e39f0c6aee800ebd2d2947880289a1e668060c45d1f8

    Download Submit

  • \Program Files (x86)\skibidi\security2.exe
    Filesize

    348KB

    MD5

    7500a9269a35b159e854312282732728

    SHA1

    5b3d03a59af9e662f84fb2ab113e6275a9d502af

    SHA256

    8b776eb44e02df10fec47058feac9cc18d0f169370ebf7cbd9f0f0b7b66c99f9

    SHA512

    3d46a5cec0dfc5b14381e21c096d0a9d094e6971629eada7fa4a3ddac7ac2192ff69c1c73b627447092d6589caab350fea14235cfbb380a364dba14969a7487f

    Download Submit

  • memory/1208-50-0x0000000001330000-0x000000000138E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/1692-68-0x0000000000390000-0x00000000003EE000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2212-32-0x0000000000BF0000-0x0000000000C4E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2548-13-0x0000000074B10000-0x00000000751FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2548-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2548-2-0x0000000074B10000-0x00000000751FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2548-1-0x0000000000140000-0x000000000019E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/3020-10-0x0000000000B10000-0x0000000000B6E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/3020-30-0x0000000074B10000-0x00000000751FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3020-15-0x0000000074B10000-0x00000000751FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3020-12-0x0000000074B10000-0x00000000751FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3020-11-0x0000000074B10000-0x00000000751FE000-memory.dmp

    Filesize

    6.9MB

    Download