Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    14-12-2024 20:27

General

  • Target

    bannas.exe

  • Size

    348KB

  • MD5

    7500a9269a35b159e854312282732728

  • SHA1

    5b3d03a59af9e662f84fb2ab113e6275a9d502af

  • SHA256

    8b776eb44e02df10fec47058feac9cc18d0f169370ebf7cbd9f0f0b7b66c99f9

  • SHA512

    3d46a5cec0dfc5b14381e21c096d0a9d094e6971629eada7fa4a3ddac7ac2192ff69c1c73b627447092d6589caab350fea14235cfbb380a364dba14969a7487f

  • SSDEEP

    6144:wk+zrEsiN1PDA3COn7bblr71T2fJYUzsgNkd:dxsiNczZsf2UzXkd

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

C2

localhost:4781

192.168.1.159:4781

skibiditoilet.hopto.org:4781

86.175.70.140:4781

Mutex

QSR_MUTEX_86QM62MaEKfEyd8OVt

Attributes
  • encryption_key

    zZvCiezIyCBIqqTBUeKo

  • install_name

    security2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    security2

  • subdirectory

    skibidi
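
The extracted configuration above maps directly onto host and network indicators. The following Python is an added example written for this page, not tooling from the sandbox or from the Quasar project: it derives the install path, scheduled-task name, mutex and log location from the config fields, and separates the C2 entries that are reachable from outside the operator's own network from the localhost and RFC 1918 entries that are not. The install root and profile path passed to `host_iocs` are assumptions chosen to match the paths observed in this run (the implant is a 32-bit process, as the SysWOW64 children show, so it lands under Program Files (x86)).

```python
import ipaddress
import ntpath

# Config fields copied from the "Malware Config" section of this report.
QUASAR_CONFIG = {
    "version": "1.3.0.0",
    "botnet": "Office04",
    "c2": [
        "localhost:4781",
        "192.168.1.159:4781",
        "skibiditoilet.hopto.org:4781",
        "86.175.70.140:4781",
    ],
    "mutex": "QSR_MUTEX_86QM62MaEKfEyd8OVt",
    "install_name": "security2.exe",
    "log_directory": "Logs",
    "reconnect_delay": 3000,   # milliseconds between reconnect attempts
    "startup_key": "security2",
    "subdirectory": "skibidi",
}


def split_c2(entry):
    """'host:port' -> (host, port); rpartition keeps any colons inside the host."""
    host, _, port = entry.rpartition(":")
    return host, int(port)


def c2_is_routable(host):
    """True when the C2 host can be reached from outside the operator's LAN.
    localhost and private (RFC 1918) addresses are only useful as host-local
    artifacts; a DNS name or a public IP is a perimeter indicator."""
    if host.lower() == "localhost":
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        # Not an IP literal, so a DNS name (here a hopto.org dynamic-DNS host).
        return True


def network_iocs(config):
    """(host, port) pairs worth blocking or alerting on at the network edge."""
    return [
        (host, port)
        for host, port in map(split_c2, config["c2"])
        if c2_is_routable(host)
    ]


def host_iocs(config, install_root=r"C:\Program Files (x86)",
              appdata=r"C:\Users\Admin\AppData\Roaming"):
    """Host artifacts derived from the config. install_root and appdata are
    assumptions matching the paths observed in this run; they may differ on
    another host, user profile or build."""
    return {
        "install_path": ntpath.join(install_root, config["subdirectory"], config["install_name"]),
        "scheduled_task": config["startup_key"],
        "mutex": config["mutex"],
        "log_directory": ntpath.join(appdata, config["log_directory"]),
        "reconnect_seconds": config["reconnect_delay"] / 1000,
    }


if __name__ == "__main__":
    for host, port in network_iocs(QUASAR_CONFIG):
        print(f"block/alert: {host}:{port}")
    for name, value in host_iocs(QUASAR_CONFIG).items():
        print(f"{name}: {value}")
```

Only the hopto.org name and 86.175.70.140 survive the routability filter; localhost and 192.168.1.159 are left in the config by the builder and only matter as strings to match in memory or on disk. The derived install path and log directory agree with the dropped files listed under Downloads below.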

Signatures

  • Quasar RAT 3 IoCs

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bannas.exe
    "C:\Users\Admin\AppData\Local\Temp\bannas.exe"
    1⤵
    • Quasar RAT
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3660
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\bannas.exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3188
    • C:\Program Files (x86)\skibidi\security2.exe
      "C:\Program Files (x86)\skibidi\security2.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1176
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6KagUz6CyTAZ.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1548
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1488
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1264
        • C:\Program Files (x86)\skibidi\security2.exe
          "C:\Program Files (x86)\skibidi\security2.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3676
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:3640
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\inbv7rQ4jnKT.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5104
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4044
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1068
            • C:\Program Files (x86)\skibidi\security2.exe
              "C:\Program Files (x86)\skibidi\security2.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3628
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2516
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UPDZoHpwDcHF.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:860
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:3460
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2204
                • C:\Program Files (x86)\skibidi\security2.exe
                  "C:\Program Files (x86)\skibidi\security2.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3652
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:4060
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 1208
                7⤵
                • Program crash
                PID:4548
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 2212
            5⤵
            • Program crash
            PID:184
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4636 -s 1084
        3⤵
        • Program crash
        PID:3448
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4636 -ip 4636
    1⤵
      PID:4032
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3676 -ip 3676
      1⤵
        PID:3828
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3628 -ip 3628
        1⤵
          PID:2624
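
The process tree shows two behaviours a detection engineer would key on: every copy of the implant registers a HIGHEST-privilege ONLOGON task named after `startup_key` through schtasks, and each generation restarts the next through a temp `.bat` that runs `chcp 65001`, `ping -n 10 localhost` (a roughly nine-second sleep, not a connectivity check, despite the "Internet Connection Discovery" label) and then the install-path binary, which is why the same three-step chain repeats down the tree. The Python below is an added example for this page, not code from the sandbox or from Quasar; it runs both checks over constructed process-creation events (pid/ppid/image/command line, modelled on the tree above plus one benign task creation that must not fire) and would be fed Sysmon Event ID 1 or equivalent telemetry in practice.

```python
import re
from collections import defaultdict

# Constructed events modelled on the report's process tree; not real telemetry.
EVENTS = [
    dict(pid=3660, ppid=1000, image=r"C:\Users\Admin\AppData\Local\Temp\bannas.exe",
         cmd=r'"C:\Users\Admin\AppData\Local\Temp\bannas.exe"'),
    dict(pid=3188, ppid=3660, image=r"C:\Windows\SysWOW64\schtasks.exe",
         cmd=r'"schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\bannas.exe" /rl HIGHEST /f'),
    dict(pid=4636, ppid=3660, image=r"C:\Program Files (x86)\skibidi\security2.exe",
         cmd=r'"C:\Program Files (x86)\skibidi\security2.exe"'),
    dict(pid=1176, ppid=4636, image=r"C:\Windows\SysWOW64\schtasks.exe",
         cmd=r'"schtasks" /create /tn "security2" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f'),
    dict(pid=1548, ppid=4636, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmd=r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6KagUz6CyTAZ.bat" "'),
    dict(pid=1488, ppid=1548, image=r"C:\Windows\SysWOW64\chcp.com", cmd="chcp 65001"),
    dict(pid=1264, ppid=1548, image=r"C:\Windows\SysWOW64\PING.EXE", cmd="ping -n 10 localhost"),
    dict(pid=3676, ppid=1548, image=r"C:\Program Files (x86)\skibidi\security2.exe",
         cmd=r'"C:\Program Files (x86)\skibidi\security2.exe"'),
    # Benign control (constructed): an admin task that launches a system binary at logon.
    dict(pid=900, ppid=800, image=r"C:\Windows\System32\schtasks.exe",
         cmd=r'schtasks /create /tn "Backup" /sc ONLOGON /tr "C:\Windows\System32\robocopy.exe" /rl HIGHEST /f'),
]

# Targets under these roots are treated as trusted; anything else (Temp,
# Program Files (x86)\<random>, user profile) is a candidate implant path.
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

TN_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
TR_RE = re.compile(r'/tr\s+"([^"]+)"|/tr\s+(\S+)', re.I)
PING_SLEEP_RE = re.compile(r"ping\s+-n\s+\d+\s+localhost", re.I)


def schtasks_persistence(events):
    """Flag schtasks /create runs that register a HIGHEST-privilege logon task
    whose target lives outside the Windows directory."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\schtasks.exe"):
            continue
        cmd, low = ev["cmd"], ev["cmd"].lower()
        if "/create" not in low or "onlogon" not in low or "/rl highest" not in low:
            continue
        m_tr = TR_RE.search(cmd)
        if not m_tr:
            continue
        target = m_tr.group(1) or m_tr.group(2)
        if target.lower().startswith(TRUSTED_ROOTS):
            continue
        m_tn = TN_RE.search(cmd)
        hits.append({"pid": ev["pid"], "task": m_tn.group(1) if m_tn else None, "target": target})
    return hits


def restart_chains(events):
    """Find cmd.exe /c <something>.bat launches whose children are the restart
    recipe seen above: a ping-to-localhost sleep followed by a non-system
    executable being (re)launched from the same batch file."""
    children = defaultdict(list)
    for ev in events:
        children[ev["ppid"]].append(ev)
    chains = []
    for ev in events:
        if not ev["image"].lower().endswith("\\cmd.exe") or ".bat" not in ev["cmd"].lower():
            continue
        kids = children[ev["pid"]]
        slept = any(PING_SLEEP_RE.search(k["cmd"]) for k in kids)
        relaunched = [k["image"] for k in kids
                      if k["image"].lower().endswith(".exe")
                      and not k["image"].lower().startswith(TRUSTED_ROOTS)]
        if slept and relaunched:
            chains.append({"cmd_pid": ev["pid"], "relaunched": relaunched[0]})
    return chains


if __name__ == "__main__":
    for h in schtasks_persistence(EVENTS):
        print(f"persistence: pid={h['pid']} task={h['task']} target={h['target']}")
    for c in restart_chains(EVENTS):
        print(f"restart chain: cmd pid={c['cmd_pid']} relaunched {c['relaunched']}")
```

Both checks key on the parent/child relationship rather than on the batch file name, because the `.bat` names (6KagUz6CyTAZ.bat, inbv7rQ4jnKT.bat, UPDZoHpwDcHF.bat) are random per generation while the structure of the chain is constant. The WerFault.exe children in the tree are crash reporting for the implant processes and are not part of either pattern.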

        Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Program Files (x86)\skibidi\security2.exe

          Filesize

          348KB

          MD5

          7500a9269a35b159e854312282732728

          SHA1

          5b3d03a59af9e662f84fb2ab113e6275a9d502af

          SHA256

          8b776eb44e02df10fec47058feac9cc18d0f169370ebf7cbd9f0f0b7b66c99f9

          SHA512

          3d46a5cec0dfc5b14381e21c096d0a9d094e6971629eada7fa4a3ddac7ac2192ff69c1c73b627447092d6589caab350fea14235cfbb380a364dba14969a7487f

        • C:\Users\Admin\AppData\Local\Temp\6KagUz6CyTAZ.bat

          Filesize

          203B

          MD5

          a41f7127e4d305ac32086fe6728783ff

          SHA1

          f70298f68c507ba4f2b53d5d67c48e4f6a52898f

          SHA256

          ee736e4e4fb2788c06e403de3b0e9b181bcba3e0c7eb827530f8f988da1863aa

          SHA512

          6f05617fb66df3422e24e15cc921906dc0162dec3b29147a3d7c3c40bf0fd36c72d75cbe2fe365ec4b0544f54684ecc38f87d87a85cee892ee1a6b28637f87e8

        • C:\Users\Admin\AppData\Local\Temp\UPDZoHpwDcHF.bat

          Filesize

          203B

          MD5

          d2924114d7f6c2fdfa9b89009b4a3417

          SHA1

          d1d3dfd33eabf3b010be50930d7865eb946f01db

          SHA256

          2adf08afb679adfa3a518730b5d9373d59e11adb7eb20c9bb2ac2aa4763d424c

          SHA512

          9c18333ff1d73a1f6b24d56877bebd26979f5a50120336f3f4bff4570c53ccefeb01b67bc3ca0597aa96af0abad96ff46410b1f638ed5dc2212d0033bddf0520

        • C:\Users\Admin\AppData\Local\Temp\inbv7rQ4jnKT.bat

          Filesize

          203B

          MD5

          0c92f5502fe456497667d9fc21632ec0

          SHA1

          f6a2a9954448fa4b4a7b038e8233007523e4a21e

          SHA256

          d3e320d204b2ee6b5378c8d403c7daccab2896ab7aad6f5233ee77d8643afe28

          SHA512

          f4fa01e30d90469cbde8cd05712dc00300da57bbad4eb839e2d56439b9851ac20e62056672da143d33a7eb13745a297c278ffe8b5ba75de32f72a5dcf76c1467

        • C:\Users\Admin\AppData\Roaming\Logs\12-14-2024

          Filesize

          224B

          MD5

          0d4663350b10d8eaa1323f83da79beb2

          SHA1

          b52b94481dcb36ed3aa245cbdef8eaa81e94b125

          SHA256

          c06d43a58b60014ddbffb37ec9ef9da450c255c6d679628db908325a20725899

          SHA512

          eff800a75fff4c9b61348590adbdccfa9457eee87ae3802b16927b1907248fcc159dc62d80fddd4a4dd2c328f1d3e1d04ef331e3f2445fe60c03c4a7aafcc761

        • C:\Users\Admin\AppData\Roaming\Logs\12-14-2024

          Filesize

          224B

          MD5

          e5376ccdab13b300093f58c05f358412

          SHA1

          22c09f7318d5b7eaa8ca562793ec2de4368eaf1c

          SHA256

          934ad2537ea374f2f37122f92aea072ee2a9842d6b3149e5445bee1cd87cef4f

          SHA512

          2a36a411f664b51af8a300f990ede5521e350a1ba4fbc9b89a4817001e8031338f9e8a776a33bcf216f7dc917cb904fc2d57335611d23cea11112d96f886f571

        • C:\Users\Admin\AppData\Roaming\Logs\12-14-2024

          Filesize

          224B

          MD5

          60bfcb6a429376e58a9ea14567953669

          SHA1

          7fe4287b2e8093f5e2be3884c70d844daf826db8

          SHA256

          fe6aafde62fbeae1b26b584d2895da959f3febf73696a84794034b0fb60c7b61

          SHA512

          5da1e7c50adecb25174f872096c789186b632049a17997317772c2fb4a90e28bbd73fe6aa01ee3d3e72923c051f90147ddb6dcf7a60c1c628cb935dd18224a96

        • memory/3660-6-0x0000000005AC0000-0x0000000005AD2000-memory.dmp

          Filesize

          72KB

        • memory/3660-2-0x00000000051D0000-0x0000000005774000-memory.dmp

          Filesize

          5.6MB

        • memory/3660-14-0x00000000745B0000-0x0000000074D60000-memory.dmp

          Filesize

          7.7MB

        • memory/3660-0-0x00000000745BE000-0x00000000745BF000-memory.dmp

          Filesize

          4KB

        • memory/3660-7-0x0000000006000000-0x000000000603C000-memory.dmp

          Filesize

          240KB

        • memory/3660-3-0x0000000004D00000-0x0000000004D92000-memory.dmp

          Filesize

          584KB

        • memory/3660-5-0x0000000004DA0000-0x0000000004E06000-memory.dmp

          Filesize

          408KB

        • memory/3660-1-0x0000000000350000-0x00000000003AE000-memory.dmp

          Filesize

          376KB

        • memory/3660-4-0x00000000745B0000-0x0000000074D60000-memory.dmp

          Filesize

          7.7MB

        • memory/4636-15-0x00000000745B0000-0x0000000074D60000-memory.dmp

          Filesize

          7.7MB

        • memory/4636-24-0x00000000745B0000-0x0000000074D60000-memory.dmp

          Filesize

          7.7MB

        • memory/4636-19-0x00000000745B0000-0x0000000074D60000-memory.dmp

          Filesize

          7.7MB

        • memory/4636-18-0x00000000061F0000-0x00000000061FA000-memory.dmp

          Filesize

          40KB

        • memory/4636-16-0x00000000745B0000-0x0000000074D60000-memory.dmp

          Filesize

          7.7MB