Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-12-2024 20:41

General

  • Target

    gtag quest mod installer WIRELESS.exe

  • Size

    348KB

  • MD5

    6db96cd1cf57b9d20c877cd601ed8913

  • SHA1

    4b30134d786864dfddf2bd82b2d54852c255f569

  • SHA256

    f525a612bddb1ca64c4a3d0ab110f88ba79eabde6dd6b269819ceda5f02cd615

  • SHA512

    1a851d1ef6cce70a4278318a0355bf0e4ff243b091a4d7ee914d1978e8c09c40f8b3ade0cf9b2394c341f01d8238c496558c079507c6318f1b668dd9299de781

  • SSDEEP

    6144:J80RJ5G8kXtl5EH2F3tlPvsjbbROawlkhQLaopOav2dw:CeG8kmHcvsNOawlkhQLaopO/dw

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

skibidi

C2

localhost:4781

192.168.1.159:4781

skibiditoilet.hopto.org:4781

86.175.70.140:4781

86.170.82.234:4781

2a00:23c8:4d99:601:f150:3ac4:6899:28c7:4781

Mutex

QSR_MUTEX_NC3ofuVMHMxLqkQjQ7

Attributes
  • encryption_key

    2n8ltYdnR1KmKhFJpbSV

  • install_name

    security2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windows defender

  • subdirectory

    skibidi

Signatures

  • Quasar RAT (3 IoCs)

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload (2 IoCs)
  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up the country code configured in the registry, likely as a geofence.

  • Executes dropped EXE (4 IoCs)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory (10 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (3 IoCs)
  • System Location Discovery: System Language Discovery (1 TTPs, 19 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 3 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe (1 TTPs, 3 IoCs)
  • Scheduled Task/Job: Scheduled Task (1 TTPs, 5 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (54 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\gtag quest mod installer WIRELESS.exe
    "C:\Users\Admin\AppData\Local\Temp\gtag quest mod installer WIRELESS.exe"
    1⤵
    • Quasar RAT
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4668
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\gtag quest mod installer WIRELESS.exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3540
    • C:\Program Files (x86)\skibidi\security2.exe
      "C:\Program Files (x86)\skibidi\security2.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4800
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4688
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EFBTNJdA7Gih.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1892
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4172
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3720
        • C:\Program Files (x86)\skibidi\security2.exe
          "C:\Program Files (x86)\skibidi\security2.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:452
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:5016
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HvLgm6uT3EEu.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1300
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2900
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4748
            • C:\Program Files (x86)\skibidi\security2.exe
              "C:\Program Files (x86)\skibidi\security2.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3660
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:4816
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aizGxkEdKSHE.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2620
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:232
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2040
                • C:\Program Files (x86)\skibidi\security2.exe
                  "C:\Program Files (x86)\skibidi\security2.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3516
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:3768
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 2236
                7⤵
                • Program crash
                PID:4716
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 2240
            5⤵
            • Program crash
            PID:3236
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 1988
        3⤵
        • Program crash
        PID:4528
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4800 -ip 4800
    1⤵
    PID:2772
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 452 -ip 452
    1⤵
    PID:2764
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3660 -ip 3660
    1⤵
    PID:4108

        Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • C:\Program Files (x86)\skibidi\security2.exe

          Filesize

          348KB

          MD5

          6db96cd1cf57b9d20c877cd601ed8913

          SHA1

          4b30134d786864dfddf2bd82b2d54852c255f569

          SHA256

          f525a612bddb1ca64c4a3d0ab110f88ba79eabde6dd6b269819ceda5f02cd615

          SHA512

          1a851d1ef6cce70a4278318a0355bf0e4ff243b091a4d7ee914d1978e8c09c40f8b3ade0cf9b2394c341f01d8238c496558c079507c6318f1b668dd9299de781

        • C:\Users\Admin\AppData\Local\Temp\EFBTNJdA7Gih.bat

          Filesize

          203B

          MD5

          b8133ff1c10bc2e9cc0c1098db4b61f7

          SHA1

          1e27718fdeaecd74938e4f3017029063dce83381

          SHA256

          5d9decec8e484b5f5d6813ca1a738c41f58bb8841e9e2ea2552b4dddf43076af

          SHA512

          cf4dc1384c262bd231217ea91b4202dfa1da1a1ba9149b9b022c17f99bab633cd0c03392b57b71c4654c745ac9208fdbb478dbce192fd6cecd5ddc7ad0f19492

        • C:\Users\Admin\AppData\Local\Temp\HvLgm6uT3EEu.bat

          Filesize

          203B

          MD5

          a65db0840d7c7b13bfe618450e7f4d95

          SHA1

          bcdd742e74f52dc22feb98a58e8456e7f805d84a

          SHA256

          a7ed21912ba6280046368fd2ff6580e3f4e4f83b6f1227cfc6e9f0834b3c6978

          SHA512

          7decde4a61b5a5a3d2342e2f9c4e5fe5e72a2bba2e90f0e72f1da09dea54163714a187aa44d52e2057aed82910fcf35ee988dccdcc0716525fbdd1f5dd25df91

        • C:\Users\Admin\AppData\Local\Temp\aizGxkEdKSHE.bat

          Filesize

          203B

          MD5

          fb0c892cf40c63e1c41ceb063ad5f1aa

          SHA1

          fd5f9539824cd73a47f0ce5e6f85dd9f3a8f705e

          SHA256

          a72f01f5b2c3a8875c7cd5cd5ed787f6a66ed4c77a1dfce44d1b1c1d3730354a

          SHA512

          27a28622251b923853140e1df5547f3ad094299d073830eb2d7b7d76471987c267f5f3da85a1cfb380a8bb2bf4672c8b0e41178d198b95f1d21c0e13c4dc817c

        • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024

          Filesize

          224B

          MD5

          1611977200c9b9e6ca06b336da860810

          SHA1

          6b72ec521fe5d00e34ae04b14d9cfed327b84179

          SHA256

          f38da96c2ce242c1c93bc2dbf3decd16f6a14a1a27e8c1c75e61fd2da7ecb939

          SHA512

          b85b5276a02df7b2beb2b80f448eb2b217ff62f8f28c2759881afe13934975b77f8abdcfaf003b50add59ced3fd77dad7d8028d5468c8e4d871b84b2ac4c87cf

        • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024

          Filesize

          224B

          MD5

          1976a693854137ded5cd8eeae5224d8e

          SHA1

          4588d237d56a6c7ee3b12517632705daf2ce8bce

          SHA256

          cd0a17b2f70125d12cc06f3f204e9274409872afc46b835c237c53fd5ca22136

          SHA512

          9bcdc6588c427ac3867427899c49227b0d32ce8250f4de7c4c0d13e0bb71bdf1a6aed5b8d976913e8275d07cda1b7b4c2f0ecaf73189e2772a3d2f1f13b9026b

        • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024

          Filesize

          224B

          MD5

          f57f30c1edb94c7d7b29176f005d740d

          SHA1

          574e6db92ea59976562fb9507a5d0aaf6df76935

          SHA256

          3c1e84535983d763cad039aa8e8c0b01fd685cf20a3d43aa7b360e13a6efe2cd

          SHA512

          b18c7e551b771f22bf3c1509b7405dc9584a3ef427824110d67876703a92cba3926eca0edce65f6ddfa8ed2f8eca2a1201fe3ad78152a8fb74d610040d9f8c46

        • memory/4668-4-0x0000000074A00000-0x00000000751B0000-memory.dmp

          Filesize

          7.7MB

        • memory/4668-5-0x0000000005150000-0x00000000051B6000-memory.dmp

          Filesize

          408KB

        • memory/4668-6-0x0000000005D70000-0x0000000005D82000-memory.dmp

          Filesize

          72KB

        • memory/4668-7-0x00000000062B0000-0x00000000062EC000-memory.dmp

          Filesize

          240KB

        • memory/4668-3-0x00000000050B0000-0x0000000005142000-memory.dmp

          Filesize

          584KB

        • memory/4668-14-0x0000000074A00000-0x00000000751B0000-memory.dmp

          Filesize

          7.7MB

        • memory/4668-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

          Filesize

          4KB

        • memory/4668-2-0x0000000005660000-0x0000000005C04000-memory.dmp

          Filesize

          5.6MB

        • memory/4668-1-0x0000000000730000-0x000000000078E000-memory.dmp

          Filesize

          376KB

        • memory/4800-15-0x0000000074A00000-0x00000000751B0000-memory.dmp

          Filesize

          7.7MB

        • memory/4800-24-0x0000000074A00000-0x00000000751B0000-memory.dmp

          Filesize

          7.7MB

        • memory/4800-19-0x0000000074A00000-0x00000000751B0000-memory.dmp

          Filesize

          7.7MB

        • memory/4800-18-0x0000000006150000-0x000000000615A000-memory.dmp

          Filesize

          40KB

        • memory/4800-16-0x0000000074A00000-0x00000000751B0000-memory.dmp

          Filesize

          7.7MB