Analysis

  • max time kernel
    145s
  • max time network
    144s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    16-12-2024 20:41

General

  • Target

    gtag quest mod installer WIRELESS.exe

  • Size

    348KB

  • MD5

    6db96cd1cf57b9d20c877cd601ed8913

  • SHA1

    4b30134d786864dfddf2bd82b2d54852c255f569

  • SHA256

    f525a612bddb1ca64c4a3d0ab110f88ba79eabde6dd6b269819ceda5f02cd615

  • SHA512

    1a851d1ef6cce70a4278318a0355bf0e4ff243b091a4d7ee914d1978e8c09c40f8b3ade0cf9b2394c341f01d8238c496558c079507c6318f1b668dd9299de781

  • SSDEEP

    6144:J80RJ5G8kXtl5EH2F3tlPvsjbbROawlkhQLaopOav2dw:CeG8kmHcvsNOawlkhQLaopO/dw

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

skibidi

C2

localhost:4781

192.168.1.159:4781

skibiditoilet.hopto.org:4781

86.175.70.140:4781

86.170.82.234:4781

2a00:23c8:4d99:601:f150:3ac4:6899:28c7:4781

Mutex

QSR_MUTEX_NC3ofuVMHMxLqkQjQ7

Attributes
  • encryption_key

    2n8ltYdnR1KmKhFJpbSV

  • install_name

    security2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windows defender

  • subdirectory

    skibidi

Signatures

  • Quasar RAT 3 IoCs

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gtag quest mod installer WIRELESS.exe
    "C:\Users\Admin\AppData\Local\Temp\gtag quest mod installer WIRELESS.exe"
    1⤵
    • Quasar RAT
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1536
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\gtag quest mod installer WIRELESS.exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2212
    • C:\Program Files (x86)\skibidi\security2.exe
      "C:\Program Files (x86)\skibidi\security2.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3064
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4664
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bUTgh2wOPWhA.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5060
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2308
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2240
        • C:\Program Files (x86)\skibidi\security2.exe
          "C:\Program Files (x86)\skibidi\security2.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1672
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:764
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\no5UQBgcP48K.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5088
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:732
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1344
            • C:\Program Files (x86)\skibidi\security2.exe
              "C:\Program Files (x86)\skibidi\security2.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:5056
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:1844
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\w0DGNviJYoFM.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4344
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2044
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2648
                • C:\Program Files (x86)\skibidi\security2.exe
                  "C:\Program Files (x86)\skibidi\security2.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:4048
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:220
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 2228
                7⤵
                • Program crash
                PID:3140
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1692
            5⤵
            • Program crash
            PID:2192
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 2268
        3⤵
        • Program crash
        PID:4996
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3064 -ip 3064
    1⤵
    PID:4448
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1672 -ip 1672
    1⤵
    PID:1776
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5056 -ip 5056
    1⤵
    PID:2100

        Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files (x86)\skibidi\security2.exe

          Filesize

          348KB

          MD5

          6db96cd1cf57b9d20c877cd601ed8913

          SHA1

          4b30134d786864dfddf2bd82b2d54852c255f569

          SHA256

          f525a612bddb1ca64c4a3d0ab110f88ba79eabde6dd6b269819ceda5f02cd615

          SHA512

          1a851d1ef6cce70a4278318a0355bf0e4ff243b091a4d7ee914d1978e8c09c40f8b3ade0cf9b2394c341f01d8238c496558c079507c6318f1b668dd9299de781

        • C:\Users\Admin\AppData\Local\Temp\bUTgh2wOPWhA.bat

          Filesize

          203B

          MD5

          adb7dc64d33a266c9e0c58a47d344159

          SHA1

          144312d016bc71afb1625737ee2bbbe7bc1b31f5

          SHA256

          f05e230bad1e002f1ca38f02dc2eae6047124aa2688f4a6a3f2cf69b72e222b8

          SHA512

          88ee56c219bec99897ec5d64cd7f0e7a78b1305c70a2a6744f758bca2fbd54e23589a4f8fc60fe66d42175339b67b80803084f865f39d6670e28e0c421c833f7

        • C:\Users\Admin\AppData\Local\Temp\no5UQBgcP48K.bat

          Filesize

          203B

          MD5

          d10819677291059ac9b2d9e01061bc8d

          SHA1

          1970759e6107fbeedfabdbd66413470bbbd7827a

          SHA256

          46789cd1650059554ed2618f5b5e6199e27909a12153c30aaf3dc1964d5d82da

          SHA512

          bc83e659c83d56de793198f29fe4e25a0256f498fec3b42b59043877670cf8bf9529a5b38cc91bda0805af82e600e5a9499e2faa446cbae3147b5eb609c54532

        • C:\Users\Admin\AppData\Local\Temp\w0DGNviJYoFM.bat

          Filesize

          203B

          MD5

          047a5267f2a1720b8f8e2a29b30277e7

          SHA1

          50bec64d1dcba95b87918620f7fb2c9cf671abd4

          SHA256

          4946fdb7af44c03f14f986664ac7dd96c863e37267d0c2c41bfd80b7a7c56a03

          SHA512

          31f7bd5a28eb8f7a2e485186b84b2a449a0b192d14de3f3d06dc0693471347aad1ca104d9cace1d3d05a8aaefc5aae3fb0f03a40054db6ff7765c8d5e58040d1

        • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024

          Filesize

          224B

          MD5

          4c125097db5502a6044eca548a69c1fd

          SHA1

          94eab7b989f31cc17c91829ca5c0ad92dbf72e45

          SHA256

          fda9319f0b2cf84afda442d56c661ac19c25ecbbf3c28e18147b01e2353fde22

          SHA512

          282bca973cba31bf33b4f2c8fb801f491655826c3fd713bc9adda95764b1b2bb62f97adf9521d4bc0ba29b56c60a6b5e64cf8333c5a489476f7c192ce68af1cd

        • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024

          Filesize

          224B

          MD5

          e66b5dbf4dd855cac78d1ff20489b57a

          SHA1

          1cbb37d93b611dc62b64d02a200bcf62168d330e

          SHA256

          cfe4ee10d8892eb71301b5c02e3897a0d6d77486fbb61cc951e9645785999a70

          SHA512

          bda02abc515c61123ff5185b0bb799b89202aea3db7d7d472aa6b7cb1466ad835d2a6a08f07a0277a5eeae0096e663a10393c841ba851cb0f77c8edcc0f21be1

        • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024

          Filesize

          224B

          MD5

          ffebc2d8dfd82da86d457f71200cf144

          SHA1

          3f9a2e61b20696dacf2dc2018904a59bc5ad26e5

          SHA256

          11e16db8f84c33e30a79aacd67e7c258601aa7181483a7f406e7d5f3a1bec3d7

          SHA512

          106719229f743ccb0815fb2db48d0e7a7d72fc6979dc5bf3b98369e7ab9e1c9910142cef6db0991f6447d9b712116638af28361e14c8417b2c8cf4cb5793c4fd

        • memory/1536-4-0x0000000074AD0000-0x0000000075281000-memory.dmp

          Filesize

          7.7MB

        • memory/1536-5-0x0000000005650000-0x00000000056B6000-memory.dmp

          Filesize

          408KB

        • memory/1536-6-0x0000000005BC0000-0x0000000005BD2000-memory.dmp

          Filesize

          72KB

        • memory/1536-7-0x00000000067B0000-0x00000000067EC000-memory.dmp

          Filesize

          240KB

        • memory/1536-3-0x0000000005560000-0x00000000055F2000-memory.dmp

          Filesize

          584KB

        • memory/1536-10-0x0000000074AD0000-0x0000000075281000-memory.dmp

          Filesize

          7.7MB

        • memory/1536-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

          Filesize

          4KB

        • memory/1536-2-0x0000000005C00000-0x00000000061A6000-memory.dmp

          Filesize

          5.6MB

        • memory/1536-1-0x0000000000C50000-0x0000000000CAE000-memory.dmp

          Filesize

          376KB

        • memory/3064-11-0x0000000074AD0000-0x0000000075281000-memory.dmp

          Filesize

          7.7MB

        • memory/3064-23-0x0000000074AD0000-0x0000000075281000-memory.dmp

          Filesize

          7.7MB

        • memory/3064-15-0x0000000074AD0000-0x0000000075281000-memory.dmp

          Filesize

          7.7MB

        • memory/3064-14-0x0000000006A90000-0x0000000006A9A000-memory.dmp

          Filesize

          40KB

        • memory/3064-12-0x0000000074AD0000-0x0000000075281000-memory.dmp

          Filesize

          7.7MB