Analysis

  • max time kernel
    143s
  • max time network
    143s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    16-12-2024 20:41

General

  • Target

    gtag quest mod installer WIRELESS.exe

  • Size

    348KB

  • MD5

    6db96cd1cf57b9d20c877cd601ed8913

  • SHA1

    4b30134d786864dfddf2bd82b2d54852c255f569

  • SHA256

    f525a612bddb1ca64c4a3d0ab110f88ba79eabde6dd6b269819ceda5f02cd615

  • SHA512

    1a851d1ef6cce70a4278318a0355bf0e4ff243b091a4d7ee914d1978e8c09c40f8b3ade0cf9b2394c341f01d8238c496558c079507c6318f1b668dd9299de781

  • SSDEEP

    6144:J80RJ5G8kXtl5EH2F3tlPvsjbbROawlkhQLaopOav2dw:CeG8kmHcvsNOawlkhQLaopO/dw

Malware Config

Extracted

  • Family
    quasar
  • Version
    1.3.0.0
  • Botnet
    skibidi
  • C2
    localhost:4781
    192.168.1.159:4781
    skibiditoilet.hopto.org:4781
    86.175.70.140:4781
    86.170.82.234:4781
    2a00:23c8:4d99:601:f150:3ac4:6899:28c7:4781
  • Mutex
    QSR_MUTEX_NC3ofuVMHMxLqkQjQ7

Attributes
  • encryption_key

    2n8ltYdnR1KmKhFJpbSV

  • install_name

    security2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windows defender

  • subdirectory

    skibidi

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gtag quest mod installer WIRELESS.exe
    "C:\Users\Admin\AppData\Local\Temp\gtag quest mod installer WIRELESS.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\gtag quest mod installer WIRELESS.exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2332
    • C:\Program Files (x86)\skibidi\security2.exe
      "C:\Program Files (x86)\skibidi\security2.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4780
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:3396
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jbv9qJZyrV1j.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:344
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3188
        • C:\Program Files (x86)\skibidi\security2.exe
          "C:\Program Files (x86)\skibidi\security2.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4072
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:4952
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YlvsULaXbyrz.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1920
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1900
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1068
            • C:\Program Files (x86)\skibidi\security2.exe
              "C:\Program Files (x86)\skibidi\security2.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3692
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:4876
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ct0V1U4JwtWc.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:3480
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:4156
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2636
                • C:\Program Files (x86)\skibidi\security2.exe
                  "C:\Program Files (x86)\skibidi\security2.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:1892
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:1584
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3692 -s 1204
                7⤵
                • Program crash
                PID:4340
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 2288
            5⤵
            • Program crash
            PID:3500
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 2036
        3⤵
        • Program crash
        PID:3108
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4780 -ip 4780
    1⤵
    PID:4976
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4072 -ip 4072
    1⤵
    PID:2136
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3692 -ip 3692
    1⤵
    PID:1552

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\skibidi\security2.exe
    Filesize: 348KB
    MD5: 6db96cd1cf57b9d20c877cd601ed8913
    SHA1: 4b30134d786864dfddf2bd82b2d54852c255f569
    SHA256: f525a612bddb1ca64c4a3d0ab110f88ba79eabde6dd6b269819ceda5f02cd615
    SHA512: 1a851d1ef6cce70a4278318a0355bf0e4ff243b091a4d7ee914d1978e8c09c40f8b3ade0cf9b2394c341f01d8238c496558c079507c6318f1b668dd9299de781
  • C:\Users\Admin\AppData\Local\Temp\Jbv9qJZyrV1j.bat
    Filesize: 203B
    MD5: 0720da7d2317371cc077add187078c74
    SHA1: c353f81d76cce23c4e6f2fb76bf0cc75faa1ed0e
    SHA256: 588bdb1d4bc82301ae46215e6881d94bede5a68073f0d62b39cefbb408da8a98
    SHA512: 192af69e603cba1c201a3f4731f1c5137aa032801299eb3c2f4345e77e933ce265bd39766a377bf3f468624265928a71d13fa842568fb403230cfb830f034c3c
  • C:\Users\Admin\AppData\Local\Temp\YlvsULaXbyrz.bat
    Filesize: 203B
    MD5: a4395a573677ad1aad43d4904025abcc
    SHA1: 910c8d1ddd7e18829e49823242a2d6e3a97963be
    SHA256: 8a85e4fb2f2f86ffc1c38f45cb99aac2b8289ef38f749382b4c430e0325f920b
    SHA512: b3f19478f725710b60535304cdd7f5131e9cbfcef582eb18071f4860ab467b376367b8cd0562ee15700fe169a0ed52b64d7be756aa7f1e7d20842fe0d2b8f633
  • C:\Users\Admin\AppData\Local\Temp\ct0V1U4JwtWc.bat
    Filesize: 203B
    MD5: e2db14f5b2634d5a7bfa7a375a0f425d
    SHA1: ed581748829445a7e4c824d3a19df18b40557860
    SHA256: 0647c71d40429768e87ea59879cd95c42f8d949e02a764dd2d762eacf46c54e7
    SHA512: e4983f2523af7cc0c93f60d8ded842bcbef2c1f20989436c5abb0ead4746201bed5301a8b6419b277e4bb9e421bddce1385e9b68a741e4e80d6ab6201958915e
  • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024
    Filesize: 224B
    MD5: f1fff06564d270ab0a379de40b73507c
    SHA1: ef11585b97329507b0413a5b6b45e1295e85a261
    SHA256: dbe05f6fb72e18c36852f39dd17b1f6730943b419780492d3a8a5b35ac5e31e1
    SHA512: 554f349fa16ff76a590756d993f21a2b258687a89e6b9e4a6269c514ddcda5741f2a3eb876baa0bcd7cef72a38394dc9d6323dcc76d1ae995846ec5a350e418d
  • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024
    Filesize: 224B
    MD5: a92bd760fae4e11df66f7c15e103ed21
    SHA1: 782eea61d545994ac009d19b3bbf54c2ae4d317a
    SHA256: b51650b580e360b028363f43d872a8afcaa39ddc2fe2b030d7e83e80568368ee
    SHA512: 1cb8d8c828103acfa6483d74c17656c3026f2607b9ff50f90792b016055669d7c776b0d65227cb82c90866f96f218c061faabfb2be29c16e49f48bf459be5883
  • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024
    Filesize: 224B
    MD5: 6a4905c6c1e8c1199ea5ed9e05c708c0
    SHA1: 69319c78e7a16f8fc37f55ec6aae5fb6363c6952
    SHA256: 19e145d634ba98b2164af37f1c8db0812cd2b2e0b30a416320d12778c811e288
    SHA512: ba6b33fe8a1b8f7f3571abf433a3c164ebda2ecda8d1af0d9fe3034cf95692e029a8f1d729f65a71d760fecf0c0e487a6eb8779e532ec9727eac2610d48eaa2e
