Overview

overview

10

Static

static

10

gtagquestm...SS.exe

windows7-x64

10

gtagquestm...SS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-12-2024 20:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    gtagquestmodinstallerWIRELESS.exe

  • Size

    348KB

  • MD5

    6db96cd1cf57b9d20c877cd601ed8913

  • SHA1

    4b30134d786864dfddf2bd82b2d54852c255f569

  • SHA256

    f525a612bddb1ca64c4a3d0ab110f88ba79eabde6dd6b269819ceda5f02cd615

  • SHA512

    1a851d1ef6cce70a4278318a0355bf0e4ff243b091a4d7ee914d1978e8c09c40f8b3ade0cf9b2394c341f01d8238c496558c079507c6318f1b668dd9299de781

  • SSDEEP

    6144:J80RJ5G8kXtl5EH2F3tlPvsjbbROawlkhQLaopOav2dw:CeG8kmHcvsNOawlkhQLaopO/dw

Score
10/10
quasarskibididiscoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

skibidi

C2

localhost:4781

192.168.1.159:4781

skibiditoilet.hopto.org:4781

86.175.70.140:4781

86.170.82.234:4781

2a00:23c8:4d99:601:f150:3ac4:6899:28c7:4781
Mutex

QSR_MUTEX_NC3ofuVMHMxLqkQjQ7

Attributes
  • encryption_key

    2n8ltYdnR1KmKhFJpbSV

  • install_name

    security2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windows defender

  • subdirectory

    skibidi

Signatures

  • Quasar RAT 3 IoCs

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 16 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gtagquestmodinstallerWIRELESS.exe
    "C:\Users\Admin\AppData\Local\Temp\gtagquestmodinstallerWIRELESS.exe"
    1⤵
    • Quasar RAT
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2844
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\gtagquestmodinstallerWIRELESS.exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2780
    • C:\Program Files (x86)\skibidi\security2.exe
      "C:\Program Files (x86)\skibidi\security2.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2756
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2616
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\Rs0tTu2uqdGT.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1476
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2656
        • C:\Program Files (x86)\skibidi\security2.exe
          "C:\Program Files (x86)\skibidi\security2.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1028
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:568
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\91o1wXwS7nCY.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:296
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:348
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2240
            • C:\Program Files (x86)\skibidi\security2.exe
              "C:\Program Files (x86)\skibidi\security2.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2252
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:1640
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\Users\Admin\AppData\Local\Temp\kbQBDNf1tBnK.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1192
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:1436
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:1940
                • C:\Program Files (x86)\skibidi\security2.exe
                  "C:\Program Files (x86)\skibidi\security2.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:1584
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:2696
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 1416
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:3024
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 1436
            5⤵
            • Loads dropped DLL
            • Program crash
            PID:832
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1448
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:2892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\91o1wXwS7nCY.bat
    Filesize

    203B

    MD5

    e6a7c609b3dd2f15a5027df62ec31f4c

    SHA1

    4f6b9d1d909403b8228d0a9e667dc8905e6486a4

    SHA256

    df03ce15df42dce1d4b0348cb8d0d80ad23d8d9b89eb18c1a43f1c0481dc7b60

    SHA512

    2f51670bfb0e0e32f2525290517503ba9c41fcc4cc50b75df17f1461d79434eb43fb47547cde00de035f85114ac7cf095e6481170e0f9d67770d46f9c9f16f85

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Rs0tTu2uqdGT.bat
    Filesize

    203B

    MD5

    6dfd03bd4d1a304dcd4b2e8165c875db

    SHA1

    5dabdcd30f3499475d6fa609e2c50eab425b281b

    SHA256

    af279b592117304c63a502fdcb1ab60aea0343648546dd65e6cf41284301b40b

    SHA512

    4a61254ed1813602c490526ee3505e001cddd56cfb3aa192ebb10b2b76e6544bd746e518a62f9ef3c9ab1c7055eed9bd452b32212ffab1c88f1ab2af812c88e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\kbQBDNf1tBnK.bat
    Filesize

    203B

    MD5

    5732449fbf997ba211df1fece672b0a4

    SHA1

    787c2d9d1aaff4a8da01f85aca1bc9558b8486e9

    SHA256

    af2dfea6c88f2dc698fec61134ae84945fa3b03da896a05b1060ddb7f79b51af

    SHA512

    de84eea98513d5f861062db473ad957e37f3a98611a46755c11deeb9dcaeb7edd7142405160d2a4f0cbeac16ea8d65aacc1a303c434effc4f50d4f16d7b093a0

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024
    Filesize

    224B

    MD5

    81a5470c9c1a6f3da2e09287bac6e536

    SHA1

    5b32963e84e6f042aeb2bf294f0bd141927a59f3

    SHA256

    9e1463fc0522912c9ca9e72f26d20621a377ad18e91310c3d24e20fb051a2dcd

    SHA512

    930a182bd5867058ae8b71ee6db9ae9593abdae4ce8b9f23f0ef2268729481ef3d13e015e4bdc23575ee4498cbf40186570eceb660bf803cdd1d876b73f80eba

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024
    Filesize

    224B

    MD5

    77c2d698f8ee2faf488745733ea53468

    SHA1

    19227666cd6e970be69e811c53540d69b47e9c1b

    SHA256

    79acd91c24422d804ebe974d43f0e2ecc2a60ac85bfefe7505497db9bcf06c48

    SHA512

    e7d580cc8c8ac2ac727169516a162bcb6b3e1d095f4092f73bc3a29de6baa531a5dbcffaf5cb602b6e9a0703a6244ed7b1d6212a3188e5919c18fd6f9137c387

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024
    Filesize

    224B

    MD5

    eeb2d94b7b13aaaff9e48234d969b623

    SHA1

    7a20247c1029b5ee5b7cfd502742b8bf05ce51ef

    SHA256

    60286ba812c9a5297d5cbc23e15f2b04ec98383a3a5a60cdaea8e9879bc3a6b0

    SHA512

    829479c0f74216aacd15b5e560748dc5f2262e6d73425911cf831a99878cdfdcc72e8525639987e4a8de547f21d6fa88d6881227f24180f9fd9658070794c87c

    Download Submit

  • \Program Files (x86)\skibidi\security2.exe
    Filesize

    348KB

    MD5

    6db96cd1cf57b9d20c877cd601ed8913

    SHA1

    4b30134d786864dfddf2bd82b2d54852c255f569

    SHA256

    f525a612bddb1ca64c4a3d0ab110f88ba79eabde6dd6b269819ceda5f02cd615

    SHA512

    1a851d1ef6cce70a4278318a0355bf0e4ff243b091a4d7ee914d1978e8c09c40f8b3ade0cf9b2394c341f01d8238c496558c079507c6318f1b668dd9299de781

    Download Submit

  • memory/1028-32-0x0000000001300000-0x000000000135E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/1584-68-0x00000000013D0000-0x000000000142E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2252-50-0x0000000001300000-0x000000000135E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2756-10-0x0000000000F30000-0x0000000000F8E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2756-30-0x0000000074BE0000-0x00000000752CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2756-15-0x0000000074BE0000-0x00000000752CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2756-11-0x0000000074BE0000-0x00000000752CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2756-12-0x0000000074BE0000-0x00000000752CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2844-13-0x0000000074BE0000-0x00000000752CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2844-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2844-2-0x0000000074BE0000-0x00000000752CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2844-1-0x0000000001310000-0x000000000136E000-memory.dmp

    Filesize

    376KB

    Download