Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-12-2024 20:53

General

  • Target

    gtagquestmodinstallerWIRELESS.exe

  • Size

    348KB

  • MD5

    6db96cd1cf57b9d20c877cd601ed8913

  • SHA1

    4b30134d786864dfddf2bd82b2d54852c255f569

  • SHA256

    f525a612bddb1ca64c4a3d0ab110f88ba79eabde6dd6b269819ceda5f02cd615

  • SHA512

    1a851d1ef6cce70a4278318a0355bf0e4ff243b091a4d7ee914d1978e8c09c40f8b3ade0cf9b2394c341f01d8238c496558c079507c6318f1b668dd9299de781

  • SSDEEP

    6144:J80RJ5G8kXtl5EH2F3tlPvsjbbROawlkhQLaopOav2dw:CeG8kmHcvsNOawlkhQLaopO/dw

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

skibidi

C2

localhost:4781

192.168.1.159:4781

skibiditoilet.hopto.org:4781

86.175.70.140:4781

86.170.82.234:4781

2a00:23c8:4d99:601:f150:3ac4:6899:28c7:4781

Mutex

QSR_MUTEX_NC3ofuVMHMxLqkQjQ7

Attributes
  • encryption_key

    2n8ltYdnR1KmKhFJpbSV

  • install_name

    security2.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    windows defender

  • subdirectory

    skibidi

Signatures

  • Quasar RAT 3 IoCs

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 5 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\gtagquestmodinstallerWIRELESS.exe
    "C:\Users\Admin\AppData\Local\Temp\gtagquestmodinstallerWIRELESS.exe"
    1⤵
    • Quasar RAT
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\gtagquestmodinstallerWIRELESS.exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2836
    • C:\Program Files (x86)\skibidi\security2.exe
      "C:\Program Files (x86)\skibidi\security2.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4548
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\95tluhMfnRMl.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4524
        • C:\Windows\SysWOW64\chcp.com
          chcp 65001
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1368
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 10 localhost
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2240
        • C:\Program Files (x86)\skibidi\security2.exe
          "C:\Program Files (x86)\skibidi\security2.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1592
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:860
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uXbh0cpjfHvn.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3620
            • C:\Windows\SysWOW64\chcp.com
              chcp 65001
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1092
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 10 localhost
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:440
            • C:\Program Files (x86)\skibidi\security2.exe
              "C:\Program Files (x86)\skibidi\security2.exe"
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3988
              • C:\Windows\SysWOW64\schtasks.exe
                "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:4596
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heMAUEqgr4mU.bat" "
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:4512
                • C:\Windows\SysWOW64\chcp.com
                  chcp 65001
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2020
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 10 localhost
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2860
                • C:\Program Files (x86)\skibidi\security2.exe
                  "C:\Program Files (x86)\skibidi\security2.exe"
                  8⤵
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3772
                  • C:\Windows\SysWOW64\schtasks.exe
                    "schtasks" /create /tn "windows defender" /sc ONLOGON /tr "C:\Program Files (x86)\skibidi\security2.exe" /rl HIGHEST /f
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Scheduled Task/Job: Scheduled Task
                    PID:1104
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 2236
                7⤵
                • Program crash
                PID:4852
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 2232
            5⤵
            • Program crash
            PID:512
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1992
        3⤵
        • Program crash
        PID:852
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4548 -ip 4548
    1⤵
    PID:3156
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1592 -ip 1592
    1⤵
    PID:1156
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3988 -ip 3988
    1⤵
    PID:2328

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\skibidi\security2.exe

    Filesize

    348KB

    MD5

    6db96cd1cf57b9d20c877cd601ed8913

    SHA1

    4b30134d786864dfddf2bd82b2d54852c255f569

    SHA256

    f525a612bddb1ca64c4a3d0ab110f88ba79eabde6dd6b269819ceda5f02cd615

    SHA512

    1a851d1ef6cce70a4278318a0355bf0e4ff243b091a4d7ee914d1978e8c09c40f8b3ade0cf9b2394c341f01d8238c496558c079507c6318f1b668dd9299de781

  • C:\Users\Admin\AppData\Local\Temp\95tluhMfnRMl.bat

    Filesize

    203B

    MD5

    fba1840db2bbed831bcce84d07a4aed6

    SHA1

    4660239f3e21e0ab4119c7a9b24c557749ef2d92

    SHA256

    4191d6702ea1525ac8b12605f404792f069a934d1fcbb1c8d1a8f4ee03ed158d

    SHA512

    6a627fba000eb026d66c658399e469143facd7e513cd14e32fb99e8f5b88bc166477686e924ab23e8a7d3410eafd588dd35db4f59f75cacd4e2597b648888b85

  • C:\Users\Admin\AppData\Local\Temp\heMAUEqgr4mU.bat

    Filesize

    203B

    MD5

    6bbb527db9752024f0e6fb6b8c647ee7

    SHA1

    ab950aae8d8bc937939cdbdb9eb24f1380fcb2e6

    SHA256

    c9e3e1a092c5892425f460101913c420677b01cd42b883a0f266e077154d5cfe

    SHA512

    bbb684585355a4fc9b97d83e78e10d4468ac2866f0794854faae0b08621eb26120c331d61cdbd3441e1f31f5fe5b14fc344d43448eacfa3f1427759dbee014a7

  • C:\Users\Admin\AppData\Local\Temp\uXbh0cpjfHvn.bat

    Filesize

    203B

    MD5

    173d5e256f2ca395c0ff1fde3c1d1488

    SHA1

    0b0de5bb286d1bbc5c04fbac9fe84502838f90bd

    SHA256

    79459b57264ade66707ac6423caa9d512d80ba01247801264bae44808e3bbec0

    SHA512

    e7d8095d6f9ca25683a537f1d4f5f9fb752914f285a23368733b597f95778a43db1012a068cb21108b5be63eeec6df86ee799112259faa10ccc1dbaecebb873f

  • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024

    Filesize

    224B

    MD5

    8ba04750c0f28ebde53f9d741c528467

    SHA1

    8e7868acbbafe69df71660e43630283b33597441

    SHA256

    e24809477433020e907d3e26465d1c9118d4c25d4d265df83a5590eed60a144d

    SHA512

    5d15d4b4dd17ae77ca2187582ed4937cc20a01a180cb4b7375260e1b6432ad47e307a8a17ddebddf972c2fe5ff42bae12756677160647732d2c64a9dfc3eded2

  • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024

    Filesize

    224B

    MD5

    f589c785af6907d391e15fa3fe6a11a7

    SHA1

    9d11e292fb8428698df6c38564a5d237023ca0ce

    SHA256

    1e435384b357d5c0ca87ce23e3ef97993b1197349fefd7aa798966f84509044c

    SHA512

    52339805bdecb6dc16f9eac3b8a95b6bfd012c932ed7b547fadd7d333f2d7fe5822e9a42e02ccacdabccbf07f360fb378cafe7b272b1845c392308783a71eaea

  • C:\Users\Admin\AppData\Roaming\Logs\12-16-2024

    Filesize

    224B

    MD5

    132a03887b286333b7771eafcbbd74d1

    SHA1

    2d2cad16b756cead17f3663c54354630331fe43b

    SHA256

    3968411c68c741b8c6f448b1fee6a1c99849f238876e61d12475dcbf11da06b1

    SHA512

    9e4cce41e43dae647f52eb643e2551bdde6694fab20e306805562be3354ffdb0f36e7e8846af76f0b04efaeb955770e6251e4868d80b4720f22165cbfb0fae19