Overview

overview

10

Static

static

10

b64b141eb3...96.exe

windows7-x64

10

b64b141eb3...96.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    126s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    17-12-2024 04:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b64b141eb3b3fa67f6605eb99b0e6f78eb5df7d483a2a0889821ccfac71a7a96.exe

  • Size

    288KB

  • MD5

    d0d7ce7681200387de77c7ab2e2841cd

  • SHA1

    8b6c4315e260954b6c33f450ad3baa9f79fe72e2

  • SHA256

    b64b141eb3b3fa67f6605eb99b0e6f78eb5df7d483a2a0889821ccfac71a7a96

  • SHA512

    bc3cfac3450cbc17ce8c9758f10c7e4034764f40a6797edd4a8eb6e95d6db9c5f46a46487a6e483ef0eed23243e9f92c0ea391a0416ebbc6854e2b9914ad9788

  • SSDEEP

    6144:w7zO0LSclT6FOwEP5Kq+SMv0VGb7bDcllbk9n:OlJtTF9zVGkllbkh

Score
10/10
quasarofficediscoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office

C2

82.117.243.110:5173

Mutex

yfsS9ida0wX8mgpdJC

Attributes
  • encryption_key

    KDNBgA8jiBeGX1rj1dDt

  • install_name

    csrss.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    NET framework

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b64b141eb3b3fa67f6605eb99b0e6f78eb5df7d483a2a0889821ccfac71a7a96.exe
    "C:\Users\Admin\AppData\Local\Temp\b64b141eb3b3fa67f6605eb99b0e6f78eb5df7d483a2a0889821ccfac71a7a96.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "NET framework" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\b64b141eb3b3fa67f6605eb99b0e6f78eb5df7d483a2a0889821ccfac71a7a96.exe" /rl HIGHEST /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:584

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2068-0-0x000000007494E000-0x000000007494F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2068-1-0x0000000000D80000-0x0000000000DCE000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2068-2-0x0000000074940000-0x000000007502E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2068-4-0x000000007494E000-0x000000007494F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2068-5-0x0000000074940000-0x000000007502E000-memory.dmp

    Filesize

    6.9MB

    Download