Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-12-2024 06:44

General

  • Target

    local.exe

  • Size

    3.1MB

  • MD5

    ef27ef58c0f84cbcbbc4655dedbf4de0

  • SHA1

    2d22660414046a0ed5f9ce19e0aa64fb1942b335

  • SHA256

    dc4e60715160d270d5b34204c0ef1f947a94d71eccc4b01111bfce0af6debf3b

  • SHA512

    f703ca5c85d10ae8fc5d5ddc259d034df3845f20a8709eab3eea54fe99d7fec5866cfa406c8d0c1bb475ef00cc4aecbba6b963ab510938a9a768811b11083d9b

  • SSDEEP

    49152:rvDI22SsaNYfdPBldt698dBcjHJwRJ6/bR3LoGdkTHHB72eh2NT:rv822SsaNYfdPBldt6+dBcjHJwRJ6R

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.1.74:4782

Mutex

b4ad83f8-b608-477d-8395-2274bcaab6d1

Attributes
  • encryption_key

    62EF51244AF3535A6A9C77206CD89D5BFECD7E4E

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\local.exe
    "C:\Users\Admin\AppData\Local\Temp\local.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

    Filesize

    3.1MB

    MD5

    ef27ef58c0f84cbcbbc4655dedbf4de0

    SHA1

    2d22660414046a0ed5f9ce19e0aa64fb1942b335

    SHA256

    dc4e60715160d270d5b34204c0ef1f947a94d71eccc4b01111bfce0af6debf3b

    SHA512

    f703ca5c85d10ae8fc5d5ddc259d034df3845f20a8709eab3eea54fe99d7fec5866cfa406c8d0c1bb475ef00cc4aecbba6b963ab510938a9a768811b11083d9b

  • memory/656-9-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

    Filesize

    9.9MB

  • memory/656-10-0x0000000001230000-0x0000000001554000-memory.dmp

    Filesize

    3.1MB

  • memory/656-11-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

    Filesize

    9.9MB

  • memory/656-12-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

    Filesize

    9.9MB

  • memory/2516-0-0x000007FEF5DE3000-0x000007FEF5DE4000-memory.dmp

    Filesize

    4KB

  • memory/2516-1-0x0000000000070000-0x0000000000394000-memory.dmp

    Filesize

    3.1MB

  • memory/2516-2-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

    Filesize

    9.9MB

  • memory/2516-8-0x000007FEF5DE0000-0x000007FEF67CC000-memory.dmp

    Filesize

    9.9MB