Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-12-2024 11:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    d71b9f864361e49d0274c9e18b877093

  • SHA1

    eb621f94801e47c5e1ec03944d020f3a98c446d0

  • SHA256

    5f7be136679475aeabac1742ed75b13a3a6019a1e26efc07ceb199c5ad016b90

  • SHA512

    1b535c8b7ed061f035c82d95e91c1ddc7386da4d1d8b7c0d01e55b8f2acd403a9f60ae40e0c5444ce7aea50b029035a8a4c62654e819d98f690bfd7dab9bc02b

  • SSDEEP

    49152:mvOY52fyaSZOrPWluWBuGG5g5hx7n8LioGd1CTHHB72eh2NT:mvT52fyaSZOrPWluWBDG5g5hx7ntF

Score
10/10
quasartestspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

test

C2

192.168.1.35:4782

Mutex

lol

Attributes
  • encryption_key

    BA1AB307B42098FBECD193797E23C0F236DEF7E9

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    sigma

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Users\Admin\AppData\Roaming\sigma\Client.exe
      "C:\Users\Admin\AppData\Roaming\sigma\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:936

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\sigma\Client.exe
    Filesize

    3.1MB

    MD5

    d71b9f864361e49d0274c9e18b877093

    SHA1

    eb621f94801e47c5e1ec03944d020f3a98c446d0

    SHA256

    5f7be136679475aeabac1742ed75b13a3a6019a1e26efc07ceb199c5ad016b90

    SHA512

    1b535c8b7ed061f035c82d95e91c1ddc7386da4d1d8b7c0d01e55b8f2acd403a9f60ae40e0c5444ce7aea50b029035a8a4c62654e819d98f690bfd7dab9bc02b

    Download Submit

  • memory/936-9-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/936-10-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/936-11-0x000000001C360000-0x000000001C3B0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/936-12-0x000000001C470000-0x000000001C522000-memory.dmp

    Filesize

    712KB

    Download

  • memory/936-13-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1620-0-0x00007FFFF8853000-0x00007FFFF8855000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1620-1-0x0000000000BF0000-0x0000000000F14000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1620-2-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/1620-8-0x00007FFFF8850000-0x00007FFFF9311000-memory.dmp

    Filesize

    10.8MB

    Download