Analysis

  • max time kernel
    91s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-12-2024 11:34

General

  • Target

    2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe

  • Size

    85.2MB

  • MD5

    207d3610cb4305546ae3730c433cec24

  • SHA1

    dbaa88cff0954154133da02cfe8945660fed53f7

  • SHA256

    2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0

  • SHA512

    0f803879d9feba1053b9a4306d62a9c9175cc0e96bf90dfa10cae8f909925a735e35d46d8bef44bd8a3a657dd27634d65cee3dcdc6400540d9819a09f394edf5

  • SSDEEP

    393216:54TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2o:5KRVQxhu0P8Lq1LEvxOOx5Sba

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

NEURO

C2

51.15.17.193:4782

Mutex

1f6c9ecc-c030-43a4-bbf2-21326400cbb5

Attributes
  • encryption_key

    97599F6E5D14A784CC4DD36B18A277119042FDA8

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs

    Abuse Regasm to proxy execution of malicious code.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Uses the powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe
    "C:\Users\Admin\AppData\Local\Temp\2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe"
    1⤵
    • System Binary Proxy Execution: Regsvcs/Regasm
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\temp.ps1 | powershell.exe -noprofile -"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4488
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\temp.ps1 "
        3⤵
          PID:2032
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -noprofile -
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2276
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\224roxre\224roxre.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:1872
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC870.tmp" "c:\Users\Admin\AppData\Local\Temp\224roxre\CSC6B2D58CED1B24907A471F863E6FA48B9.TMP"
              5⤵
                PID:2912
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
          2⤵
          • System Binary Proxy Execution: Regsvcs/Regasm
          • Suspicious use of WriteProcessMemory
          PID:1140
          • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
            C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2120
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\Neurocoin.exe"
          2⤵
            PID:3480

        Network

        • flag-us
          DNS
          8.8.8.8.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          8.8.8.8.in-addr.arpa
          IN PTR
          Response
          8.8.8.8.in-addr.arpa
          IN PTR
          dns.google
        • flag-us
          DNS
          149.220.183.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          149.220.183.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          172.214.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.214.232.199.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          95.221.229.192.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          95.221.229.192.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          69.31.126.40.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          69.31.126.40.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          glonas.am
          2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe
          Remote address:
          8.8.8.8:53
          Request
          glonas.am
          IN A
          Response
          glonas.am
          IN A
          104.21.78.102
          glonas.am
          IN A
          172.67.220.55
        • flag-us
          DNS
          102.78.21.104.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          102.78.21.104.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          ipwho.is
          RegAsm.exe
          Remote address:
          8.8.8.8:53
          Request
          ipwho.is
          IN A
          Response
          ipwho.is
          IN A
          195.201.57.90
        • flag-de
          GET
          https://ipwho.is/
          RegAsm.exe
          Remote address:
          195.201.57.90:443
          Request
          GET / HTTP/1.1
          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
          Host: ipwho.is
          Connection: Keep-Alive
          Response
          HTTP/1.1 200 OK
          Date: Thu, 19 Dec 2024 11:34:38 GMT
          Content-Type: application/json; charset=utf-8
          Transfer-Encoding: chunked
          Connection: keep-alive
          Server: ipwhois
          Access-Control-Allow-Headers: *
          X-Robots-Tag: noindex
        • flag-us
          DNS
          193.17.15.51.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          193.17.15.51.in-addr.arpa
          IN PTR
          Response
          193.17.15.51.in-addr.arpa
          IN PTR
          51-15-17-193.rev.poneytelecom.eu
        • flag-us
          DNS
          90.57.201.195.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          90.57.201.195.in-addr.arpa
          IN PTR
          Response
          90.57.201.195.in-addr.arpa
          IN PTR
          static.90.57.201.195.clients.your-server.de
        • flag-us
          DNS
          28.118.140.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          28.118.140.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          209.205.72.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          209.205.72.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          212.20.149.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          212.20.149.52.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          171.39.242.20.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          171.39.242.20.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          172.210.232.199.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          172.210.232.199.in-addr.arpa
          IN PTR
          Response
        • flag-us
          DNS
          29.243.111.52.in-addr.arpa
          Remote address:
          8.8.8.8:53
          Request
          29.243.111.52.in-addr.arpa
          IN PTR
          Response
        • 104.21.78.102:443
          glonas.am
          tls
          2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe
          1.2kB
          4.5kB
          13
          13
        • 51.15.17.193:4782
          tls
          RegAsm.exe
          2.0kB
          2.9kB
          20
          17
        • 195.201.57.90:443
          https://ipwho.is/
          tls, http
          RegAsm.exe
          923 B
          6.3kB
          10
          10

          HTTP Request

          GET https://ipwho.is/

          HTTP Response

          200
        • 8.8.8.8:53
          8.8.8.8.in-addr.arpa
          dns
          66 B
          90 B
          1
          1

          DNS Request

          8.8.8.8.in-addr.arpa

        • 8.8.8.8:53
          149.220.183.52.in-addr.arpa
          dns
          73 B
          147 B
          1
          1

          DNS Request

          149.220.183.52.in-addr.arpa

        • 8.8.8.8:53
          172.214.232.199.in-addr.arpa
          dns
          74 B
          128 B
          1
          1

          DNS Request

          172.214.232.199.in-addr.arpa

        • 8.8.8.8:53
          95.221.229.192.in-addr.arpa
          dns
          73 B
          144 B
          1
          1

          DNS Request

          95.221.229.192.in-addr.arpa

        • 8.8.8.8:53
          69.31.126.40.in-addr.arpa
          dns
          71 B
          157 B
          1
          1

          DNS Request

          69.31.126.40.in-addr.arpa

        • 8.8.8.8:53
          glonas.am
          dns
          2956ab71f5360eec21fef2b485e59c91705b043c08e5ec26a6b2122f6f80a9d0.exe
          55 B
          87 B
          1
          1

          DNS Request

          glonas.am

          DNS Response

          104.21.78.102
          172.67.220.55

        • 8.8.8.8:53
          102.78.21.104.in-addr.arpa
          dns
          72 B
          134 B
          1
          1

          DNS Request

          102.78.21.104.in-addr.arpa

        • 8.8.8.8:53
          ipwho.is
          dns
          RegAsm.exe
          54 B
          70 B
          1
          1

          DNS Request

          ipwho.is

          DNS Response

          195.201.57.90

        • 8.8.8.8:53
          193.17.15.51.in-addr.arpa
          dns
          71 B
          117 B
          1
          1

          DNS Request

          193.17.15.51.in-addr.arpa

        • 8.8.8.8:53
          90.57.201.195.in-addr.arpa
          dns
          72 B
          129 B
          1
          1

          DNS Request

          90.57.201.195.in-addr.arpa

        • 8.8.8.8:53
          28.118.140.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          28.118.140.52.in-addr.arpa

        • 8.8.8.8:53
          209.205.72.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          209.205.72.20.in-addr.arpa

        • 8.8.8.8:53
          212.20.149.52.in-addr.arpa
          dns
          72 B
          146 B
          1
          1

          DNS Request

          212.20.149.52.in-addr.arpa

        • 8.8.8.8:53
          171.39.242.20.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          171.39.242.20.in-addr.arpa

        • 8.8.8.8:53
          172.210.232.199.in-addr.arpa
          dns
          74 B
          128 B
          1
          1

          DNS Request

          172.210.232.199.in-addr.arpa

        • 8.8.8.8:53
          29.243.111.52.in-addr.arpa
          dns
          72 B
          158 B
          1
          1

          DNS Request

          29.243.111.52.in-addr.arpa

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\224roxre\224roxre.dll

          Filesize

          3KB

          MD5

          d495af8b53f29f1d04f3b3d4136a95d8

          SHA1

          c25324b91f298778bbe372f18a9c8dc9ca47df4c

          SHA256

          848571c101ed39bd8d6d1a1b2be66d376fe7fcde5865e3210237b7bbc101a013

          SHA512

          0b04373e9e545a2a7cc46bf36b52e851e0a7c382d90397c98474264f0a47fd6c63265f0cc432ceb1432f56c81c7d05f19b6ce38be0cbd871c316892daa43ca8c

        • C:\Users\Admin\AppData\Local\Temp\Neurocoin.exe

          Filesize

          47B

          MD5

          447e47ca1fe8ea0ee113c82580a90752

          SHA1

          b353067d653aa17150deb0e5943f517948070b21

          SHA256

          5684d1afb88220efeba965a9e28eac2f830e22a3d57348e66e4a5d4e799664f5

          SHA512

          4b52747210cada19b4d1964c7d6d6d7697570497e1084b153835ae8a67b5e284178fc807ddbf32cfffac564ccf69a21d7a80b407fc55799d23c71d1fe68c3b3d

        • C:\Users\Admin\AppData\Local\Temp\RESC870.tmp

          Filesize

          1KB

          MD5

          f21b2bb52d2ce2a3fc0af3067a26e95e

          SHA1

          403e901893afbdb97bebb3e2329d63da99153130

          SHA256

          19934e336d19c617d23cc4665ace0ae0767b7f40d8f183735fe8cf8b420c43f1

          SHA512

          09a5df69506fc70a104e4e71340f3939dd62a6469d7f81ef04810b3be6fcdea391ef9000e4770822401770134957cdeb7291b8d5cf7112f4c2f0c7339da0c12c

        • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

          Filesize

          5.6MB

          MD5

          c549fe02bb65c0c2977c741c7ed4fd80

          SHA1

          8475e459ba2fe572c53b08c061a5b24e074832a1

          SHA256

          d0d221d0a152430a62531fd46b7c1f43721110da2bb3ee2f5688e484b143aceb

          SHA512

          b51e81d073dc1bbdeea1f0dcf66901f2996faa5f30657e354c0c9271ad0f58ce0cc20744f8287afd81904d10148032038f2bad33e45d49685f7dce73e0a52b3a

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2yx0s54g.i1x.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\temp.ps1

          Filesize

          379B

          MD5

          18047e197c6820559730d01035b2955a

          SHA1

          277179be54bba04c0863aebd496f53b129d47464

          SHA256

          348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

          SHA512

          1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

        • \??\c:\Users\Admin\AppData\Local\Temp\224roxre\224roxre.0.cs

          Filesize

          311B

          MD5

          7bc8de6ac8041186ed68c07205656943

          SHA1

          673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

          SHA256

          36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

          SHA512

          0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

        • \??\c:\Users\Admin\AppData\Local\Temp\224roxre\224roxre.cmdline

          Filesize

          369B

          MD5

          76ba342126a0665a25a06b26260dd144

          SHA1

          248e13c80281802a75a9ef70fce5966635a83b4b

          SHA256

          7c31cdeaf2c5686bbf34b23c8932b6e90b8cd6e7518e89ed004d5280946ad7cc

          SHA512

          ad5f7bedf237672af193fa9c33651c29132cd1a5c536797a02416db5fe8b6cc240d14d97a78376a0f59cc04101c905eaf155e0067c1c953768a89de36a4ae1c9

        • \??\c:\Users\Admin\AppData\Local\Temp\224roxre\CSC6B2D58CED1B24907A471F863E6FA48B9.TMP

          Filesize

          652B

          MD5

          0a282bc4b88b9da8fd4ccf7b31b64664

          SHA1

          c1dde99fc49fdbf3e53a0e37246cd8aec03dab7e

          SHA256

          3c7dc0e224bca15f2504a70a3fd13feedff29f4eceeb3e67c19da0c4846aac96

          SHA512

          5644332cd3b5e5468d967a5f30cd92b82605cb585a5d3b3266b1e7f13d03fda31f6b7248f3030e1a89dc71e759c9f1c0f1c1fd9ff455b173fac3dbcb14c6f06c

        • memory/2120-36-0x0000021A20C30000-0x0000021A20F54000-memory.dmp

          Filesize

          3.1MB

        • memory/2120-37-0x0000021A20FA0000-0x0000021A20FF0000-memory.dmp

          Filesize

          320KB

        • memory/2120-38-0x0000021A21490000-0x0000021A21542000-memory.dmp

          Filesize

          712KB

        • memory/2120-41-0x0000021A21010000-0x0000021A21022000-memory.dmp

          Filesize

          72KB

        • memory/2120-42-0x0000021A21070000-0x0000021A210AC000-memory.dmp

          Filesize

          240KB

        • memory/2276-27-0x00000221BBDA0000-0x00000221BBDA8000-memory.dmp

          Filesize

          32KB

        • memory/2276-14-0x00000221BBEC0000-0x00000221BBF36000-memory.dmp

          Filesize

          472KB

        • memory/2276-13-0x00000221BBDF0000-0x00000221BBE34000-memory.dmp

          Filesize

          272KB

        • memory/2276-3-0x00000221BB930000-0x00000221BB952000-memory.dmp

          Filesize

          136KB
