Analysis
-
max time kernel
127s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
20-12-2024 06:13
Behavioral task
behavioral1
Sample
Bootstrapper.exe
Resource
win7-20240903-en
General
-
Target
Bootstrapper.exe
-
Size
3.1MB
-
MD5
a2986ce26c027866cd7014d2eac00650
-
SHA1
eb2f8daa042072e19eecb20f1f88ed38c0bbd901
-
SHA256
28caba9b2461231879877a8d8f9138e81144b657ebccfa3fbd57974aec9ef0d9
-
SHA512
51794da0b1fc9cc18b93bee836df04ea1299aecae98c260018601261a6f19b84f0b86f746480da872d53e376497160a1556bb5498a52418a44588c6aae72a31c
-
SSDEEP
49152:GvFt62XlaSFNWPjljiFa2RoUYIcVeQVxmGduWTHHB72eh2NT:Gv362XlaSFNWPjljiFXRoUYIOeQz
Malware Config
Extracted
quasar
1.4.1
Rat
services-pos.gl.at.ply.gg:1234
d3bc3858-ff4a-4aa8-97ec-67721ddcdeeb
-
encryption_key
C8D618C9B5D2F91FFC94B6E9C868ECF80EB774F8
-
install_name
Client.exe
-
log_directory
ratted client
-
reconnect_delay
3000
-
startup_key
hello son
-
subdirectory
SubDir
Signatures
-
Quasar family
-
Quasar payload 3 IoCs
resource | yara_rule
behavioral1/memory/1548-1-0x0000000000E60000-0x0000000001184000-memory.dmp | family_quasar
behavioral1/files/0x0035000000015cd1-5.dat | family_quasar
behavioral1/memory/2316-9-0x0000000000ED0000-0x00000000011F4000-memory.dmp | family_quasar
Executes dropped EXE 1 IoCs
pid | Process
2316 | Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2724 | schtasks.exe
2588 | schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1548 | Bootstrapper.exe
Token: SeDebugPrivilege | 2316 | Client.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2316 Client.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2316 Client.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2316 Client.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 1548 wrote to memory of 2724 | 1548 | Bootstrapper.exe | 28
PID 1548 wrote to memory of 2724 | 1548 | Bootstrapper.exe | 28
PID 1548 wrote to memory of 2724 | 1548 | Bootstrapper.exe | 28
PID 1548 wrote to memory of 2316 | 1548 | Bootstrapper.exe | 30
PID 1548 wrote to memory of 2316 | 1548 | Bootstrapper.exe | 30
PID 1548 wrote to memory of 2316 | 1548 | Bootstrapper.exe | 30
PID 2316 wrote to memory of 2588 | 2316 | Client.exe | 31
PID 2316 wrote to memory of 2588 | 2316 | Client.exe | 31
PID 2316 wrote to memory of 2588 | 2316 | Client.exe | 31
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1548

    C:\Windows\system32\schtasks.exe
      Command line: "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      - Scheduled Task/Job: Scheduled Task
      PID: 2724

    C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2316

        C:\Windows\system32\schtasks.exe
          Command line: "schtasks" /create /tn "hello son " /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          - Scheduled Task/Job: Scheduled Task
          PID: 2588
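The process tree above is the whole persistence chain in four records: a dropper in %TEMP% copies itself to AppData\Roaming\SubDir\Client.exe, registers an ONLOGON task with /rl HIGHEST pointing at that copy, and the copy re-registers the same task. The detector below is an added example (not part of the sandbox report and not Quasar's code) that scores schtasks /create invocations on exactly those traits and separately flags a dropped executable under AppData launched by a parent in Temp. The records are constructed from the PIDs, images and command lines in the tree, plus one benign control task (pid 4000) that must not fire; the record fields (pid, ppid, image, cmdline) and the three-signal threshold are assumptions, not any vendor's log schema or rule.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field names are an assumption, not a real log schema)."""
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


@dataclass(frozen=True)
class Finding:
    kind: str
    pid: int
    reasons: tuple


# Constructed from the process tree in the report above, plus a benign control (pid 4000).
EVENTS = [
    ProcEvent(1548, 0, r"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"'),
    ProcEvent(2724, 1548, r"C:\Windows\system32\schtasks.exe",
              r'"schtasks" /create /tn "hello son " /sc ONLOGON '
              r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'),
    ProcEvent(2316, 1548, r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
              r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'),
    ProcEvent(2588, 2316, r"C:\Windows\system32\schtasks.exe",
              r'"schtasks" /create /tn "hello son " /sc ONLOGON '
              r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'),
    ProcEvent(4000, 3999, r"C:\Windows\system32\schtasks.exe",
              r'schtasks /create /tn "Nightly Backup" /sc DAILY '
              r'/tr "C:\Program Files\Backup\backup.exe" /f'),
]

# Any user-profile AppData directory, and the per-user Temp directory specifically.
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return the options of a schtasks command line as a dict, or None if it is not schtasks."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    exe = toks[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    opts = {"create": False, "force": False}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t == "/create":
            opts["create"] = True
        elif t == "/f":
            opts["force"] = True
        elif t in ("/tn", "/sc", "/tr", "/rl") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]   # keys: tn, sc, tr, rl
            i += 1
        i += 1
    return opts


def detect_task_persistence(events):
    """Flag schtasks /create invocations that look like the logon-task persistence above."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        task = parse_schtasks(e.cmdline)
        if not task or not task["create"]:
            continue
        reasons = []
        if task.get("sc", "").upper() == "ONLOGON":
            reasons.append("trigger is ONLOGON, so the action runs at every logon")
        if task.get("rl", "").upper() == "HIGHEST":
            reasons.append("/rl HIGHEST requests the highest available run level")
        if APPDATA_RE.search(task.get("tr", "")):
            reasons.append("task action lives under a user AppData directory")
        parent = by_pid.get(e.ppid)
        if parent is not None and APPDATA_RE.search(parent.image):
            reasons.append("schtasks was spawned by a binary running from the user profile")
        if task["force"]:
            reasons.append("/f silently replaces any existing task with that name")
        # Each signal is weak alone; three or more together is the pattern worth alerting on.
        if len(reasons) >= 3:
            findings.append(Finding("scheduled_task_persistence", e.pid, tuple(reasons)))
    return findings


def detect_dropped_exe(events):
    """Flag a process whose image sits under AppData and whose parent ran from Temp."""
    by_pid = {e.pid: e for e in events}
    return [
        Finding("dropped_exe_execution", e.pid,
                (f"{e.image} started by {by_pid[e.ppid].image}",))
        for e in events
        if e.ppid in by_pid
        and TEMP_RE.search(by_pid[e.ppid].image)
        and APPDATA_RE.search(e.image)
        and e.image.lower() != by_pid[e.ppid].image.lower()
    ]


if __name__ == "__main__":
    for f in detect_task_persistence(EVENTS) + detect_dropped_exe(EVENTS):
        print(f"[{f.kind}] pid {f.pid}")
        for r in f.reasons:
            print("   -", r)
```

On the constructed records this reports pids 2724 and 2588 as scheduled_task_persistence (all five signals) and pid 2316 as dropped_exe_execution, while the daily backup task scores only the /f signal and stays quiet. Tokenizing on quotes rather than whitespace matters here: the task name "hello son " carries a trailing space and the /tr path contains none, so naive splitting would mis-assign both.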
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.1MB
MD5
a2986ce26c027866cd7014d2eac00650
SHA1
eb2f8daa042072e19eecb20f1f88ed38c0bbd901
SHA256
28caba9b2461231879877a8d8f9138e81144b657ebccfa3fbd57974aec9ef0d9
SHA512
51794da0b1fc9cc18b93bee836df04ea1299aecae98c260018601261a6f19b84f0b86f746480da872d53e376497160a1556bb5498a52418a44588c6aae72a31c