Analysis

  • max time kernel
    91s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 06:40

General

  • Target

    dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe

  • Size

    83.0MB

  • MD5

    4117eceb35a8705eba8b0ed2148ad7d7

  • SHA1

    1f0f47d0f8fc9f7d11467681473c563bf3624834

  • SHA256

    dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949

  • SHA512

    ad1fb197cf8fc7ebc536bd8787b655e8bd947e23ea64ad7a6da16238f5d4b4f8b3f0e30efc01ce0c0bc27f31dad1afdd97bb13aae3992a78e5214c7b761c4fe0

  • SSDEEP

    393216:T4TPZVLWruiFVks+9j54GXvitZQLCO5SXDqQu58EISEhoIaE2FShABZDv25PPa2W:TKRVQxhu0P8Lq1LEvxOOx5Sk

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Staking

C2

51.15.17.193:4782

Mutex

ff4f56ac-24e1-40ed-bb5c-e0b45b489ee4

Attributes
  • encryption_key

    97599F6E5D14A784CC4DD36B18A277119042FDA8

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • System Binary Proxy Execution: Regsvcs/Regasm 1 TTPs 2 IoCs

    Abuse Regasm to proxy execution of malicious code.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe
    "C:\Users\Admin\AppData\Local\Temp\dac0e42cfa82a24f701aaf85aaf09fe6c429d7820b90a9050a381e5c540cb949.exe"
    1⤵
    • System Binary Proxy Execution: Regsvcs/Regasm
    • Drops startup file
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "type C:\Users\Admin\AppData\Local\Temp\temp.ps1 | powershell.exe -noprofile -"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4756
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" type C:\Users\Admin\AppData\Local\Temp\temp.ps1 "
        3⤵
          PID:540
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -noprofile -
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nkeblmsi\nkeblmsi.cmdline"
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:3928
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7B7.tmp" "c:\Users\Admin\AppData\Local\Temp\nkeblmsi\CSC846EB28DA9CE48E7A217821F679F181.TMP"
              5⤵
                PID:1648
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
          2⤵
          • System Binary Proxy Execution: Regsvcs/Regasm
          • Suspicious use of WriteProcessMemory
          PID:5016
          • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
            C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
            3⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2276
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "C:\Users\Admin\AppData\Local\Temp\BTCTools1.exe"
          2⤵
            PID:5028

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\BTCTools1.exe

          Filesize

          9B

          MD5

          9d1ead73e678fa2f51a70a933b0bf017

          SHA1

          d205cbd6783332a212c5ae92d73c77178c2d2f28

          SHA256

          0019dfc4b32d63c1392aa264aed2253c1e0c2fb09216f8e2cc269bbfb8bb49b5

          SHA512

          935b3d516e996f6d25948ba8a54c1b7f70f7f0e3f517e36481fdf0196c2c5cfc2841f86e891f3df9517746b7fb605db47cdded1b8ff78d9482ddaa621db43a34

        • C:\Users\Admin\AppData\Local\Temp\RESB7B7.tmp

          Filesize

          1KB

          MD5

          36f54519e3bbf770c59398f2ced3a64c

          SHA1

          fd9fd56628bc87d2ab2351b57a4b242c9841008b

          SHA256

          1df807e9b8176f3d1942308456520b8261b84844f0f6fa8b460ac9d61aa01d25

          SHA512

          f9354b35dab5842284f265347f7174a6aa3c3b564d05de8cc38fe6f735bbed287b8a52b9878c883ba9af760f43140ff6650cc57b0e74ecb4ced5ef9fa50a2719

        • C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

          Filesize

          4.8MB

          MD5

          9a7cea63db91937ec2fa0c4a40dcde82

          SHA1

          dbc121740eb6aa3221beadd3ae69df1ce095c441

          SHA256

          687c5903af67e7ae2df617f249ef22502998e4524ccb34a27eaac389b8e61728

          SHA512

          36e6a806125b1d80e97482f0b03a7481a136f01d2808169f171d89c54d2faf6f5b6913f4751dc737d5dc672f63622e379fd87f306cec2e076d8a5e73d33059dd

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rb1jkz5f.qhp.ps1

          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        • C:\Users\Admin\AppData\Local\Temp\nkeblmsi\nkeblmsi.dll

          Filesize

          3KB

          MD5

          30cecef8e1e6fd9c0a261b52d9151303

          SHA1

          576d05f75ac06a6fa2cd37e29c9448e295b49747

          SHA256

          fd3b75b8e36e746c7d40279bce9d467665c1d186ff4188fa51739150080abd73

          SHA512

          66d2ae4a6e0c7dffdf71a51ed7b06142dde8afb50e28a9945531e69e9bd5ddf5ac93ac4d1c9a3a868e19ff4697b875000f669ed5a01ff77ece16173142c6d3d8

        • C:\Users\Admin\AppData\Local\Temp\temp.ps1

          Filesize

          379B

          MD5

          18047e197c6820559730d01035b2955a

          SHA1

          277179be54bba04c0863aebd496f53b129d47464

          SHA256

          348342fd00e113a58641b2c35dd6a8f2c1fb2f1b16d8dff9f77b05f29e229ef3

          SHA512

          1942acd6353310623561efb33d644ba45ab62c1ddfabb1a1b3b1dd93f7d03df0884e2f2fc927676dc3cd3b563d159e3043d2eff81708c556431be9baf4ccb877

        • \??\c:\Users\Admin\AppData\Local\Temp\nkeblmsi\CSC846EB28DA9CE48E7A217821F679F181.TMP

          Filesize

          652B

          MD5

          74cdb11092e0f9aa051424f381419af7

          SHA1

          e9865c8dfa19704d0517b79d2738debd4cc4e489

          SHA256

          9266e692899f73f668a38165da7042e6a38f3edbc9d5de58ee510ef2f9b7eca0

          SHA512

          b55051acd4bc87e03cc638f824c6364e4d538807547dbcd7d18a57d100b2ef232272d8158252bc0e7fdcf9e5c502350c8c2d5043bd9c7ee896b71d29332ddcb7

        • \??\c:\Users\Admin\AppData\Local\Temp\nkeblmsi\nkeblmsi.0.cs

          Filesize

          311B

          MD5

          7bc8de6ac8041186ed68c07205656943

          SHA1

          673f31957ab1b6ad3dc769e86aedc7ed4b4e0a75

          SHA256

          36865e3bca9857e07b1137ada07318b9caaef9608256a6a6a7fd426ee03e1697

          SHA512

          0495839c79597e81d447672f8e85b03d0401f81c7b2011a830874c33812c54dab25b0f89a202bbb71abb4ffc7cb2c07cc37c008b132d4d5d796aebdd12741dba

        • \??\c:\Users\Admin\AppData\Local\Temp\nkeblmsi\nkeblmsi.cmdline

          Filesize

          369B

          MD5

          c64a3d54c3679267e0a565444fbb299e

          SHA1

          875abadeca59b22b523c57a1214f43328b535ba5

          SHA256

          e87b7572791ab1f23dc437fffdcf0f7de97ab1acb9ae4f2fdc3432d58bb852be

          SHA512

          66fab87334e4d44a0b746b14adb4955353315d3b56ea5f8751b420ca8560035e918a74a786e649e19ef361ca6ef25adb91775d1b396a77e403f6167dba3441c1

        • memory/2276-39-0x00000137E4F60000-0x00000137E5284000-memory.dmp

          Filesize

          3.1MB

        • memory/2276-40-0x00000137E5280000-0x00000137E52D0000-memory.dmp

          Filesize

          320KB

        • memory/2276-41-0x00000137E5780000-0x00000137E5832000-memory.dmp

          Filesize

          712KB

        • memory/2276-44-0x00000137E52F0000-0x00000137E5302000-memory.dmp

          Filesize

          72KB

        • memory/2276-45-0x00000137E5700000-0x00000137E573C000-memory.dmp

          Filesize

          240KB

        • memory/2552-13-0x00000244367E0000-0x0000024436824000-memory.dmp

          Filesize

          272KB

        • memory/2552-12-0x000002441C4C0000-0x000002441C4E2000-memory.dmp

          Filesize

          136KB

        • memory/2552-27-0x00000244367B0000-0x00000244367B8000-memory.dmp

          Filesize

          32KB

        • memory/2552-14-0x0000024436C10000-0x0000024436C86000-memory.dmp

          Filesize

          472KB