Resubmissions
22-12-2024 02:36
241222-c3x8xsznby 1022-12-2024 02:36
241222-c3ndqazna1 1022-12-2024 02:34
241222-c2nyvszpek 10Analysis
-
max time kernel
79s -
max time network
79s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-12-2024 02:34
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
455889b66765b1638dd978a0280f1c7e
-
SHA1
774c78b88528e366cb46ba6723f7bbc7dbb192c1
-
SHA256
4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f
-
SHA512
df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e
-
SSDEEP
49152:avBt62XlaSFNWPjljiFa2RoUYIWXhymzg8oGd5ZTHHB72eh2NT:avr62XlaSFNWPjljiFXRoUYIWXhnp
Malware Config
Extracted
quasar
1.4.1
Office04
JJ:4782
192.168.10.1:4782
9a10c5be-59aa-4915-9bd2-d92256f2c938
-
encryption_key
83ADBC9532F819159CF9138DCD18B9BF646C2117
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Discord
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 8 IoCs
-
Executes dropped EXE 7 IoCs
-
Drops file in System32 directory 17 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 7 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\JCRFR6uGHNH2.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\MQ0z5b9mHZMe.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\dMdFvF6zrGHZ.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\c36tOAWDZCAm.bat" "9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\yEjwvqvq9TaB.bat" "11⤵
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\B4yGCPFwKt6L.bat" "13⤵
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\wEugoKbW6TiB.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
196B
MD5c45c9be151a5029cc98b7f0dcf5bdae8
SHA155fc796c305b2ce4905e9f887bda987d374b60f3
SHA256485d98b5fc156d019dce9fe3c97038ccd42db30664e2dfc154c54c303f46bd3e
SHA512e2ccc716ce7245125fb27d3f56dd2bec7dbaa8d85f69e99fe6f0d011f319784b214f9bd07aaafed9977051a68e4a855d59cfaa790dd5ca67c9a5390aa72b9817
-
Filesize
196B
MD5ade1f7586c027a2b8f7f41aedebf7c3d
SHA17cd97c7dc2121c69dbcf8963304bc284a846d880
SHA2568ef1c3259f17f5347604bd66823ceca5cc9a74fb63d2771d082b559bb0e573a8
SHA51233b990bb269698adaf9527b2cc02549b23883cc251d647cb0d011106bb12fc0529817c224340195a6117d5d8d82493d013f0668cca2c27591112b78ddbc2e926
-
Filesize
196B
MD5b5187b896233276672c942139e4a83b9
SHA1c01f6ebc27c58668a7da795567d4a085fb80a0c0
SHA25664a38c88bf50c7d6b5a6521fe5815a00f0e84e4c33c0e49c3268a3d8b84cee8d
SHA5129ad753c7c2b7d1dd65ed28be44897a615b015cff40713ca3fed402ca285c4b1b26f4443b81464bbe425319b581677e7fa1b90562d463c41b5e9c1536fe6dc772
-
Filesize
196B
MD57007be9c8b528b1b961b031a10999fcc
SHA13eef9bba943735bb579c1115b666eca5df558fbe
SHA256948e22d5e2ba2cd36d0ef13317a72bc59e6091a6de394c2cd3e5415db1839a61
SHA5125f82ec4503af65e839053da6777d78fe34b8ea7cf125fbdc92c7af64fedfb4a080603395adbbdcacc9a8823ed14a94541911a2fa7c4c8166d17a20fdd74e1b66
-
Filesize
196B
MD5a55c203103868e7d7157cfc5b827e151
SHA1005db4b8340f3483958448aa28f2860d73bbeeaa
SHA256543c87aedc05615c553887c9b4277aea317ce1ecd170e6dc1924b4a2aadd67f3
SHA512fcc1245be89dd260c0cfe94ee05f75e1407a3ad9074f9ae5a7a65afbf94139b096b3e87b1dbe9562ea2445415b35e6c2f4f00d97e608b86f6962160cc79231d6
-
Filesize
196B
MD58561989a1759f663c8ef19154fe5c5dd
SHA1cbbd3ed3b54c941a633b87aaaee36e59f2e3a99d
SHA256f7c032f8f4e953357b168cfb363e3242bd62d71a95e768bb076950d39cbc97a9
SHA51231d67e6b6638e961ff87cfd07020ee690c1607096aa4902ebbe42d19003c70115e5fd94605b2f65d25533812d321325cbb039539ec8929b7d5fd4093457769ae
-
Filesize
196B
MD528c6c07414b7d86601915511c6bed4aa
SHA18bf80f5ae8257d12b1b05404e2e55a6bbe1db685
SHA2560e7489bdb56e4f6e6bf7e7f2025e1e59603a87e09df1bc8a667613c444fb857e
SHA5124c7961bb8a3753001e29cb297653ea91c1a057a5ed27be4c3c170cb9046b13f576e5ef08a9b64db6d733f79f006c8183d21569768b4a78e3e1bb5fda1756e19f
-
Filesize
3.1MB
MD5455889b66765b1638dd978a0280f1c7e
SHA1774c78b88528e366cb46ba6723f7bbc7dbb192c1
SHA2564ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f
SHA512df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
3.1MB