Analysis
-
max time kernel
141s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-12-2024 02:39
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
455889b66765b1638dd978a0280f1c7e
-
SHA1
774c78b88528e366cb46ba6723f7bbc7dbb192c1
-
SHA256
4ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f
-
SHA512
df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e
-
SSDEEP
49152:avBt62XlaSFNWPjljiFa2RoUYIWXhymzg8oGd5ZTHHB72eh2NT:avr62XlaSFNWPjljiFXRoUYIWXhnp
Malware Config
Extracted
quasar
1.4.1
Office04
JJ:4782
192.168.10.1:4782
9a10c5be-59aa-4915-9bd2-d92256f2c938
-
encryption_key
83ADBC9532F819159CF9138DCD18B9BF646C2117
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Discord
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 12 IoCs
-
Drops file in System32 directory 27 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 12 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of SetWindowsHookEx 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vTJhAMRdu0xA.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650014⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost4⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f5⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IWRBreJMAY1g.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650016⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost6⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f7⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Os24SjFkgZMu.bat" "7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650018⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f9⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Gmt15C0tlnyQ.bat" "9⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500110⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost10⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f11⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5sl2sByjy5yn.bat" "11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500112⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost12⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f13⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NJCbEb38jYg0.bat" "13⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500114⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost14⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"14⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f15⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GNlhsWQ56tDh.bat" "15⤵
-
C:\Windows\system32\chcp.comchcp 6500116⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost16⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"16⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f17⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KfbUQUNH8rYm.bat" "17⤵
-
C:\Windows\system32\chcp.comchcp 6500118⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost18⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"18⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f19⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bR8qDo1zJs5s.bat" "19⤵
-
C:\Windows\system32\chcp.comchcp 6500120⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost20⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f21⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ASd2dF4IkSt.bat" "21⤵
-
C:\Windows\system32\chcp.comchcp 6500122⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost22⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"22⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f23⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nL4qZEbfKBlu.bat" "23⤵
-
C:\Windows\system32\chcp.comchcp 6500124⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f25⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PXi1ac8TDLKk.bat" "25⤵
-
C:\Windows\system32\chcp.comchcp 6500126⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost26⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD58f0271a63446aef01cf2bfc7b7c7976b
SHA1b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA51278a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5
-
Filesize
196B
MD5da5cb3f1ad57556ea4f4182856c264cb
SHA1d5c1dfcadfc85844f89b34835080e7d73ab2370a
SHA256305f2e6a40eb48e888430e9efad08968c8abf858a9d03a692a13f8a9b9185d1a
SHA512ac42bd77415a467c17c13d3bff46278b8a220f6754e3fb270c3b026c49cddabe774e6d23759ff46b6c04f81b845e4dc5ef63454b84388b824570d87b0f1ef353
-
Filesize
196B
MD53a1984875f09053198df29db6737df8a
SHA1063b08be4cec9a3a9ada97761746383a27d923f0
SHA256f7b0be8fa8cd7cae2327abf820304866f14a2a06008f76f96b2f7c809734d15b
SHA5120f21fabd02b4dd3e9520b53b3d9e1c384dfb94fd6dd3381e90bf7a88219ea1a674cb08ffbf46d93ebabb386a7127223cd69c816770e9b1c74cba5c2bf8eff753
-
Filesize
196B
MD5e726c492c7af425f5b2285d2d4f1663a
SHA1a5b7bdb2adfc8dc9c5d916870ac2fb3c08bd2443
SHA256d98859c76f739a83b742307a304defb61d43e197a26dfecb738e2ed3a7e797f4
SHA512c35a51effaab6cde290b57a833a4c7df57118cc723f8c08e42942ce73bdd448cad889073000a0d33a13806ae62a076e79fb6d065e4cff7128c221268b244766a
-
Filesize
196B
MD5711bb74c669b9a3215b293802b2220a6
SHA167afd7742419e5081dbbac6667130b7f7e60e414
SHA2567f09c1a80ce3aae0409d16f6756fe5955d9167383462cb7d5e67b134e4d26f89
SHA5121350e5bef4575b5f4274b5c4cc10bc241dc28f43ccf45e1d11715e90361775bb5552b59a967623a0f2867aef881b5b0edb074c5d730ffcc9602075cec2bcfcd0
-
Filesize
196B
MD58caac39d30a6f8879004e9cdfae242ed
SHA1c5db76a54fe6fa54f85c8aed51b5f97285c9584a
SHA256e8d8fb9a6d2a4de5811ab230108a47cca716e3265736a5518f2a10bcbf2e16a2
SHA5122eef830c40663f9e15718f209e3b25d1509301d3be7c7fe5660e1e2ecb14ebd59ee6c3b664a16ccef8536b18336dab217987a0b052f33293129a2197d2691aaf
-
Filesize
196B
MD59bebfd88f8ac111d476b1e76dd902d85
SHA1c91a0ff54b089225136443acac7a459329c012ba
SHA256f704f4e6b3e0149c6fde7d594b75515fc9a5355876e74d9b29ced5c5e2abdca0
SHA5127cf64014db0800fa7642469a77e33ed94bf255b882d0d3a4969d00fa2006eecd67cb641ef8e1bcb9e9b1e525859a8488e2985207c40d23e3d30972daa51482aa
-
Filesize
196B
MD5e68e34016bc1a0af3be2b4544a16b0b4
SHA19ed6402739bb86fbec8667b269f21e5c7c4fef6d
SHA256a3b06fbb5805e4738bae4eb61f514c3ac9f728f51662d3bed494f3f7d820373e
SHA5124f141d7182e1acb56a73a5020cb42d0be37a5a4505629a7043a817b0450e29cafcacae470119084f66a677f5cacf2f7abc7d148b5d660ec2d8dd00d767825038
-
Filesize
196B
MD5aaa4ef73a3ee6940d9cae394471b7263
SHA137c3a126e5355a67498ef9fe604ef4683401c9b9
SHA2560a0921e6dc540de54a24f8451db6361e1f0670c34013ea72287daf8038019273
SHA512d1729b88634b3fb1d66806e5e4958dad2d10c33e47784ece77bcae2b28408e45ace447ef5783c7f19be194dff7c66167e8c6e00c7af58c49265f385f8d95e2be
-
Filesize
196B
MD56e6e837820f4cae043e360e40af69f2a
SHA18c131552f7bfd268a6cb507f0e8893d30b919083
SHA256a2af6b94336ab3cf71b5357f4e0cf97b37aa9abbfc61df669be12d64b14ea2fb
SHA5129b84901aaec7dfa80226e59bcd4f2518a76a7482ef7e6e3496a6cd6edc1732c6925c71aa30662682f246d0ff7c5fc4021d9f7587b4da216733daef2d079c3d12
-
Filesize
196B
MD5073f64d0bd601ca658ce9d1093b738e3
SHA19587e377d423bce4477121691e9f45f3c24b74b6
SHA2567ea87ce4baf270859cd318c8ee1e3b328b31a422708ad02c865457b10d94eda6
SHA5125e24c061be7db2a214341edbd97745343ffde7e049c2c80e875586c2890a1ad181eb069a652cefcf0953464160436cd725e4c57140b711839629961544d3e757
-
Filesize
196B
MD5ff4c7da7e9c95f1b4df7f9164d138ccd
SHA1288b167326aa79df9c8cad13ee1883941f3d6684
SHA256d49fd77067fbf3a13dbde934166bb58f18dfb40a5fd089d4e27ce1c4fc0693fb
SHA512f08fe04b7feac95bdc4fc67a250474c1107b7a1c7a70cc80ba64fede7e6dac822cfca910d31075788d8bb49c643fa4fe0f3c7656e88565b097c8c4013cc7ed8f
-
Filesize
196B
MD533c5e4eb6583b4b20fbc4c10f2c1b9a4
SHA11cca612e1d64ffcba82c2f45269e19de3c5d0e84
SHA2567b554868267f5e9b9a4c58b7a5551e1fd2260f8e63594116966b6f9b98ef9602
SHA512644375d2ed5da5971a30c75a4f7259d8746eb56c9d155509909451b8dffa55d7b0be7ab2dff0427bdaebd94e013b758040a84a826e6df830647c704d78806c75
-
Filesize
3.1MB
MD5455889b66765b1638dd978a0280f1c7e
SHA1774c78b88528e366cb46ba6723f7bbc7dbb192c1
SHA2564ad66f08167a301d51c613fa49c846297787a2fbc57d526c4885b419f61bb78f
SHA512df5c6d8615e1f41f4d908b62f052805ee8b9dd50d129a9ae2da66888cb60b985a841b00f74090c436e05d6b26672d6fc9957a551cbbf30d91a2af4d5d81e3d3e
-
Filesize
10.8MB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
3.1MB