Analysis
-
max time kernel
125s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
25-12-2024 05:46
General
-
Target
Client-built1.exe
-
Size
3.1MB
-
MD5
0213a1dc625eaf82e4d4a94ef9155eeb
-
SHA1
af3df68c68a7070079b123ce2f22389a5aa768df
-
SHA256
532a988eeae201a337f328d2120f8af790042da93735c0fc0c17a1063fdf7f60
-
SHA512
67277e020c3776695b2fb854e834a2850dcfd378fed62b84414ead8c1dce7d1859b2799c973f599a4661124912a49c685c8438b3df7e4012ee7777b1ce489f26
-
SSDEEP
49152:Wvkt62XlaSFNWPjljiFa2RoUYIAQYiimzItoGdUTHHB72eh2NT:Wv462XlaSFNWPjljiFXRoUYINYiE
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.20.5:4782
cd5c1121-523a-481c-bbf0-684c5522dd85
-
encryption_key
D49DA0049C9A948B065557C5F7F0C812465A95EA
-
install_name
argonui.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
ArgonUpdater
-
subdirectory
Argon
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built1.exe"C:\Users\Admin\AppData\Local\Temp\Client-built1.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "ArgonUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Argon\argonui.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Argon\argonui.exe"C:\Users\Admin\AppData\Roaming\Argon\argonui.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "ArgonUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Argon\argonui.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD50213a1dc625eaf82e4d4a94ef9155eeb
SHA1af3df68c68a7070079b123ce2f22389a5aa768df
SHA256532a988eeae201a337f328d2120f8af790042da93735c0fc0c17a1063fdf7f60
SHA51267277e020c3776695b2fb854e834a2850dcfd378fed62b84414ead8c1dce7d1859b2799c973f599a4661124912a49c685c8438b3df7e4012ee7777b1ce489f26
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB