Analysis

  • max time kernel
    125s
  • max time network
    142s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    25/12/2024, 19:05 UTC

General

  • Target

    newwasdwasd.exe

  • Size

    3.1MB

  • MD5

    048106e39bf4014d0c3e0481becddb92

  • SHA1

    7f12cc9a25a07a9ff47d34fa53fed13144b07342

  • SHA256

    ef2a326a4226caafa7542e93fc2aa474874907eb369dfca8dea080a4a8fa854d

  • SHA512

    1ff8fbed8e2775f5559ece342c133e8018c9df6ab1ebec66b45312a4ab79f8c275516c1a4fd1cd1d37af7e0382f44a90e3e7e8078790296eb7e793122cee00ff

  • SSDEEP

    49152:7vwhBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaQSSMf3VoGdwTHHB72eh2NT:7vit2d5aKCuVPzlEmVQ0wvwfQSj

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

minecraft_updater

C2

98.97.12.133:631

Mutex

182d06ff-972f-4a96-b344-59a01694d374

Attributes
  • encryption_key

    C5904FDD788EA00F921C538B9FE80C0B0A0DE728

  • install_name

    MinecraftUpdater.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    MinecraftUpdater

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\newwasdwasd.exe
    "C:\Users\Admin\AppData\Local\Temp\newwasdwasd.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3768
    • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "MinecraftUpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3836

Network

  • DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
    Response
    nexusrules.officeapps.live.com
    IN CNAME
    prod.nexusrules.live.com.akadns.net
    prod.nexusrules.live.com.akadns.net
    IN A
    52.111.243.30
  • DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
  • DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
  • DNS
    nexusrules.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    nexusrules.officeapps.live.com
    IN A
  • DNS
    30.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    30.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 98.97.12.133:631
    MinecraftUpdater.exe
    260 B
    5
  • 98.97.12.133:631
    MinecraftUpdater.exe
    260 B
    5
  • 98.97.12.133:631
    MinecraftUpdater.exe
    260 B
    5
  • 98.97.12.133:631
    MinecraftUpdater.exe
    260 B
    5
  • 98.97.12.133:631
    MinecraftUpdater.exe
    260 B
    5
  • 98.97.12.133:631
    MinecraftUpdater.exe
    260 B
    5
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    370 B
    231 B
    5
    2

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    nexusrules.officeapps.live.com

    DNS Request

    nexusrules.officeapps.live.com

    DNS Request

    nexusrules.officeapps.live.com

    DNS Request

    nexusrules.officeapps.live.com

    DNS Response

    52.111.243.30

  • 8.8.8.8:53
    30.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\MinecraftUpdater.exe

    Filesize

    3.1MB

    MD5

    048106e39bf4014d0c3e0481becddb92

    SHA1

    7f12cc9a25a07a9ff47d34fa53fed13144b07342

    SHA256

    ef2a326a4226caafa7542e93fc2aa474874907eb369dfca8dea080a4a8fa854d

    SHA512

    1ff8fbed8e2775f5559ece342c133e8018c9df6ab1ebec66b45312a4ab79f8c275516c1a4fd1cd1d37af7e0382f44a90e3e7e8078790296eb7e793122cee00ff

  • memory/2848-0-0x00007FFB5DE53000-0x00007FFB5DE55000-memory.dmp

    Filesize

    8KB

  • memory/2848-1-0x00000000003C0000-0x00000000006E4000-memory.dmp

    Filesize

    3.1MB

  • memory/2848-2-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

    Filesize

    10.8MB

  • memory/2848-9-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

    Filesize

    10.8MB

  • memory/3364-10-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

    Filesize

    10.8MB

  • memory/3364-11-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

    Filesize

    10.8MB

  • memory/3364-12-0x000000001BE10000-0x000000001BE60000-memory.dmp

    Filesize

    320KB

  • memory/3364-13-0x000000001BF20000-0x000000001BFD2000-memory.dmp

    Filesize

    712KB

  • memory/3364-14-0x00007FFB5DE50000-0x00007FFB5E912000-memory.dmp

    Filesize

    10.8MB
