Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
31-12-2024 07:40
General
-
Target
diskutil.exe
-
Size
3.2MB
-
MD5
64037f2d91fe82b3cf5300d6fa6d21c3
-
SHA1
61c8649b92fc06db644616af549ff5513f0f0a6d
-
SHA256
33aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e
-
SHA512
2a70ef0c4d3a2237175078f0e84cd35d7d595422c3aa5219d6f0fe876f82cf60e1d4f592a58f166cf8175c52d275c21950c5ea421416fee8877dfaec5b9be008
-
SSDEEP
49152:Kvkt62XlaSFNWPjljiFa2RoUYISyMDJERHWk/OgRoGduATHHB72eh2NT8:Kv462XlaSFNWPjljiFXRoUYILMDZq+q
Malware Config
Extracted
quasar
1.4.1
Helper Atanka
193.203.238.136:8080
14f39659-ca5b-4af7-8045-bed3500c385f
-
encryption_key
11049F2AEBDCF8E3A57474CD5FBA40FB2FFC5424
-
install_name
diskutil.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
diskutil
-
subdirectory
diskutil
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\diskutil.exe"C:\Users\Admin\AppData\Local\Temp\diskutil.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "diskutil" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe"C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "diskutil" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\diskutil\diskutil.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD564037f2d91fe82b3cf5300d6fa6d21c3
SHA161c8649b92fc06db644616af549ff5513f0f0a6d
SHA25633aab91831bba3a5fea7f49da16d5506254d66377d3074ff9457af4220be670e
SHA5122a70ef0c4d3a2237175078f0e84cd35d7d595422c3aa5219d6f0fe876f82cf60e1d4f592a58f166cf8175c52d275c21950c5ea421416fee8877dfaec5b9be008
-
Filesize
4KB
-
Filesize
3.2MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.2MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB