Overview

overview

10

Static

static

10

rbxfpsunlocker.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    100s
  • max time network
    105s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    31/12/2024, 14:37

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    rbxfpsunlocker.exe

  • Size

    3.1MB

  • MD5

    09a5b059ce629f09d69e340065aeb553

  • SHA1

    6b6bff18c4452a25107210a6b59f298229e4ac95

  • SHA256

    ec46dd64a026223ff115efdc51fd486069607041025e89d51f25d112cf33b77e

  • SHA512

    ce94308bf44567e776e54606308089ddc3505c2cd1a8481d37ad128c6edfa1c2a9df418cb7865329ac1901e4c524d8c01042bd1471672a18721f2a9a25dab0bb

  • SSDEEP

    49152:Cvdt62XlaSFNWPjljiFa2RoUYIJeRJ6gbR3LoGdOTHHB72eh2NT:Cvf62XlaSFNWPjljiFXRoUYIJeRJ66

Score
10/10
quasarbeamedspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

beamed

C2

192.168.203.82:4782

Mutex

3dad94cd-63f6-460a-a986-b1841d5dfefe

Attributes
  • encryption_key

    DE46F816EBC96DE37F9233DDE7709263C7680426

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    JavaUpdate

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 34 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 22 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe
    "C:\Users\Admin\AppData\Local\Temp\rbxfpsunlocker.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4740
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "JavaUpdate" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:236
    • C:\Program Files\SubDir\Client.exe
      "C:\Program Files\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3464
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "JavaUpdate" /sc ONLOGON /tr "C:\Program Files\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4212
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:236
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0563986f-d604-4e97-bafe-85473d60558c} 236 "\\.\pipe\gecko-crash-server-pipe.236" gpu
        3⤵
          PID:4480
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54536ad5-26c8-4330-971a-745ecaf58b70} 236 "\\.\pipe\gecko-crash-server-pipe.236" socket
          3⤵
          • Checks processor information in registry
          PID:4968
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3168 -childID 1 -isForBrowser -prefsHandle 2932 -prefMapHandle 2940 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cd32b8b-1148-4a4a-b3b4-6b26440a98e1} 236 "\\.\pipe\gecko-crash-server-pipe.236" tab
          3⤵
            PID:3548
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4048 -childID 2 -isForBrowser -prefsHandle 4040 -prefMapHandle 4036 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {519f16a8-5420-4415-909e-8d2ce1bbe38b} 236 "\\.\pipe\gecko-crash-server-pipe.236" tab
            3⤵
              PID:2596
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4932 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4920 -prefMapHandle 4912 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6d5658fd-b01b-404f-a550-d4a001da39ce} 236 "\\.\pipe\gecko-crash-server-pipe.236" utility
              3⤵
              • Checks processor information in registry
              PID:5572
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 3 -isForBrowser -prefsHandle 5472 -prefMapHandle 5484 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe351c14-c479-49fa-ad50-ff7862da454a} 236 "\\.\pipe\gecko-crash-server-pipe.236" tab
              3⤵
                PID:3340
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5616 -childID 4 -isForBrowser -prefsHandle 5624 -prefMapHandle 5628 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d87c98f-2491-4069-9607-ddec1ee4922b} 236 "\\.\pipe\gecko-crash-server-pipe.236" tab
                3⤵
                  PID:5508
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 5808 -prefMapHandle 5812 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {239940cd-1e49-4685-b197-9c2d04f4b8aa} 236 "\\.\pipe\gecko-crash-server-pipe.236" tab
                  3⤵
                    PID:5564
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6880 -childID 6 -isForBrowser -prefsHandle 7228 -prefMapHandle 6264 -prefsLen 33516 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6435dd88-2579-4616-9139-b9b710545228} 236 "\\.\pipe\gecko-crash-server-pipe.236" tab
                    3⤵
                      PID:5404

                Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Program Files\SubDir\Client.exe
                        Filesize

                        3.1MB

                        MD5

                        09a5b059ce629f09d69e340065aeb553

                        SHA1

                        6b6bff18c4452a25107210a6b59f298229e4ac95

                        SHA256

                        ec46dd64a026223ff115efdc51fd486069607041025e89d51f25d112cf33b77e

                        SHA512

                        ce94308bf44567e776e54606308089ddc3505c2cd1a8481d37ad128c6edfa1c2a9df418cb7865329ac1901e4c524d8c01042bd1471672a18721f2a9a25dab0bb

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\activity-stream.discovery_stream.json
                        Filesize

                        22KB

                        MD5

                        0077acc7de4451d8ed16a1fa358eb20b

                        SHA1

                        9c5518cbac6d8838dc1b11618a9a1613e5ad1943

                        SHA256

                        8fefb057ae8b33b1623f109cd9f31faf6f275bc4223a7abddd05e0d70f429e63

                        SHA512

                        d73f03699ec533fae8fdd64f1685d04212686a7b0836165da2696caf0a4737a3fec3544c7dad44d8475be215e5b4023bbfd09b16fbc41ed5bec56c5294e4128a

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\tmpaddon
                        Filesize

                        479KB

                        MD5

                        09372174e83dbbf696ee732fd2e875bb

                        SHA1

                        ba360186ba650a769f9303f48b7200fb5eaccee1

                        SHA256

                        c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

                        SHA512

                        b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\AlternateServices.bin
                        Filesize

                        8KB

                        MD5

                        03fb65d2ec4f84fda399888396d0a53a

                        SHA1

                        d82e974c7b0f6cc939c4de25eddaefffaf88a08d

                        SHA256

                        af19beaa9dca6337d84eeebcc2dbd6f4ecc0d330183d8faf88cb83d0450e8d79

                        SHA512

                        df570bc7ee8d2f3a17e548ebf8ac4b45eb27deb1b93ed30c45870bd8521bfbbf275aa58249a27bcb93970026d2f321830b4c8222c829915a546c196d90293569

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\db\data.safe.tmp
                        Filesize

                        5KB

                        MD5

                        20bb00929b43d0db067f18c12f0dc8fd

                        SHA1

                        f2b7c9b5169187d3b7461265d08cb48bd8669569

                        SHA256

                        68986f2a5e718e918ef3fbaa948a7d83aebaf840359c780d5c705d5d467849e2

                        SHA512

                        f279be1b074b68a1d97433b150080287081ba98fb3af6fc38a69d07369c6828960911f5d88ed7cf921c75b4e871d3a38dcbbb5b477b3d8d6abd4b360ffb0b97d

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\db\data.safe.tmp
                        Filesize

                        7KB

                        MD5

                        af8d9fa83d95109e1f56979802db0e3c

                        SHA1

                        54ba41c32f853d6f3f250988f53ddd0c8fc7fe3d

                        SHA256

                        6269fc3586978f26c05e876708b500ab81e1b11238f9dd1738c2b15616f35672

                        SHA512

                        a8bbd7f813109ced5119090346c8978eda185d3365da665aff3c0673c76bbcfa574bfb67a40438d7df67f13769ff12ca46c08e40b4465ede3da2497ed8d4e4f0

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\db\data.safe.tmp
                        Filesize

                        6KB

                        MD5

                        5b1db7b2c744bb33610f5c10cad8bb06

                        SHA1

                        a7186ca27266f4054f15db75c01039c12155fb95

                        SHA256

                        ce371a573f6f434e280e0fad73293aeb7099581e2413cdc5ab8d4923f70b351e

                        SHA512

                        333e30047dff96fac58bf0ff8d762f95eaff160631fea488565a0c4c63d8bc86a374fd9cc04141b2bb0f9eccaa05119c1d54e2f4dd37c994944f269d12de9936

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\db\data.safe.tmp
                        Filesize

                        6KB

                        MD5

                        3eee42931408ec2443e2c479f65b24a9

                        SHA1

                        a9395d9291daa1128200816476db701dae0f82be

                        SHA256

                        cfa53bd8ea84501341b6ae7078c02e26f13b11cf998ff299e4240aa278a9f929

                        SHA512

                        1f985afe47c54406c7a3ee5134744a330dfeae7d97ecab409810edf75b728a87d03d94dd7607c1beae1734cbba4758f4a01b2a712cba0e061f08664fb12f40c5

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\pending_pings\5ad09b97-60c6-40ae-b17f-db65ebbd7c72
                        Filesize

                        671B

                        MD5

                        8ab375b493d628de28a544281e76ed29

                        SHA1

                        9f772cef6a2074b4e21ebe9aea1d98769c257852

                        SHA256

                        5e5e4cbeaa4b5c6e491363d12479d027e8a9f8e1d6fc5676ca09e40e803f84be

                        SHA512

                        d0bc0c190ef3056363445c53fffbdf17f6f2f181d9f84014fde9ee270ff94f70f2b6485e6add249e294f3a7e57f124d1243bdb15f5ec06c2ad132dfb6650fb6d

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\pending_pings\5f72cf9e-c111-4904-b120-7221e4f15b46
                        Filesize

                        982B

                        MD5

                        15225873e37e0769c01d84216658b27b

                        SHA1

                        82dd8d15114322e638189ae18f9e46d98bec93de

                        SHA256

                        4c122e12256c0f4b483d8335291ee1dc8ef543c55dfac85198fc58c7e35ec276

                        SHA512

                        3228faec2363af215e2c405dfbf59c67e16260356164eae3808dda92b6a00aa37c2b76782a4bbc16c36b09f77b93bc54d5dde5260316b6f8de9fac994a86608a

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\datareporting\glean\pending_pings\fc044a04-c83b-440a-b3cc-502a7d2630e8
                        Filesize

                        25KB

                        MD5

                        bf31e8f07b14429aedb2f33d159a66bf

                        SHA1

                        1235da6fcf3a924f8224b18e66a871174a02bb23

                        SHA256

                        e52bd117b17c73ddd964d24fee3fc7781886c86989c3eb3462aaf9d2a7d99c00

                        SHA512

                        523f2070f0b7c119a7998035f1f6d11716dcf0d09c2244a5fd6adb31d286856b20116ad0eaecf15f7f7605563ddd30cc87ac0031cf92ebbdb7d5ab79c2ed1582

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
                        Filesize

                        1.1MB

                        MD5

                        842039753bf41fa5e11b3a1383061a87

                        SHA1

                        3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

                        SHA256

                        d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

                        SHA512

                        d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
                        Filesize

                        116B

                        MD5

                        2a461e9eb87fd1955cea740a3444ee7a

                        SHA1

                        b10755914c713f5a4677494dbe8a686ed458c3c5

                        SHA256

                        4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

                        SHA512

                        34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\prefs-1.js
                        Filesize

                        10KB

                        MD5

                        2c91069b127c7ccf5926719936672c78

                        SHA1

                        00980681b6bc7d78987608dd3ec5f8213af7682f

                        SHA256

                        175d3e949e731b01d4792f5048974162f6ebfd30b319b9bac83047960d56d7e1

                        SHA512

                        0e4c13e552a5bf9ec60c9dbf28f50ee802716b0821c9316f61db295962522aba816f8dcfd8ffead08f84078215795b94cc77292744094734863be29fc625d9c2

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\prefs-1.js
                        Filesize

                        10KB

                        MD5

                        66c7a0ce49514c29c1b79eac466ec988

                        SHA1

                        638052a935b5252ba91d4c8fea42a4887e30bfb0

                        SHA256

                        1339f73e9c9ef432064d2094a7d1b521514e637a2c7e1f2935dda78aa25b6769

                        SHA512

                        8c7256285d7e370fb43addeade97f4c08c033201443b9091500c3a086f8e79717b16e9c99b791fdcff4f7109812fae0a7fc7f1b4918373b6e34858abe41baadc

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\prefs.js
                        Filesize

                        10KB

                        MD5

                        59b6021462345131cc40d29613c26071

                        SHA1

                        c80298fb110576c336ce11a33408c23f1d161006

                        SHA256

                        c07ec0203878a8ccd300e8ef7fd9da22830c7900675ea706e09c272a006a106c

                        SHA512

                        ca99c0d07900a1104caaefcfc68b42cabc2abfddf6ab641fb15338f163dacde9bcde62e89c34fcb22b4378dba7fcae8aca50f36b1feae1510636737d816d8082

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uhqcqu3c.default-release\sessionstore-backups\recovery.baklz4
                        Filesize

                        1KB

                        MD5

                        d916a8ae68196b51d75f098035798b3f

                        SHA1

                        bed919fb0a754eb03d41f4ed9ba8abae6b4ce2a0

                        SHA256

                        7a3a71aa121f6de236656ef7338c9f9767d7b1b0517917a03f729779052f6dd2

                        SHA512

                        45102f8402e950680a615a555d7b170c5344604fca341794dc93d66dd2b41f02c75145e735e0d7b354061ede7696af000499fa33c1db1dcb6590f8f63fb3e35b

                        Download Submit

                      • memory/3464-11-0x00007FFDCA250000-0x00007FFDCAD12000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/3464-9-0x000000001D1D0000-0x000000001D6F8000-memory.dmp

                        Filesize

                        5.2MB

                        Download

                      • memory/3464-8-0x000000001C9E0000-0x000000001CA92000-memory.dmp

                        Filesize

                        712KB

                        Download

                      • memory/3464-7-0x000000001C8D0000-0x000000001C920000-memory.dmp

                        Filesize

                        320KB

                        Download

                      • memory/3464-6-0x00007FFDCA250000-0x00007FFDCAD12000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/3464-5-0x00007FFDCA250000-0x00007FFDCAD12000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/4740-10-0x00007FFDCA250000-0x00007FFDCAD12000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/4740-0-0x00007FFDCA253000-0x00007FFDCA255000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/4740-2-0x00007FFDCA250000-0x00007FFDCAD12000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/4740-1-0x00000000004C0000-0x00000000007E4000-memory.dmp

                        Filesize

                        3.1MB

                        Download