Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
05-01-2025 15:56
General
-
Target
b48f94c872bb4e3596924f7f587b0a54.exe
-
Size
3.1MB
-
MD5
b48f94c872bb4e3596924f7f587b0a54
-
SHA1
748f86a0394486b577978794145328702ac77a62
-
SHA256
e3d17377d59312e36a5e3b503a7259ffeaac4dd742222be0ad9a8ea443d3f7de
-
SHA512
2704c862668c3ad9f9222761b91861b1c84d84021c1309b309f5cd267fc77e542ca2c821dccb2d9ff2f2063dbc5b604204c2969fa68c7a0de3f2e40039655da1
-
SSDEEP
49152:yvtt62XlaSFNWPjljiFa2RoUYIDHxEESEQk/iRLoGdv1THHB72eh2NT:yvP62XlaSFNWPjljiFXRoUYIbxEh
Malware Config
Extracted
quasar
1.4.1
Miner
154.216.19.144:7000
9aaccf69-ec3a-44b7-854b-ecd43ee8e151
-
encryption_key
4A883D3FC8F269324ACDCF0E4B7FFECA042CD47D
-
install_name
Svc.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Svc
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b48f94c872bb4e3596924f7f587b0a54.exe"C:\Users\Admin\AppData\Local\Temp\b48f94c872bb4e3596924f7f587b0a54.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Svc.exe"C:\Users\Admin\AppData\Roaming\SubDir\Svc.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Svc" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Svc.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5b48f94c872bb4e3596924f7f587b0a54
SHA1748f86a0394486b577978794145328702ac77a62
SHA256e3d17377d59312e36a5e3b503a7259ffeaac4dd742222be0ad9a8ea443d3f7de
SHA5122704c862668c3ad9f9222761b91861b1c84d84021c1309b309f5cd267fc77e542ca2c821dccb2d9ff2f2063dbc5b604204c2969fa68c7a0de3f2e40039655da1
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB