Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06-01-2025 15:53
General
-
Target
crackedghost.exe
-
Size
3.1MB
-
MD5
8fb6e61c70265d45b480e1eca5b30e76
-
SHA1
0a21e12daefaeda97e884c115692e3ddaa3e0c8d
-
SHA256
d4a60c83d98c9d6c74eec924ec2e2162e52b1b891c86879e362f53e16c368c02
-
SHA512
c90dcbee2100579d3344e730e4c5d3237a9d160cd0d9ac852d50d3839ded2dc23957bd2ff9b902b0858a9f233e5169745de03d409c6afaeee6b5099ac096f77c
-
SSDEEP
49152:evyI22SsaNYfdPBldt698dBcjHxACw9BxISoGd7sTHHB72eh2NT:evf22SsaNYfdPBldt6+dBcjH/wzL
Malware Config
Extracted
quasar
1.4.1
Office04
192.168.1.54:4782
1f2a5187-d470-4222-a3bc-7922d33f971c
-
encryption_key
5D09CC3094EDBAD95E2D5D556E759224738027A3
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\crackedghost.exe"C:\Users\Admin\AppData\Local\Temp\crackedghost.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD58fb6e61c70265d45b480e1eca5b30e76
SHA10a21e12daefaeda97e884c115692e3ddaa3e0c8d
SHA256d4a60c83d98c9d6c74eec924ec2e2162e52b1b891c86879e362f53e16c368c02
SHA512c90dcbee2100579d3344e730e4c5d3237a9d160cd0d9ac852d50d3839ded2dc23957bd2ff9b902b0858a9f233e5169745de03d409c6afaeee6b5099ac096f77c
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB