Analysis

  • max time kernel
    30s
  • max time network
    18s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    18/01/2025, 22:45 UTC

General

  • Target

    Test2.exe

  • Size

    3.1MB

  • MD5

    7f888b6cbd5062a7558eea61eb9a9ca2

  • SHA1

    2acfb5c3e7b8e569ea52397154b9b3ffb44e7d87

  • SHA256

    864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad

  • SHA512

    7da70e844e0fce4b4bbc70db89503b95b6514cabf9ce9cf66fed643f6c11aafc5e7a8f385b5d16f7fa802cc47c9200bf486030834551d14c55078307ef7e93d8

  • SSDEEP

    49152:/v2lL26AaNeWgPhlmVqvMQ7XSKKQSYmzwXoGdVTHHB72eh2NT:/v2L26AaNeWgPhlmVqkQ7XSKKQSq

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

llordiWasHere-55715.portmap.host:55715

Mutex

124c5996-13c0-46a2-804a-191042a109db

Attributes
  • encryption_key

    5F48258CBD7D9014A9443146E8A3D837D1715CAE

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir
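
The extracted configuration above fixes where this build lands on a host and where it calls home: `%APPDATA%\<subdirectory>\<install_name>` for the binary (confirmed by the process tree), `startup_key` as the name of its autorun entry, `mutex` for single-instance detection, and `host:port` entries in the C2 list. The following is an added example, not Triage or Quasar code, that turns those fields into checkable IoCs and runs them over a host snapshot. The snapshot layout (files, run_values, mutexes, dns_queries, connections) is a hypothetical normalised export constructed here; the Run-key location is the per-user Run key Quasar uses when not elevated, which this report does not show directly and is therefore labelled as an assumption.

```python
"""Derive host/network IoCs from the Quasar config extracted in this report
and match them against a host snapshot.

Added example for this report; not Triage or Quasar code. The snapshot
format below is a constructed, hypothetical export, not a real tool's output."""
import re

# Values copied from the "Malware Config" section of this report.
EXTRACTED_CONFIG = {
    "family": "quasar",
    "version": "1.4.1",
    "c2": ["llordiWasHere-55715.portmap.host:55715"],
    "mutex": "124c5996-13c0-46a2-804a-191042a109db",
    "install_name": "Client.exe",
    "subdirectory": "SubDir",
    "startup_key": "Quasar Client Startup",
    "sha256": "864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad",
}


def parse_c2(entry):
    """Split a Quasar 'host:port' C2 entry; reject anything without a valid port."""
    m = re.fullmatch(r"([A-Za-z0-9.\-]+):(\d{1,5})", entry.strip())
    if not m or not 0 < int(m.group(2)) < 65536:
        raise ValueError("unparseable C2 entry: %r" % entry)
    return m.group(1).lower(), int(m.group(2))


def iocs_from_config(cfg):
    """Artefacts a client built from this config leaves on a host.

    Install path: %APPDATA%\\<subdirectory>\\<install_name> (matches the tree above).
    Run value: HKCU Run, named <startup_key> - assumption, the report shows no registry data."""
    suffix = r"\appdata\roaming\%s\%s" % (cfg["subdirectory"], cfg["install_name"])
    return {
        "install_suffix": suffix.lower(),
        "run_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
        "run_value": cfg["startup_key"],
        "mutex": cfg["mutex"].lower(),
        "c2": [parse_c2(e) for e in cfg["c2"]],
        "sha256": cfg["sha256"].lower(),
    }


def match_snapshot(iocs, snap):
    """Return (kind, detail) for every IoC present in the snapshot."""
    hits = []
    for f in snap.get("files", []):
        if f["path"].lower().endswith(iocs["install_suffix"]):
            hits.append(("install_path", f["path"]))
        if f.get("sha256", "").lower() == iocs["sha256"]:
            hits.append(("sha256", f["path"]))
    for key, name, data in snap.get("run_values", []):
        if key.lower() == iocs["run_key"].lower() and name == iocs["run_value"]:
            hits.append(("run_value", data))
    for m in snap.get("mutexes", []):
        if m.lower() == iocs["mutex"]:
            hits.append(("mutex", m))
    c2_hosts = {h for h, _ in iocs["c2"]}
    for q in snap.get("dns_queries", []):
        if q.lower() in c2_hosts:
            hits.append(("c2_dns", q))
    for h, p in snap.get("connections", []):
        if (h.lower(), p) in set(iocs["c2"]):
            hits.append(("c2_connect", "%s:%d" % (h, p)))
    return hits


# Constructed snapshot modelled on the artefacts this report shows.
SAMPLE_SNAPSHOT = {
    "files": [
        {"path": r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
         "sha256": "864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad"},
        {"path": r"C:\Users\Admin\AppData\Local\Temp\lzY54pJcYq4K.bat",
         "sha256": "51b9f21b9fed785b4ad209cac32adbec347f5ad1f6a4b07124795cbbd554e648"},
    ],
    "run_values": [  # assumed location, see iocs_from_config()
        (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Quasar Client Startup",
         r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"),
    ],
    "mutexes": ["124c5996-13c0-46a2-804a-191042a109db"],
    "dns_queries": ["llordiWasHere-55715.portmap.host"],
    "connections": [],  # the sandbox captured the lookup but no C2 session
}

if __name__ == "__main__":
    for kind, detail in match_snapshot(iocs_from_config(EXTRACTED_CONFIG), SAMPLE_SNAPSHOT):
        print("%-12s %s" % (kind, detail))
```

The hash check matters here because the dropped `Client.exe` is a byte-for-byte copy of the submitted `Test2.exe` (same SHA256 in the Downloads section), so a file hash alone identifies both the dropper and the installed copy; the mutex and startup-key names are the cheaper live-host checks when the binary has been rebuilt with a different hash.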

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Test2.exe
    "C:\Users\Admin\AppData\Local\Temp\Test2.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1408
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\lzY54pJcYq4K.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\system32\chcp.com
          chcp 65001
          4⤵
            PID:1648
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            4⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2712
          • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
            "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
            4⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2760
            • C:\Windows\system32\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\vbDfdpq6ywbl.bat" "
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1688
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2372
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:2188
                • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2956
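
The tree above repeats one shape twice: `Client.exe` spawns `cmd.exe` on a temp `.bat`, that batch runs `chcp 65001`, sleeps with `ping -n 10 localhost`, and starts a fresh `Client.exe` from the same path, which then does it again. Below is an added detection example (not Triage or Quasar code) that finds that chain in process-creation events. The events are constructed here in a Sysmon-like shape using the PIDs and command lines from this report, plus a benign batch job that also uses `ping` as a sleep but relaunches nothing; the parent PIDs 1000 and 900 for the roots are invented.

```python
"""Detect the Quasar-style relaunch chain from the process tree above:
cmd.exe running a temp .bat whose children are chcp.com, a ping-to-localhost
sleep, and a new instance of cmd's own parent image.

Added example for this report; not Triage or Quasar code. Events are
constructed in a Sysmon-like shape (pid, ppid, image, cmdline)."""
import re
from collections import defaultdict

CLIENT = r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
CMD = r"C:\Windows\system32\cmd.exe"

# Constructed events mirroring the two relaunch rounds in the report's tree
# (parent PIDs 1000 and 900 are invented), plus one benign batch job.
EVENTS = [
    {"pid": 2296, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\Test2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Test2.exe"'},
    {"pid": 1408, "ppid": 2296, "image": CLIENT, "cmdline": '"%s"' % CLIENT},
    {"pid": 1644, "ppid": 1408, "image": CMD,
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\lzY54pJcYq4K.bat" "'},
    {"pid": 1648, "ppid": 1644, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 2712, "ppid": 1644, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 2760, "ppid": 1644, "image": CLIENT, "cmdline": '"%s"' % CLIENT},
    {"pid": 1688, "ppid": 2760, "image": CMD,
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\vbDfdpq6ywbl.bat" "'},
    {"pid": 2372, "ppid": 1688, "image": r"C:\Windows\system32\chcp.com", "cmdline": "chcp 65001"},
    {"pid": 2188, "ppid": 1688, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 10 localhost"},
    {"pid": 2956, "ppid": 1688, "image": CLIENT, "cmdline": '"%s"' % CLIENT},
    # benign: a scheduled backup script that sleeps with ping, respawns nothing
    {"pid": 3001, "ppid": 900, "image": CMD, "cmdline": r'cmd /c "C:\Scripts\backup.bat"'},
    {"pid": 3002, "ppid": 3001, "image": r"C:\Windows\system32\PING.EXE", "cmdline": "ping -n 5 localhost"},
]

BAT_RE = re.compile(r"\.bat\b", re.I)
# "ping -n <count> localhost" used as a sleep; also accept 127.0.0.1
PING_SLEEP_RE = re.compile(r"^ping(\.exe)?\s+-n\s+\d+\s+(localhost|127\.0\.0\.1)\b", re.I)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_relaunch_chains(events):
    """One finding per cmd.exe that ran a .bat and whose children include
    chcp.com, a ping sleep, and a new copy of cmd's parent image."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for cmd in events:
        if image_name(cmd["image"]) != "cmd.exe" or not BAT_RE.search(cmd["cmdline"]):
            continue
        parent = by_pid.get(cmd["ppid"])
        if parent is None:
            continue  # orphan cmd.exe: nothing to compare the relaunch against
        kids = children[cmd["pid"]]
        has_chcp = any(image_name(k["image"]) == "chcp.com" for k in kids)
        has_sleep = any(PING_SLEEP_RE.match(k["cmdline"]) for k in kids)
        relaunch = [k for k in kids if k["image"].lower() == parent["image"].lower()]
        if has_chcp and has_sleep and relaunch:
            findings.append({"cmd_pid": cmd["pid"], "batch": cmd["cmdline"],
                             "relaunched": parent["image"], "new_pid": relaunch[0]["pid"]})
    return findings


if __name__ == "__main__":
    for f in find_relaunch_chains(EVENTS):
        print("cmd.exe %d ran %s and relaunched %s as PID %d"
              % (f["cmd_pid"], f["batch"], f["relaunched"], f["new_pid"]))
```

Requiring all three children keeps the benign `ping`-as-sleep batch out of the results; the strongest single signal is the last one, a batch started by a process that then starts a new copy of that same image, since `chcp` and `ping` are common in legitimate scripts.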

      Network

      • DNS lookup by Client.exe
        Domain: llordiWasHere-55715.portmap.host
        Remote address: 8.8.8.8:53 (US)
        Request: llordiWasHere-55715.portmap.host IN A
        Response: no address records returned

      • Flow: 8.8.8.8:53, dns, llordiWasHere-55715.portmap.host, Client.exe
        Sent: 78 B
        Received: 171 B
        Packets: 1 / 1
        DNS Request: llordiWasHere-55715.portmap.host

      Only the lookup of the configured C2 name was captured; no TCP session to the C2 port (55715) appears in this run.

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\lzY54pJcYq4K.bat

        Filesize

        207B

        MD5

        7e423cf5c0ca7b2d2cf8bc2ab10dc407

        SHA1

        925138a10ddc2ca0ec7254a0be6548cb4e880d49

        SHA256

        51b9f21b9fed785b4ad209cac32adbec347f5ad1f6a4b07124795cbbd554e648

        SHA512

        64632ad40780f51df660ef4d1e32fe427d984d50a1f3c52b4334bcdbf2666bfef82d38f75887305f1a93bd3b99a255a1b0d2e20a20d71ca5120ea7e81f050bfc

      • C:\Users\Admin\AppData\Local\Temp\vbDfdpq6ywbl.bat

        Filesize

        207B

        MD5

        f15248c1d616a4e9ced65fd29b0eb296

        SHA1

        24fe55f193ad1956b7986983933aa876cb13aa94

        SHA256

        c4dd3e44dbd39bd091da3efd95111e2b09a712842548d2d7faed5896bd5e4bdf

        SHA512

        2fa95fd0ea9e29481d4dfeb3e5b160e014533296fe05dd9a3bc6bb93b234361ea6f5e1e5b022c67f81061c210e4f785b79bd28e797734634665139b35cb93fd4

      • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

        Filesize

        3.1MB

        MD5

        7f888b6cbd5062a7558eea61eb9a9ca2

        SHA1

        2acfb5c3e7b8e569ea52397154b9b3ffb44e7d87

        SHA256

        864bec690da391f258de447606ac18baa79672b665ba321a4da67ed59d567cad

        SHA512

        7da70e844e0fce4b4bbc70db89503b95b6514cabf9ce9cf66fed643f6c11aafc5e7a8f385b5d16f7fa802cc47c9200bf486030834551d14c55078307ef7e93d8

      • memory/1408-21-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

        Filesize

        9.9MB

      • memory/1408-11-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

        Filesize

        9.9MB

      • memory/1408-8-0x0000000000FE0000-0x0000000001304000-memory.dmp

        Filesize

        3.1MB

      • memory/1408-9-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

        Filesize

        9.9MB

      • memory/2296-10-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

        Filesize

        9.9MB

      • memory/2296-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp

        Filesize

        4KB

      • memory/2296-2-0x000007FEF5830000-0x000007FEF621C000-memory.dmp

        Filesize

        9.9MB

      • memory/2296-1-0x0000000001330000-0x0000000001654000-memory.dmp

        Filesize

        3.1MB

      • memory/2956-34-0x00000000013E0000-0x0000000001704000-memory.dmp

        Filesize

        3.1MB
