Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1033s
  • max time network
    1043s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18/01/2025, 08:05 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    e95dbcf6b36ef995310b6eaf26ebe3f7

  • SHA1

    34fab34a2311b2c67ca62e17f368a9e45390e32a

  • SHA256

    d28acb4d213710a1244890036bdf80713c4a33584e8036d379802c1881e90f24

  • SHA512

    87064ecafbd5c2bf2d3c2d5944568b6c8860d62081210fc8f1000269b4d280958e96ece246379c7de43c83c28aabd59463777a7056d93f6de026d8d2c61c85e4

  • SSDEEP

    49152:bvyI22SsaNYfdPBldt698dBcjHlVSl1J/CoGdPTHHB72eh2NT:bvf22SsaNYfdPBldt6+dBcjHlVS0

Score
10/10
quasarmyscasmmerspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Myscasmmer

C2

192.168.0.26:4782

Mutex

eb08c9a6-9a1e-4b9d-a7ab-8e6e44c6fc66

Attributes
  • encryption_key

    2E42F13569D1CAF4CA99640EB8D8A7A5AA13B260

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:796
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2296
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2408

Network

    No results found
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
  • 192.168.0.26:4782
    Client.exe
    152 B
     3
No results found

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Filesize

    3.1MB

    MD5

    e95dbcf6b36ef995310b6eaf26ebe3f7

    SHA1

    34fab34a2311b2c67ca62e17f368a9e45390e32a

    SHA256

    d28acb4d213710a1244890036bdf80713c4a33584e8036d379802c1881e90f24

    SHA512

    87064ecafbd5c2bf2d3c2d5944568b6c8860d62081210fc8f1000269b4d280958e96ece246379c7de43c83c28aabd59463777a7056d93f6de026d8d2c61c85e4

    Download Submit

  • memory/796-0-0x000007FEF5423000-0x000007FEF5424000-memory.dmp

    Filesize

    4KB

    Download

  • memory/796-1-0x0000000001080000-0x00000000013A4000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/796-2-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/796-8-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1572-9-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1572-10-0x0000000000E70000-0x0000000001194000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/1572-11-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1572-12-0x000007FEF5420000-0x000007FEF5E0C000-memory.dmp

    Filesize

    9.9MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.