Analysis

  • max time kernel
    137s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-01-2025 02:11

General

  • Target

    2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe

  • Size

    10.7MB

  • MD5

    436052b37a3752148c885667e34dd9c3

  • SHA1

    59dbc9e97fb1c74ae666bc87e9ab2f453f780006

  • SHA256

    2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88

  • SHA512

    c6ef01300bb1350d64e5a4d5f48a1c013f8638ac9240820d2d27e951b0ca4b105ff2ee66a07bb3954178c7df8435dbfb561b7a7112f8f3ec79e63cedb7f4d784

  • SSDEEP

    196608:QPW6IG7f1KCArQWGRhoDyp7t1OCf80nXIQPfMEftec7HsrEha1:w37d6T+97t1OCf80XIxQec7O

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost 2

C2

41.216.183.179:3742

Mutex

d018acac-011d-4ca3-b0c3-4fdd7ec2d6d1

Attributes
  • encryption_key

    0325CE0E85B5B8870BB69FE8C81088DBCBFAC6F7

  • install_name

    Host Process for Windows Tasks.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Host Process for Windows Tasks

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost 3

C2

41.216.183.179:3742

Mutex

11b8b70b-ab15-4aab-8132-3e7b18b2b48b

Attributes
  • encryption_key

    0325CE0E85B5B8870BB69FE8C81088DBCBFAC6F7

  • install_name

    startui.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    startui

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open-source .NET Remote Access Tool (RAT).

  • Quasar family
  • Quasar payload 6 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in System32 directory 5 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
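
The "Detects Pyinstaller" signature above fires on WormGPT.exe: the python310.dll dropped under _MEI27882 is PyInstaller's one-file extraction directory (PyInstaller derives the name from the bootloader's process ID; 2788 is WormGPT.exe in the process tree), and the self-spawn from PID 2788 to 2460 is the bootloader starting its child. The script below is an added example, not part of this report or of PyInstaller's own code, showing how such a bundle is recognised: it locates the archive cookie that terminates the CArchive appended to the bootloader stub and reads the Python version and library name from it. The only thing taken from PyInstaller is the cookie layout (big-endian '!8sIIii64s', the format pyinstxtractor reads); the bundle bytes are constructed inside the script and are not the WormGPT.exe from the report.

```python
"""Detect a PyInstaller bundle from its archive cookie.

Added example, not part of the sandbox report or of PyInstaller's own code.
A one-file executable appends a CArchive to the bootloader stub and ends that
archive with an 88-byte cookie: 8-byte magic, three uint32 fields (package
length, TOC offset, TOC length), an int32 Python version and a 64-byte
NUL-padded Python library name, all big-endian. The sample bundle built by
build_sample_bundle() is constructed for this demonstration only.
"""
import struct
from dataclasses import dataclass
from typing import Optional

PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"   # 4d 45 49 0c 0b 0a 0b 0e
COOKIE_FMT = "!8sIIii64s"                        # PyInstaller 2.1+ cookie layout
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)        # 88 bytes


@dataclass
class PyInstallerCookie:
    cookie_offset: int     # file offset where the cookie starts
    archive_offset: int    # file offset where the CArchive (the "overlay") starts
    package_length: int    # archive size, cookie included
    toc_offset: int        # table of contents offset, relative to archive_offset
    toc_length: int
    python_version: str    # "3.10" for the value 310 stored by a Python 3.10 build
    python_lib: str        # e.g. "python310.dll"


def _decode_pyver(pyver: int) -> str:
    # Modern builds store 3.10 as 310; the old two-digit encoding stored 2.7 as 27.
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    return f"{major}.{minor}"


def find_pyinstaller_cookie(data: bytes) -> Optional[PyInstallerCookie]:
    """Return the parsed cookie if `data` is a PyInstaller bundle, else None.

    The last occurrence of the magic is used: the bootloader may carry the
    string itself, and a code-signing overlay can follow the real cookie.
    """
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyver, libname = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
    archive_off = pos + COOKIE_SIZE - pkg_len
    # Plausibility: archive inside the file, TOC inside the archive, sane version.
    if archive_off < 0 or toc_off + toc_len > pkg_len or pyver <= 0:
        return None
    return PyInstallerCookie(
        cookie_offset=pos, archive_offset=archive_off, package_length=pkg_len,
        toc_offset=toc_off, toc_length=toc_len,
        python_version=_decode_pyver(pyver),
        python_lib=libname.rstrip(b"\x00").decode("ascii", "replace"),
    )


def build_sample_bundle() -> bytes:
    """Constructed stand-in for a one-file EXE: placeholder stub, placeholder
    archive body, a valid cookie, then 16 bytes of trailing overlay."""
    stub = b"MZ" + b"\x90" * 510          # not a real PE, just a stub-sized prefix
    body = b"\x00" * 2000                 # would hold the packed entries and the TOC
    toc_off, toc_len = 1500, 500
    cookie = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, len(body) + COOKIE_SIZE,
                         toc_off, toc_len, 310, b"python310.dll".ljust(64, b"\x00"))
    return stub + body + cookie + b"\x00" * 16


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_sample_bundle()))
```

Running find_pyinstaller_cookie() over the bytes of a real dropped file (open(path, "rb").read()) gives the same record; python_lib should then match the library seen in the _MEI directory. The plausibility checks matter because the eight magic bytes can also appear inside an unrelated file; a hit whose archive would start before offset 0 or whose TOC falls outside the archive is rejected rather than reported as a bundle.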

Processes

  • C:\Users\Admin\AppData\Local\Temp\2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe
    "C:\Users\Admin\AppData\Local\Temp\2b85704b2d63fe95970f2a35e9f48d9e4a72cd4cdfb6c8127f618bf043332f88.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Users\Admin\AppData\Local\Temp\WormGPT.exe
      "C:\Users\Admin\AppData\Local\Temp\WormGPT.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Users\Admin\AppData\Local\Temp\WormGPT.exe
        "C:\Users\Admin\AppData\Local\Temp\WormGPT.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2460
    • C:\Users\Admin\AppData\Local\Temp\comsurrogate.exe
      "C:\Users\Admin\AppData\Local\Temp\comsurrogate.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2216
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Host Process for Windows Tasks" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1844
      • C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe
        "C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Windows\system32\schtasks.exe
          "schtasks" /create /tn "Host Process for Windows Tasks" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1548
    • C:\Users\Admin\AppData\Local\Temp\svc.exe
      "C:\Users\Admin\AppData\Local\Temp\svc.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2904
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "startui" /sc ONLOGON /tr "C:\Program Files\SubDir\startui.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1292
      • C:\Program Files\SubDir\startui.exe
        "C:\Program Files\SubDir\startui.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Windows\system32\schtasks.exe
          "schtasks" /create /tn "startui" /sc ONLOGON /tr "C:\Program Files\SubDir\startui.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2308
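
Both Quasar clients register persistence the same way, and the tree shows each command twice: once from the dropper (comsurrogate.exe spawns PID 1844, svc.exe spawns PID 1292) and again from the installed copy once it starts (PIDs 1548 and 2308). The script below is an added example, not part of this report: it parses schtasks /create command lines out of process-creation log lines and scores them on the traits visible here (ONLOGON trigger, /rl HIGHEST, a task name that borrows a Windows component's file description while pointing at a different binary, and the "<task name>.exe" install pattern). The log lines are constructed from the commands in the tree plus a benign task in a simplified "pid|image|command line" form; the weights, the verdict thresholds and the component list are this example's own, not a vendor detection.

```python
"""Flag suspicious `schtasks /create` invocations in process-creation logs.

Added example, not part of the sandbox report. SAMPLE_LOG is constructed:
the schtasks commands from the report's process tree plus a benign task, in a
simplified "pid|image|command line" form rather than real Sysmon/4688 records.
The weights and the component list are heuristics written for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# FileDescription-to-binary map for Windows components whose names appear as task
# names; a task named like a component but running another file is a masquerade.
COMPONENT_DESCRIPTIONS = {
    "host process for windows tasks": "svchost.exe",
    "com surrogate": "dllhost.exe",
}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')   # a double-quoted token or a bare one
VALUE_OPTS = {"/tn", "/sc", "/tr", "/rl", "/ru", "/st", "/mo"}   # options taking a value

SAMPLE_LOG = r"""
1844|C:\Windows\system32\schtasks.exe|"schtasks" /create /tn "Host Process for Windows Tasks" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe" /rl HIGHEST /f
1292|C:\Windows\system32\schtasks.exe|"schtasks" /create /tn "startui" /sc ONLOGON /tr "C:\Program Files\SubDir\startui.exe" /rl HIGHEST /f
4242|C:\Windows\system32\schtasks.exe|schtasks /create /tn "AcmeBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Acme\backup.exe" /rl HIGHEST
4243|C:\Windows\system32\cmd.exe|cmd /c dir
"""


@dataclass
class ScheduledTaskCreate:
    pid: str
    task_name: str
    schedule: str
    target: str
    run_level: str
    force: bool
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "high" if self.score >= 4 else "medium" if self.score >= 2 else "low"


def parse_schtasks(pid: str, cmdline: str) -> Optional[ScheduledTaskCreate]:
    """Return the parsed /create invocation, or None for anything else."""
    tokens = [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]
    if not tokens or "schtasks" not in tokens[0].lower():
        return None
    opts: Dict[str, str] = {}
    flags = set()
    i = 1
    while i < len(tokens):
        opt = tokens[i].lower()
        if opt in VALUE_OPTS and i + 1 < len(tokens):
            opts[opt] = tokens[i + 1]
            i += 2
        else:
            flags.add(opt)
            i += 1
    if "/create" not in flags:
        return None
    return ScheduledTaskCreate(
        pid=pid, task_name=opts.get("/tn", ""), schedule=opts.get("/sc", "").upper(),
        target=opts.get("/tr", ""), run_level=opts.get("/rl", "").upper(),
        force="/f" in flags)


def _executable(target: str) -> str:
    """Lower-cased path of the /tr executable, without quotes or trailing arguments."""
    t = target.strip().strip('"').lower()
    idx = t.find(".exe")
    return t[:idx + 4] if idx >= 0 else t


def score_task(task: ScheduledTaskCreate) -> ScheduledTaskCreate:
    """Apply the heuristics, filling in score and reasons; returns the same object."""
    exe = _executable(task.target)
    base = exe.rsplit("\\", 1)[-1]

    def hit(points: int, reason: str) -> None:
        task.score += points
        task.reasons.append(reason)

    if task.schedule in ("ONLOGON", "ONSTART"):
        hit(1, f"runs at {task.schedule}")
    if task.run_level == "HIGHEST":
        hit(1, "requests the highest run level")
    expected = COMPONENT_DESCRIPTIONS.get(task.task_name.lower())
    if expected and base != expected:
        hit(3, f"task name impersonates {expected} but runs {base}")
    if any(marker in exe for marker in USER_WRITABLE):
        hit(2, "target lives in a user-writable location")
    # Install pattern visible in the report: ONLOGON + HIGHEST + /f with the
    # target named "<task name>.exe", which is how both dropped clients registered.
    if (task.schedule == "ONLOGON" and task.run_level == "HIGHEST" and task.force
            and base == f"{task.task_name.lower()}.exe"):
        hit(2, "matches the Quasar-style install pattern")
    return task


def scan_log(log_text: str) -> List[ScheduledTaskCreate]:
    """Parse 'pid|image|cmdline' lines and return every scored /create task."""
    results = []
    for line in log_text.strip().splitlines():
        pid, image, cmdline = line.split("|", 2)
        if not image.lower().endswith("schtasks.exe"):
            continue
        task = parse_schtasks(pid, cmdline)
        if task is not None:
            results.append(score_task(task))
    return results
```

The masquerade rule is what separates the first task from an ordinary elevated logon task: "Host Process for Windows Tasks" is the file description of svchost.exe, the same name the install_name in the first config and the "svchost 2"/"svchost 3" botnet labels lean on. The benign AcmeBackup line scores only for /rl HIGHEST and stays low, so the run level alone does not raise an alert. On a live host the same fields come from Sysmon Event ID 1 or Security 4688 command lines, or from the task XML under C:\Windows\System32\Tasks.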

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI27882\python310.dll

    Filesize

    4.3MB

    MD5

    deaf0c0cc3369363b800d2e8e756a402

    SHA1

    3085778735dd8badad4e39df688139f4eed5f954

    SHA256

    156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

    SHA512

    5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

  • C:\Users\Admin\AppData\Local\Temp\svc.exe

    Filesize

    3.1MB

    MD5

    7776335b8b0d230370ca39602c484a69

    SHA1

    7705fb56ea438e609a6094bef10bdb2392f55719

    SHA256

    b6bb8a533c77034b0d4eab34ffa434b1a999cac5f59983680d222f04e437729d

    SHA512

    0e290749b442e317fe90591a43549a003d7f95c086d220b04eae018209a9785a1754b834d529a5839b15d2aa783edd17e52f4ab2b331e3a14c47d84ebf24899d

  • \Users\Admin\AppData\Local\Temp\WormGPT.exe

    Filesize

    8.6MB

    MD5

    1c2128b3ad0a5dc32f938362e16f6b07

    SHA1

    eecb906f664ff6a5fc4cded35c274cbcc342fec8

    SHA256

    2b093e0b16481ff4d090e4502c6ef4d547fb7003a6a07e43fc042a1550f9bb9c

    SHA512

    21758831af1d641c1f1aad7fb148b16c87ebf00ae5574a3f66542620931088c6ebedc61a92ccb2ffe2f1643792989541eae9180a0bdd672202df7ac455f4350e

  • \Users\Admin\AppData\Local\Temp\comsurrogate.exe

    Filesize

    3.1MB

    MD5

    026407873fa1c229033246e574724e02

    SHA1

    888c874808635b0b03456da413b1941c61c33686

    SHA256

    4531e23ad4f6443dd3e0807007afd811ea1fc6a2a35f423e9ac98bcfc21be996

    SHA512

    660db81f331c9ff47440d41d2e5062d92ad1fe2b7cc5559ba120c4908b5cd9a253c4fb1da323a1f0f1e7a5ce50d04e9020aec286e3eb399cb3ebdf1b765acc7f

  • memory/2216-71-0x000007FEF6503000-0x000007FEF6504000-memory.dmp

    Filesize

    4KB

  • memory/2216-174-0x0000000001120000-0x0000000001444000-memory.dmp

    Filesize

    3.1MB

  • memory/2548-979-0x0000000001200000-0x0000000001524000-memory.dmp

    Filesize

    3.1MB

  • memory/2576-973-0x00000000010D0000-0x00000000013F4000-memory.dmp

    Filesize

    3.1MB

  • memory/2904-173-0x0000000000CB0000-0x0000000000FD4000-memory.dmp

    Filesize

    3.1MB

  • memory/2904-422-0x000007FEF6500000-0x000007FEF6EEC000-memory.dmp

    Filesize

    9.9MB

  • memory/2904-975-0x000007FEF6500000-0x000007FEF6EEC000-memory.dmp

    Filesize

    9.9MB