Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    20-01-2025 19:30

General

  • Target

    Client-built.exe

  • Size

    288KB

  • MD5

    3dbf24c6a4987b936ba4b9b8b7fefe06

  • SHA1

    4fa176f14c237c461b66ec19aa24fd4ea47fa1f8

  • SHA256

    5a07439ecad1b2bc0fa2fe6b42c85a9fbfd81172b8d2a0b934c92e664ad9abb1

  • SHA512

    9ab6f4d77711a6f2cb9e600642313319aa76cdf055be3f485b8121d44c762f5c3cfbc573f63cedbdf4b96fab64e53dfcd9309856327ba37bf5471c7126503d17

  • SSDEEP

    6144:bRSjIXAnZQel5w7T4P5Kq+SMv0VGb7bDcllbk0q:g4AZrg7g9zVGkllbkB

Malware Config

Extracted

Family

quasar

Version

1.4.0.0

Botnet

Office04

C2

airport-forums.gl.at.ply.gg:20417

Mutex

CjFw2DwFEbLLnL7ypo

Attributes
  • encryption_key

    uEA5Kpp3BoIvHdDLxJnW

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\fortnite.exe
      "C:\fortnite.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:3736
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:956

Network

MITRE ATT&CK Enterprise v15

    Downloads

    • C:\fortnite.exe

      Filesize

      319KB

      MD5

      c7b905a6f6ff947469f6a4605c2f9287

      SHA1

      677cd5dc396f5f9cd588ea2527557cd0d0c8b026

      SHA256

      439831c26088574ca4b8ecf637ba8dcf7c683f190256e08edd57e7e5cb3f54bb

      SHA512

      d9c798ddc692f559a548871638cf015d73f2dce683d949507f7a6531a950d5d624676fb9742111d948afb7442144fffa87fdd1e1e224476bac20acfb93b5b68c

    • C:\fortnite.exe

      Filesize

      436KB

      MD5

      22ba54cbf5c8a41d64acc90f467c1fb5

      SHA1

      5f61b932b5e151a4a460ada8e5ae8b268093a98f

      SHA256

      c02c44870579dcd8208b140dd85066bd7a468934d49b227aa24e6e62b951c35d

      SHA512

      cc62b9edaff1fc771e721acef84e854d93b5210f2148fa62dc4a0e3f3c8548e0686a8c250aad4292f380fdf4c50d746ef1309f3b9995518faa3d0fc207102295

    • memory/2516-4-0x0000000074E80000-0x0000000075631000-memory.dmp

      Filesize

      7.7MB

    • memory/2516-2-0x0000000005D70000-0x0000000006316000-memory.dmp

      Filesize

      5.6MB

    • memory/2516-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

      Filesize

      4KB

    • memory/2516-5-0x0000000005860000-0x00000000058C6000-memory.dmp

      Filesize

      408KB

    • memory/2516-6-0x0000000005CD0000-0x0000000005CE2000-memory.dmp

      Filesize

      72KB

    • memory/2516-7-0x00000000069B0000-0x00000000069EC000-memory.dmp

      Filesize

      240KB

    • memory/2516-8-0x0000000006CB0000-0x0000000006CBA000-memory.dmp

      Filesize

      40KB

    • memory/2516-9-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

      Filesize

      4KB

    • memory/2516-10-0x0000000074E80000-0x0000000075631000-memory.dmp

      Filesize

      7.7MB

    • memory/2516-3-0x00000000057C0000-0x0000000005852000-memory.dmp

      Filesize

      584KB

    • memory/2516-1-0x0000000000D90000-0x0000000000DDE000-memory.dmp

      Filesize

      312KB

    • memory/2516-25-0x0000000074E80000-0x0000000075631000-memory.dmp

      Filesize

      7.7MB

    • memory/2516-27-0x0000000074E80000-0x0000000075631000-memory.dmp

      Filesize

      7.7MB

    • memory/3736-26-0x00000000006F0000-0x00000000006F1000-memory.dmp

      Filesize

      4KB

    • memory/3736-29-0x00000000006F0000-0x00000000006F1000-memory.dmp

      Filesize

      4KB

    • memory/3736-28-0x0000000000400000-0x0000000000474000-memory.dmp

      Filesize

      464KB

    • memory/3736-31-0x0000000000400000-0x0000000000474000-memory.dmp

      Filesize

      464KB