Analysis
-
max time kernel
598s -
max time network
430s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
26-01-2025 06:47
General
-
Target
eclipse executor.exe
-
Size
3.1MB
-
MD5
9d918d732629fc36b8230dc336f1f8af
-
SHA1
50297e276fde5a6f9ccd115de12dbba9d3893e92
-
SHA256
981f2a7171d95727552a99245694f1283bc1188ec09d3946fb075c3fe1b0a2ce
-
SHA512
4898b309c1df3f79e2d026be2e19406d384b88d6b526957c253087007d01a23b3f40f1c375f1be5eee5f05121d361e82fe4c66845bc02b9aa6727cf820259b05
-
SSDEEP
49152:SvvI22SsaNYfdPBldt698dBcjH2j5VbR4jLoGdMITHHB72eh2NT:Svg22SsaNYfdPBldt6+dBcjH2j5Mv
Malware Config
Extracted
quasar
1.4.1
made
2001:569:7e70:6a00:c8f3:749c:278f:2c17:4782
9d96368e-1352-46e3-8281-8f5eaf945edb
-
encryption_key
AF603C3CFA231D1BD841E315C27377C7E4A49333
-
install_name
client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Java startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\eclipse executor.exe"C:\Users\Admin\AppData\Local\Temp\eclipse executor.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Java startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\client.exe"C:\Users\Admin\AppData\Roaming\SubDir\client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Java startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD59d918d732629fc36b8230dc336f1f8af
SHA150297e276fde5a6f9ccd115de12dbba9d3893e92
SHA256981f2a7171d95727552a99245694f1283bc1188ec09d3946fb075c3fe1b0a2ce
SHA5124898b309c1df3f79e2d026be2e19406d384b88d6b526957c253087007d01a23b3f40f1c375f1be5eee5f05121d361e82fe4c66845bc02b9aa6727cf820259b05
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
10.8MB