Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250128-en -
resource tags
-
submitted
29-01-2025 23:30
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
e71e649f06ebafd749a0b2448309af4e
-
SHA1
7cc3b115e4ead3bab9e1a7b1af36b17ec22e8f34
-
SHA256
0af9feaba23a5dcce76834fe7d865659e08667a954b893bfa66cc00afa3a352c
-
SHA512
27f27d4b6884f775c648baf14fdcc044fdec20c1d75d20c1844b0a2288e60c30817be9bb5b2970be492a2b14548a389d24a2167f3ee99426d4f04950c1dfbd18
-
SSDEEP
49152:bvTlL26AaNeWgPhlmVqvMQ7XSKx/hk9h3vJvLoGdaTHHB72eh2NT:bvJL26AaNeWgPhlmVqkQ7XSKsht
Malware Config
Extracted
quasar
1.4.1
Office04
nbo:35221
records-spank.gl.at.ply.gg:35221
1bb40cd1-8716-4878-8e8d-d6351a4add76
-
encryption_key
3AC27EDE75E4BA2251906BB415CCDF387853F19C
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 1 IoCs
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up country code configured in the registry, likely geofence.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 12 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 12 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 12 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lxwNcNw3VOtz.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SnGFpDrj77Sc.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650015⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost5⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"5⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BM1SOVKmcXQ1.bat" "6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"7⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ruyPeMbIyK8g.bat" "8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"9⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\De9hW9sTmY3y.bat" "10⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500111⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"11⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2mX7MYIbFDZI.bat" "12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500113⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost13⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"13⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gB1uW80Y0n5W.bat" "14⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500115⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost15⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"15⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\czcKVVc9D54e.bat" "16⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 6500117⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost17⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"17⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsEPu9wdGixN.bat" "18⤵
-
C:\Windows\system32\chcp.comchcp 6500119⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost19⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"19⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\coOEelOwuZ4C.bat" "20⤵
-
C:\Windows\system32\chcp.comchcp 6500121⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost21⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"21⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TIpIsjAhO4MU.bat" "22⤵
-
C:\Windows\system32\chcp.comchcp 6500123⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost23⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"23⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hvX54UEY6qiF.bat" "24⤵
-
C:\Windows\system32\chcp.comchcp 6500125⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost25⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"25⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD57787ce173dfface746f5a9cf5477883d
SHA14587d870e914785b3a8fb017fec0c0f1c7ec0004
SHA256c339149818fa8f9e5af4627715c3afe4f42bc1267df17d77a278d4c811ed8df1
SHA5123a630053ae99114292f8cf8d45600f8fe72125795252bf76677663476bd2275be084a1af2fcb4ce30409ba1b5829b2b3ffb6795de46d2a703c3314017a86f1ff
-
Filesize
209B
MD5ef3d5354ea777366f36e5ac723bad28e
SHA10f49a0766b402b17c255b8a05e3ce36c6fb07ffb
SHA256c167b029b74efabe805e226f4f56768a0341bcf173a2dc1b6a9bf9b32baf1503
SHA512877363a7354644431297128732174010492064e23b3b4a4380ed63c888cbd9ae0745b6058f0cf113f8b5b1c930d7d88f6cb50e3a74c8d6531eb9b0b051245ce6
-
Filesize
209B
MD5c0f99a50d70748e7fa13742fbf5df5de
SHA1b826ec3d7f1c775e41214f0aac47ccb900c93659
SHA256d1c5514acc10811e87072e04f355c495ffa19c872f4997409980b25b649164e1
SHA512a80891c81907cc2943d12ae9dec49000810051dd633958e20704383501d8bd1f8ecf699a6c16621767f12c3e88f08b17c9a23e003a99143630490300831fc28e
-
Filesize
209B
MD58bc5d127cc7a27729bff6bdd7784a90f
SHA1e5b0b64835712f7b21a261a8a6ac23d8b9c9f902
SHA25698e11cfa7046f75265474cd9ccf6fbdba9a0cebcfa76c0203055ac043f04e89d
SHA5121dce778f4ffd39000003d961a098486cdec4ac7343cbc0060a66c3149c2ef36cbe98fad13f5124dc61f909ad19fd3a061524fc67835416df510013586263db67
-
Filesize
209B
MD50ba3146bda426145489d48b0b3eafcd6
SHA110815f0f05a09a3b97fd12c18edec809d0e03672
SHA2563b88c3063ea177249800cd275e4b8837fc5f3c65407667784e03816433db1e89
SHA5127dba9427dd4d162426920584455f41499aede5dd909f25c7944bfcd3377a39f9583e5c04097133b58438a79d3183e1bd8f2e978621ec849ae7cb0ad2bd2fa06f
-
Filesize
209B
MD5e91f68bb498b5af09aa0e5298691776c
SHA141673580ce46eac9816db2dfd904eb0536dedc20
SHA256d520b0a064843187d4ee606b577fd7c6aa75de892bb0cbaf87ae635208dc6ad1
SHA5120b18ecc64969ab853dabbd6e6e61252c2110753d585a78ba659988f6f5e2e72654882e62862ab161140c87e18e551c2abf57a3eec962396f48e25c416041a7ac
-
Filesize
209B
MD5d49d828f762e5d0a214eb1b000b18cc2
SHA1c8c31cd84fdb7b43b327aacc8aa72e4f795db6a7
SHA2564a15abf1869b7b1f3d14481ac9c215285d93ec2fef3e55f509dbef1958a74783
SHA512d42d3a3042402a3f5fa0a38844d7fcd596fb36e922c85f46e514f367949bd88853cebd9db11f3c1d2a3cb70c003e95b113ffb79b6a2e9ac25838e8786e0f021e
-
Filesize
209B
MD504ebdcbda6ae07cc6bfd13b3d429bb48
SHA1caf6abc7c8ba58ab0c72da7ba4979c958d08ed5a
SHA256a53d65b5b78f9f760e3f2bfa488449171a0b6852846020d60fa2c9aa8d010392
SHA51201b3d2fce03c35fa8d51e35728a5be88764fbe4b329c5a8e824c4db02d8b05c9071aa4df54e30ef36dcff4615b5fef292bcf35e05b5503fa42f01877e406d23f
-
Filesize
209B
MD5c562cbd443301e28de0e877fcdf743e1
SHA17b5df239d8ec73c2a90d74ffb7ec32140afa55ab
SHA25675cc0ab6e305c4049e0e5f8b1ff7efd105c8ef1f27335c8680c2444dc7f0cc27
SHA5127f29abcc7a95130cb55c9ed5be586cce2aa832867f47f1c9ccfbceb474b94998d918546d55dfa3a1e683eaf1d26c66a49f4038cca54860fc05700f1760815abe
-
Filesize
209B
MD5ddaf20bbfc0b159af52576c81655a445
SHA19ca17b0a7b78c1497c52cae21e051ff1b1284eb7
SHA2567e94d5784ee25de944cdbd0ff73c744fa7bee78e0494d223f29ed81d02142a1b
SHA5126fcca370667021814e004b44e8789381f489a266fb3fc38dc761e81dfddbfa43d179d7eba5e20f66ceff222c045435d50000a891692d14138a084cd75173eca5
-
Filesize
209B
MD540d04d3b63709064fc92044b180e7cef
SHA13b1d4c67ff83ef07c66a6922d0fd9d6e707b8703
SHA256268d143edc75b465b22c6b432f7a87aac74c00890bee827bd06eb030e1482e90
SHA5124c715d64f557749b3a50178fadb2d4d86227f3fa1a67ab15780079dfcb0327e282ad3fbf6eef20e08f22f5021dd55f2d7c95881782d3c686a49cf6fac57e0162
-
Filesize
209B
MD5ba14fc0bf35d666941087fafe171c3e8
SHA1941d043cf8239bda63665ac450028ceb57023a29
SHA256ac4eece337f5fc79dd3c9020226c67e090a611bdc84ea79ff50fb9b4e0c5715d
SHA512cb11571917b3fd416d62b4797793bbe0f563980feb21dc379f086f249c8c68718e849a7a621d02bf9b0e3afcf9f6fdd5152d6c307a7db574fe59aabcca4b8768
-
Filesize
209B
MD51c97c0295ab7564aedfef820decd2851
SHA12ec9f271fdd63d99cff0ff7414195d08aa63740f
SHA256832725b8e7452390ddbc679edbeae5181830e4fc46cd810fc7b37db005a46b45
SHA512a71e41b0495b7077b5ec4b60d03f68938e8bf523c7d14f7ad0316afe086148a2ab1e4dd703a383629d9c06e3710d95a39f56c18f0e30fa39b9bbff4ce7e9abe3
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
10.8MB
-
Filesize
3.1MB