Overview

overview

10

Static

static

10

Client-built.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01-02-2025 17:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    215a9fa05bcc5e8058ba6059df5a31bd

  • SHA1

    9687de7a8d9a54a5d3bcf3df961b4b54295652fc

  • SHA256

    8dfad053c59f61f99b65b3e48e81d29b392c1e7bd24dbd4a4799b8fa25111a46

  • SHA512

    19b7446dc6125e2f1b7e036b40bc0ac5a144340a8f9226a03782f5a15706a309c378092e023ddf4574fad9a20cd30e6d3eb44395b1a1f4fb05392b82cb88b616

  • SSDEEP

    49152:rvmI22SsaNYfdPBldt698dBcjHJqX0NmZ5LoGyi8XTHHB72eh2NT:rvr22SsaNYfdPBldt6+dBcjH4X0e

Score
10/10
quasaroffice04discoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

dragonbornwashere-43022.portmap.host:43022

Mutex

d3a4bd6a-eb48-45c2-af96-7600c691081f

Attributes
  • encryption_key

    874DAD54C1F8000E0795D3F80C381F8EF9ABF5D4

  • install_name

    Warp.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    WindowsHealth

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 28 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "WindowsHealth" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Warp.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1188
    • C:\Users\Admin\AppData\Roaming\SubDir\Warp.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Warp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "WindowsHealth" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Warp.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4560
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd" /K CHCP 437
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:124
        • C:\Windows\system32\chcp.com
          CHCP 437
          4⤵
            PID:740
          • C:\Windows\system32\ipconfig.exe
            ipconfig
            4⤵
            • Gathers network information
            PID:5108
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pornhub.com/
          3⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:244
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffdd893cb8,0x7fffdd893cc8,0x7fffdd893cd8
            4⤵
              PID:132
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,14324834130289387928,5519266437631321541,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1828 /prefetch:2
              4⤵
                PID:2008
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,14324834130289387928,5519266437631321541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4344
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,14324834130289387928,5519266437631321541,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
                4⤵
                  PID:4484
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,14324834130289387928,5519266437631321541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
                  4⤵
                    PID:3872
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,14324834130289387928,5519266437631321541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
                    4⤵
                      PID:2680
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,14324834130289387928,5519266437631321541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
                      4⤵
                        PID:4180
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,14324834130289387928,5519266437631321541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
                        4⤵
                          PID:2964
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:1100
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:2480

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                        Filesize

                        152B

                        MD5

                        cb557349d7af9d6754aed39b4ace5bee

                        SHA1

                        04de2ac30defbb36508a41872ddb475effe2d793

                        SHA256

                        cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

                        SHA512

                        f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                        Filesize

                        152B

                        MD5

                        aad1d98ca9748cc4c31aa3b5abfe0fed

                        SHA1

                        32e8d4d9447b13bc00ec3eb15a88c55c29489495

                        SHA256

                        2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

                        SHA512

                        150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                        Filesize

                        816B

                        MD5

                        876e9dbb2b3f869acfcf53135e6320e4

                        SHA1

                        889bb510d7150747e65cedc8b8410a62585406b5

                        SHA256

                        cce887f7eed329541b42e50116905561d121d1de3703dd6b7feebf22d110b0b1

                        SHA512

                        e068ae7024acf280076f8cc33a0fa8cc2e0df3b6465b7c1887ffcb500ebfa96a257e237ad9385446830a73cb0f0aa1c80ee4b2b296361531800d50a25b6b74b0

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                        Filesize

                        1KB

                        MD5

                        b237a6a970b5d58d6a5315ec0322b3c3

                        SHA1

                        5c7ac859760b4dba507eae2a0462faa488ef54ad

                        SHA256

                        10158b6aac3516baca4eb070bc767a594dcc7d3efd2b184083a7747dc18e004d

                        SHA512

                        f4445c65bce9c9c27aeca7c06dab0ff4a3088ffe764ac6f24bd742b01b94f7491740d3cd1433c45e5a6b7dd95c3fe1dbbba4d40f7d0026682f6e0cc1ed87dfc9

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                        Filesize

                        6KB

                        MD5

                        872ff36445d5e9dc7e60c790c1c78c3b

                        SHA1

                        9d79e2863db7434b018eb43d300ad6e398714423

                        SHA256

                        22c0bdc989caf3b6c2b8e1c07b6b05ebfeee50533fdf36edc818e82ccfd83ff9

                        SHA512

                        bcf5688c4946f35116f89f9ef053150218a949fe8976cfebfb90d7e32eeb1ea60a12fec9a25507e8c23246a464cbe570a6db571fe34c723cba17ed5ba5ca5eea

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                        Filesize

                        5KB

                        MD5

                        fc0c7eeab7a0a7a9e92d51a5e3b8d19f

                        SHA1

                        4db85c59e748060d8f3242d2aa99a3eeb21954fe

                        SHA256

                        eabe98d627fc79c0082b574fb6a7c86753cf52c081d742493bdafa75bd79a15d

                        SHA512

                        edb158bbb473d3588fb2bb81225c028735454cfabe96d54917049da9ef4de8a79ce4b1bce06a66e17eb9406af7e03f0e512df6898cf08779724d038e03625b8e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
                        Filesize

                        96B

                        MD5

                        e82f14a8962bc11fc6b401d8080a6ef3

                        SHA1

                        828c9034a3c4ea866345e823a3cf8d64a12149c5

                        SHA256

                        a6eee3381bb97e9da96644377444aa865fa1ad358412cde4c6e242c68186685f

                        SHA512

                        3a7b97d27a14e71f7d6788c74cbcac831fdfc22d7720d0a93f3c6a626ad76ae3b72ba6a80b4ab614ff50df911e31ffdca3360ae2060dee7dc3e53442700007d0

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5944b0.TMP
                        Filesize

                        48B

                        MD5

                        3383f6aee77b1e30347061dea4922d9e

                        SHA1

                        a972759fed652f24ecaf2a316fe34f6a1092a94d

                        SHA256

                        c8701830998b6115dbf3fcde427de23410d198cb1e83461c0d1c21296d454941

                        SHA512

                        b7c9d9ddd3d7696b0bc9f38f4eef8cbe710eb727b3a895b8402253e00e899c162c7cd3d1966be6f13c245b3ac91af03d33d45f349dc2aac1885e5b763a7b6390

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                        Filesize

                        10KB

                        MD5

                        22d76fa9e6310470eea47c91f772f24f

                        SHA1

                        6195c9ea0e3e6d1412ffeb4406c3d12a29fd0395

                        SHA256

                        55cb7d128fd449099f5f8d051b37245353fe08606b9cd38723f570574e891f7c

                        SHA512

                        8805e52324f1802dff7ef898ac4e9598c8fd38cd20b99cd9c132868064dc4dd10de648fdd8a4652482a3a7514030a57a580e99f85e6d5e0b1dd83662850e9ec0

                        Download Submit

                      • C:\Users\Admin\AppData\Roaming\SubDir\Warp.exe
                        Filesize

                        3.1MB

                        MD5

                        215a9fa05bcc5e8058ba6059df5a31bd

                        SHA1

                        9687de7a8d9a54a5d3bcf3df961b4b54295652fc

                        SHA256

                        8dfad053c59f61f99b65b3e48e81d29b392c1e7bd24dbd4a4799b8fa25111a46

                        SHA512

                        19b7446dc6125e2f1b7e036b40bc0ac5a144340a8f9226a03782f5a15706a309c378092e023ddf4574fad9a20cd30e6d3eb44395b1a1f4fb05392b82cb88b616

                        Download Submit

                      • memory/868-0-0x00007FFFCDB53000-0x00007FFFCDB55000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/868-10-0x00007FFFCDB50000-0x00007FFFCE612000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/868-2-0x00007FFFCDB50000-0x00007FFFCE612000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/868-1-0x0000000000670000-0x0000000000994000-memory.dmp

                        Filesize

                        3.1MB

                        Download

                      • memory/2532-11-0x00007FFFCDB50000-0x00007FFFCE612000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2532-20-0x00007FFFCDB50000-0x00007FFFCE612000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2532-19-0x00007FFFCDB50000-0x00007FFFCE612000-memory.dmp

                        Filesize

                        10.8MB

                        Download

                      • memory/2532-18-0x000000001D7C0000-0x000000001D7FC000-memory.dmp

                        Filesize

                        240KB

                        Download

                      • memory/2532-17-0x000000001D020000-0x000000001D032000-memory.dmp

                        Filesize

                        72KB

                        Download

                      • memory/2532-14-0x000000001D960000-0x000000001DE88000-memory.dmp

                        Filesize

                        5.2MB

                        Download

                      • memory/2532-13-0x000000001D070000-0x000000001D122000-memory.dmp

                        Filesize

                        712KB

                        Download

                      • memory/2532-12-0x000000001CF60000-0x000000001CFB0000-memory.dmp

                        Filesize

                        320KB

                        Download

                      • memory/2532-9-0x00007FFFCDB50000-0x00007FFFCE612000-memory.dmp

                        Filesize

                        10.8MB

                        Download