Analysis

  • max time kernel
    125s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/02/2025, 03:35 UTC

General

  • Target

    0x0008000000015fc4-8.exe

  • Size

    3.1MB

  • MD5

    026407873fa1c229033246e574724e02

  • SHA1

    888c874808635b0b03456da413b1941c61c33686

  • SHA256

    4531e23ad4f6443dd3e0807007afd811ea1fc6a2a35f423e9ac98bcfc21be996

  • SHA512

    660db81f331c9ff47440d41d2e5062d92ad1fe2b7cc5559ba120c4908b5cd9a253c4fb1da323a1f0f1e7a5ce50d04e9020aec286e3eb399cb3ebdf1b765acc7f

  • SSDEEP

    49152:vvChBYjCO4Dt2d5aKCuVPzlEmVQL0wvwkaw2RJ6sbR3LoGdOiTHHB72eh2NT:vv8t2d5aKCuVPzlEmVQ0wvwfw2RJ62

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

svchost 2

C2

41.216.183.179:3742

Mutex

d018acac-011d-4ca3-b0c3-4fdd7ec2d6d1

Attributes
  • encryption_key

    0325CE0E85B5B8870BB69FE8C81088DBCBFAC6F7

  • install_name

    Host Process for Windows Tasks.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Host Process for Windows Tasks

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 5 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\0x0008000000015fc4-8.exe
    "C:\Users\Admin\AppData\Local\Temp\0x0008000000015fc4-8.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Host Process for Windows Tasks" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2912
    • C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe
      "C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Host Process for Windows Tasks" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Host Process for Windows Tasks.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3408

Network

  • flag-us
    DNS
    130.159.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    130.159.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-gb
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    95.101.143.219:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Mon, 03 Feb 2025 03:35:12 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.d78f655f.1738553712.10a43d3
  • flag-us
    DNS
    219.143.101.95.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    219.143.101.95.in-addr.arpa
    IN PTR
    Response
    219.143.101.95.in-addr.arpa
    IN PTR
    a95-101-143-219deploystaticakamaitechnologiescom
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    13.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.153.16.2.in-addr.arpa
    IN PTR
    Response
    13.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-13deploystaticakamaitechnologiescom
  • 41.216.183.179:3742
    Host Process for Windows Tasks.exe
    260 B
    5
  • 95.101.143.219:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.5kB
    6.4kB
    17
    14

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 41.216.183.179:3742
    Host Process for Windows Tasks.exe
    260 B
    5
  • 41.216.183.179:3742
    Host Process for Windows Tasks.exe
    260 B
    5
  • 41.216.183.179:3742
    Host Process for Windows Tasks.exe
    260 B
    5
  • 41.216.183.179:3742
    Host Process for Windows Tasks.exe
    260 B
    5
  • 41.216.183.179:3742
    Host Process for Windows Tasks.exe
    260 B
    5
  • 8.8.8.8:53
    130.159.190.20.in-addr.arpa
    dns
    73 B
    159 B
    1
    1

    DNS Request

    130.159.190.20.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    219.143.101.95.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    219.143.101.95.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    13.153.16.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    13.153.16.2.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\System32\SubDir\Host Process for Windows Tasks.exe

    Filesize

    3.1MB

    MD5

    026407873fa1c229033246e574724e02

    SHA1

    888c874808635b0b03456da413b1941c61c33686

    SHA256

    4531e23ad4f6443dd3e0807007afd811ea1fc6a2a35f423e9ac98bcfc21be996

    SHA512

    660db81f331c9ff47440d41d2e5062d92ad1fe2b7cc5559ba120c4908b5cd9a253c4fb1da323a1f0f1e7a5ce50d04e9020aec286e3eb399cb3ebdf1b765acc7f

  • memory/404-0-0x00007FF8AE1D3000-0x00007FF8AE1D5000-memory.dmp

    Filesize

    8KB

  • memory/404-1-0x0000000000FD0000-0x00000000012F4000-memory.dmp

    Filesize

    3.1MB

  • memory/404-2-0x00007FF8AE1D0000-0x00007FF8AEC91000-memory.dmp

    Filesize

    10.8MB

  • memory/404-9-0x00007FF8AE1D0000-0x00007FF8AEC91000-memory.dmp

    Filesize

    10.8MB

  • memory/3928-10-0x00007FF8AE1D0000-0x00007FF8AEC91000-memory.dmp

    Filesize

    10.8MB

  • memory/3928-11-0x00007FF8AE1D0000-0x00007FF8AEC91000-memory.dmp

    Filesize

    10.8MB

  • memory/3928-12-0x000000001B4F0000-0x000000001B540000-memory.dmp

    Filesize

    320KB

  • memory/3928-13-0x000000001BC30000-0x000000001BCE2000-memory.dmp

    Filesize

    712KB

  • memory/3928-14-0x00007FF8AE1D0000-0x00007FF8AEC91000-memory.dmp

    Filesize

    10.8MB
