Overview

overview

10

Static

static

1

6Pax trip ...sx.exe

windows7-x64

10

6Pax trip ...sx.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    127s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04-02-2025 08:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6Pax trip details.xlsx.exe

  • Size

    566KB

  • MD5

    cb2d2a48d646ebb9c773171d92b5bc41

  • SHA1

    5e075d1420f4a631175ae31ef5261e4a87026c66

  • SHA256

    4f795fed198da9f27a68dd60cb478ef768764da2f9d141e94c5f2624c85d4b13

  • SHA512

    fe7f0741d71ee678a1b71a9cd33afe42cbfcd5741209b5bf838e7ae17ba2e13f161ea7a55b4eb2f08c7f749409d4dda32a2e040a725e13c7ae5b5c8526a9fcb9

  • SSDEEP

    6144:csLsuwSdHTYloqvGyHJxnDrkbpvSU+fLN/+1n48qkEBmjbu60LROa+En4:XUszYloqvGdlaNLs4Ru3u60RO

Score
10/10
quasaracs hopediscoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

ACS hope

C2

crazydns.linkpc.net:26133

Mutex

QSR_MUTEX_6iGAmxpR39hpOQEFqk

Attributes
  • encryption_key

    qiJ37BhO6EEtAoSo8ukb

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6Pax trip details.xlsx.exe
    "C:\Users\Admin\AppData\Local\Temp\6Pax trip details.xlsx.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2136
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2136-0-0x000007FEF5F93000-0x000007FEF5F94000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2136-1-0x00000000011F0000-0x000000000127E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/2136-2-0x0000000000540000-0x0000000000550000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2136-3-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2136-15-0x000007FEF5F90000-0x000007FEF697C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2892-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2892-13-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2892-11-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2892-9-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2892-7-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2892-6-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2892-4-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2892-14-0x000000007463E000-0x000000007463F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2892-5-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2892-16-0x0000000074630000-0x0000000074D1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2892-18-0x000000007463E000-0x000000007463F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2892-19-0x0000000074630000-0x0000000074D1E000-memory.dmp

    Filesize

    6.9MB

    Download