Analysis
-
max time kernel
889s -
max time network
899s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
06-02-2025 17:17
General
-
Target
Bootstrapper_v2.19 (3).exe
-
Size
3.1MB
-
MD5
ef984ec5aacb3939bbe64180c7e1f84c
-
SHA1
25eb03b44465cd9b44da6d422df703bb41abd0e1
-
SHA256
9a67ba0b0977ff291dc341c37a862d73242d005d5ac38ad1e7583f2d30273d41
-
SHA512
d338d4ddb9073e2aebbf29a20ae83c02e979e4284d85dc905506dd098d36aa94f39483895f3e96619d33aad2dd34f537acf42eb6ba00756441d699eefff956d6
-
SSDEEP
49152:3vSI22SsaNYfdPBldt698dBcjHbqRJ65bR3LoGdLTHHB72eh2NT:3v/22SsaNYfdPBldt6+dBcjHbqRJ67
Malware Config
Extracted
quasar
1.4.1
Office04
26.20.187.152:4782
035609b7-5296-42b1-ba51-47722e1900ad
-
encryption_key
EF9AF063C4E9C62FBBA2D6F12350A5C2F573D811
-
install_name
Bootstrapper_v2.19.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Microsoft
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bootstrapper_v2.19 (3).exe"C:\Users\Admin\AppData\Local\Temp\Bootstrapper_v2.19 (3).exe"1⤵
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Bootstrapper_v2.19.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Bootstrapper_v2.19.exe"C:\Users\Admin\AppData\Roaming\SubDir\Bootstrapper_v2.19.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Microsoft" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Bootstrapper_v2.19.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5ef984ec5aacb3939bbe64180c7e1f84c
SHA125eb03b44465cd9b44da6d422df703bb41abd0e1
SHA2569a67ba0b0977ff291dc341c37a862d73242d005d5ac38ad1e7583f2d30273d41
SHA512d338d4ddb9073e2aebbf29a20ae83c02e979e4284d85dc905506dd098d36aa94f39483895f3e96619d33aad2dd34f537acf42eb6ba00756441d699eefff956d6
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB