Analysis
-
max time kernel
125s -
max time network
142s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
07-02-2025 00:20
General
-
Target
TestFile.exe
-
Size
3.2MB
-
MD5
cfa0c860a76a2cb8e15dcfe774097dc8
-
SHA1
4aeb7456b619f539e6f50cc8795d4e9307ff5317
-
SHA256
1ca88e53459076619192ce06bd6532599c399836e969df16d5724fb2af9652d7
-
SHA512
aebc2f8127c87b4a4f8ad57a3689bc5720db499fecadd751b3f683d3b7ccf68cb4dd2280fc09df835963e4aedb2ed512ca89f35cd2a48ce355595691a5c14aa1
-
SSDEEP
49152:YvAt62XlaSFNWPjljiFa2RoUYIiyfRlBx1ToGd3STHHB72eh2NT:Yvs62XlaSFNWPjljiFXRoUYIHR/H
Malware Config
Extracted
quasar
1.4.1
Office04
12.75.114.52:4782
d942a9a5-3785-41ac-a7db-12e8f1fb6c3d
-
encryption_key
E662E8B331BDD6D3B27E1C68FDDE49A9178AEBE8
-
install_name
A.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\TestFile.exe"C:\Users\Admin\AppData\Local\Temp\TestFile.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Client Startup" /sc ONLOGON /tr "C:\Program Files\SubDir\A.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Program Files\SubDir\A.exe"C:\Program Files\SubDir\A.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Client Startup" /sc ONLOGON /tr "C:\Program Files\SubDir\A.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD5cfa0c860a76a2cb8e15dcfe774097dc8
SHA14aeb7456b619f539e6f50cc8795d4e9307ff5317
SHA2561ca88e53459076619192ce06bd6532599c399836e969df16d5724fb2af9652d7
SHA512aebc2f8127c87b4a4f8ad57a3689bc5720db499fecadd751b3f683d3b7ccf68cb4dd2280fc09df835963e4aedb2ed512ca89f35cd2a48ce355595691a5c14aa1
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
5.2MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
3.2MB
-
Filesize
10.8MB
-
Filesize
10.8MB