Analysis

  • max time kernel
    105s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-02-2025 03:19

General

  • Target

    CHEAT.rar

  • Size

    36.3MB

  • MD5

    203ba38accab7ff9b181c88176d7e17f

  • SHA1

    33bd9fc89e77faed86bda399d018f9413f6eba73

  • SHA256

    eab5f974ec202f9576335f50646b1a7e6725557b1227b8f96ecc889c15498905

  • SHA512

    2cc04354147ef18f22c753303f4417744d349d41a1eb6ea28ef8ffad3831aa3e6317b698c24b3c1dc0ef60ed4e38564d21be4afc9a485ea22ec75dbe739f76a7

  • SSDEEP

    786432:cQ1zPwv64YV/iSmT3kJtj88ZEP87mD+cmodF2fppwcPX/fzi82lb7O:hLB4YMhT0JtiKmiodiHvPWJlb7O

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

10.0.1.100:4782

Mutex

ed337c2a-f410-44a6-a75b-740207b7d8db

Attributes
  • encryption_key

    6D00964D3D31D45131A3ECADA49AED6AAB6AAED0

  • install_name

    CHEAT.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 3 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Creates new service(s) 2 TTPs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 25 IoCs
  • Themida packer 26 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\CHEAT.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2096
  • C:\Users\Admin\Desktop\balls\#524#@7asRFj438!!.exe
    "C:\Users\Admin\Desktop\balls\#524#@7asRFj438!!.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CHEAT.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:816
    • C:\Users\Admin\AppData\Roaming\SubDir\CHEAT.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\CHEAT.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\system32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\CHEAT.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2844
  • C:\Users\Admin\Desktop\balls\#524#@7asRFj438!!.exe
    "C:\Users\Admin\Desktop\balls\#524#@7asRFj438!!.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1344
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x2e4
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1660
  • C:\Users\Admin\Desktop\balls\HVCI\Steam.exe
    "C:\Users\Admin\Desktop\balls\HVCI\Steam.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Windows\system32\sc.exe
      "sc.exe" create InkLa1n binPath="C:\Windows\security\InkLa1n.sys" type=kernel
      2⤵
      • Launches sc.exe
      PID:1840
    • C:\Windows\system32\sc.exe
      "sc.exe" start InkLa1n
      2⤵
      • Launches sc.exe
      PID:760
  • C:\Users\Admin\Desktop\balls\HVCI\MbixMY.exe
    "C:\Users\Admin\Desktop\balls\HVCI\MbixMY.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1116
    • C:\Users\Admin\Desktop\balls\HVCI\kEFZ2K.exe
      "kEFZ2K.exe" -R
      2⤵
      • Executes dropped EXE
      PID:976
    • C:\Windows\system32\cmd.exe
      "cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\balls\HVCI\MbixMY.exe"
      2⤵
      PID:1680
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
        3⤵
        PID:600

Network

MITRE ATT&CK Enterprise v15


Downloads

      • C:\Users\Admin\Desktop\balls\#524#@7asRFj438!!.exe

        Filesize

        3.1MB

        MD5

        09ffcbccc1a4884f357781111b762d2e

        SHA1

        386be8f85e983815580d9a83f635dd1a802886db

        SHA256

        38a42d31c6741ceeceedaf2ba07e753863a81bcfed604df7df03fcb975980c82

        SHA512

        d0f656806c760c0352699ff43125876a4f264da1675400d81ea085bec9341a5cdf9834c6d5eeef0b7df417a0a86acbaebbc9babd5848096612d15a57f4a668f4

      • C:\Users\Admin\Desktop\balls\HVCI\MbixMY.exe

        Filesize

        11.7MB

        MD5

        fd296c175f03c23810e77776a04cb13c

        SHA1

        ed7748b428cb8598a4018e885702eca594e79aab

        SHA256

        55b9a87e164b2468d3f11b0b091ca582ae4f504d092bd461bdfaea2344d43b2e

        SHA512

        df3b9b2d92b4c86d71241cc99264b41357ef067a3f0438ba91aec2e7932e28d8530b8c04ef02b2e9349c72d685b69ec4ba132509cf3f3f1da461a28d7bbb468c

      • C:\Users\Admin\Desktop\balls\HVCI\MbixMY.exe

        Filesize

        6.2MB

        MD5

        888504032b03670e3fe0a87b98cd1194

        SHA1

        8abb3c0a4a9341991fa4713eec5f8d379bb57b71

        SHA256

        ddef4d2ee24dfa007f2f0a4ded670ca1a9602365a4864fe77d9cac1f2dc95b43

        SHA512

        a7528e8a803ecb8e1e0f54cb1a2992da9bb83b950a478ab168a8a3379d616ca14347cb09e190fe6b00677ad34a8228b73b7353b0b8ab254899000ec9540a2093

      • C:\Users\Admin\Desktop\balls\HVCI\kEFZ2K.exe

        Filesize

        1.7MB

        MD5

        167b3c8535cec99b4c0f3502d17880c5

        SHA1

        7fd02a8265d2efec266e91167a8b5989ff529529

        SHA256

        0e2404fc99d1fd40c552b26294ea4b2e49f4f6050f0bbf63d302e18274ef29ee

        SHA512

        048fe996eba0ea965f2cc5ed1a3186cfa9569a5c273f70b08f09d691fac90c927857417f25fa68804ab14a7f49cae7bf5d2c07e65eeb3de52fba25a204bf5f89

      • C:\Users\Admin\Desktop\balls\HVCI\kEFZ2K.exe

        Filesize

        887KB

        MD5

        d907aeffae5108145743f9fa36c2d314

        SHA1

        6a7d1924b3f3f4c2f336fb51449b8be9d67cb1df

        SHA256

        f7db17faf0ddaba3c4c21d7c184491e25879e32d2e80661922553a43e4bd41b7

        SHA512

        b4ff342651d85ab6d46650c707fa8ef93ad1e6df7a5b5db384334b00c6e0e6ff57c220b5b0a3e9a82d2969d6622ca439cf0864ba367d6e4fd6cb1664b0fd399d

      • \Users\Admin\Desktop\balls\HVCI\MbixMY.exe

        Filesize

        19.7MB

        MD5

        09e04205ee2e4b53e2bbaa249baf2598

        SHA1

        05da5d90f8bbca7fc3999da1bd9e2b0e11de0197

        SHA256

        60afe971d2f46a4ccf942b83c666a2f8a88927fea173fa99f227348f65cadcb0

        SHA512

        d5393035d8507cf51168873970ae76da51113f411bb3b1998ff73307d5ed4ea979fe4d61fd88db12d81c47ce815987f239762cc683b10dd749201c0c8c7ba2b5

      • \Users\Admin\Desktop\balls\HVCI\MbixMY.exe

        Filesize

        6.3MB

        MD5

        c18852a89c1e62898d008efacbf4fd92

        SHA1

        35d3cbc031e84927cf630f8365bb5d3a31e3704d

        SHA256

        a95204c5e8511bdbd239c44a1cbd156134e57b4d88062458063df600a346d3bd

        SHA512

        af60b8f05a6e101a0b29f7f09f77db241e29ad5ae37d77479dd8ec8f2f43f37f06c8cea56a9ec33773d608bcd2ecc59cd2975f22583050d6d1f4b2920f8cc1b1

      • \Users\Admin\Desktop\balls\HVCI\MbixMY.exe

        Filesize

        6.9MB

        MD5

        7b65995c24893b4046118dd269dc9926

        SHA1

        57b66289cf60d50bb5b35b6705abf41fdc546662

        SHA256

        0a6907ced1aa0846c0978d55e9dc0b37faedd235d2a970748d0fb1d40eea7f99

        SHA512

        dde17b81619879b37129643aba2feca4b400a4e2cc703e2f8688f478d516ae62908336132fcad973198f4da312ad0e9aae0c21d9fb13f8937c35e5055e683798

      • \Users\Admin\Desktop\balls\HVCI\MbixMY.exe

        Filesize

        6.9MB

        MD5

        4fc851a8adf22062ff2f3ab1ee0a7916

        SHA1

        97639e3d741c86ae887f4becf7c8761fc5d2b10a

        SHA256

        2a885fb0f0350871446f93b7cc3b57c590baf2dd7e9b72c4f6cf0ce9e81e1ee2

        SHA512

        7b9d75425aeae2d3fb3c4ad3c48898c3384690693038efa5f1981f0168a495cde4f1ba13ce2531c28c4a1f4fdc5cb253c0c04597fff0dd2b2977805a4b468844

      • \Users\Admin\Desktop\balls\HVCI\MbixMY.exe

        Filesize

        7.4MB

        MD5

        1e6184e69f035751cdd62623b142a6ba

        SHA1

        c084e9f68073a069bb5fcb2db81264955f506937

        SHA256

        8e10cdf4461dac2b623b57c03229bff9bcfcea3649ac090d750f81c69df062d0

        SHA512

        193639e91e8e1b8d9d229725ed488ffcf0fa68a8666b4f2d5c7129ebd282889750f80ca48d2d356ff203f4688949076d45ae1cbbd8d129c01b97aabb2effaf94

      • \Users\Admin\Desktop\balls\HVCI\MbixMY.exe

        Filesize

        7.1MB

        MD5

        302d1974ec4f1d8c28a5aaf3d1391591

        SHA1

        afcdc6fd01c3dcc3bb33926b70be0a5438dcc23b

        SHA256

        5bcaaf1f184eee7e816763d13373b5132f752d002eebce40afd99d44d7b86ea3

        SHA512

        bd320f797dca8fd875791c36389028b65a0c1ad00f38de93f40060bd815e776cc26ed8b1f51ff4ef519328c1800db0cb4e48a4925dc6e39517595a2559192048

      • \Users\Admin\Desktop\balls\HVCI\MbixMY.exe

        Filesize

        7.4MB

        MD5

        7bd523da767c608b3764dcb0eb625770

        SHA1

        0d438ae9fa61543464e88d3f7a52b4e148933c8c

        SHA256

        97b6916a33b85cc7d5f42093a209a7d47edd30d62db5bab91a86a4cb3e1befb8

        SHA512

        2c969cd18b08883dfccd0314cd7850dc0ab80237c2185e854c5630ade6dc023e715f7076998d86ca170b97591f3455a252022ea0e61829a7e2270a15a22455c6

      • \Users\Admin\Desktop\balls\HVCI\MbixMY.exe

        Filesize

        7.3MB

        MD5

        acbc6552549756e83bbe2ff7d9de1ae2

        SHA1

        ac65eb1d4f637ffe95006441d3c1b586b8a3c1df

        SHA256

        a4363f297f226bec5e65771eca4aa7fcb658178c1dfa0ed254e7daf17bf9f355

        SHA512

        a65043eb4b48ed0f749ca2f27d4404e53f303ca772f3aee2f3e9df1d076fb04f0347f2014a1e405a804892ff2b6a5406378b8f283dda43d56273034d4c83fdae

      • \Users\Admin\Desktop\balls\HVCI\Steam.exe

        Filesize

        15.9MB

        MD5

        8aac8c3763433c4633f9df18099454d8

        SHA1

        488b942dc7da1066a2ca1531319dd91828501b44

        SHA256

        841b830d52ffa466dcf7bc00f47f9097634782b4028ecc512ffb0ffb49107a92

        SHA512

        200aabc46b9d25952906e3f6badab8802dd6fe2d3be598e92792ffdb6c2834042921ae441aae4c6cb8e51b9e1fadd2ad1a30f21ef7d0ff38da002b7b1ed96e7b

      • \Users\Admin\Desktop\balls\HVCI\kEFZ2K.exe

        Filesize

        1.6MB

        MD5

        7dff9b1cb61e9854e441ea9bb2d058cc

        SHA1

        4bf717cd9ae5ffe9bd57b8fd66499b37ef26bc39

        SHA256

        eb0b3f7b81c3169d04f12a92e007e6c9a6f8ad0aae255f25b29e7de543bc9028

        SHA512

        071818a189dcdf55ac543ea8e10ac4181e749652fbfec4ff04f747d6d0ab11f033b940fead790cd4c979eb3325a982cc6e0389264c354043a6c8ba343f88b5a1

      • memory/1116-54-0x0000000140000000-0x0000000143226000-memory.dmp

        Filesize

        50.1MB

      • memory/1116-55-0x0000000140000000-0x0000000143226000-memory.dmp

        Filesize

        50.1MB

      • memory/1116-62-0x0000000140000000-0x0000000143226000-memory.dmp

        Filesize

        50.1MB

      • memory/1116-57-0x0000000140000000-0x0000000143226000-memory.dmp

        Filesize

        50.1MB

      • memory/1116-56-0x0000000140000000-0x0000000143226000-memory.dmp

        Filesize

        50.1MB

      • memory/2288-40-0x0000000140000000-0x00000001428F1000-memory.dmp

        Filesize

        40.9MB

      • memory/2288-38-0x0000000140000000-0x00000001428F1000-memory.dmp

        Filesize

        40.9MB

      • memory/2288-39-0x0000000140000000-0x00000001428F1000-memory.dmp

        Filesize

        40.9MB

      • memory/2288-44-0x0000000140000000-0x00000001428F1000-memory.dmp

        Filesize

        40.9MB

      • memory/2288-41-0x0000000140000000-0x00000001428F1000-memory.dmp

        Filesize

        40.9MB

      • memory/2288-37-0x0000000140000000-0x00000001428F1000-memory.dmp

        Filesize

        40.9MB

      • memory/2288-43-0x0000000140000000-0x00000001428F1000-memory.dmp

        Filesize

        40.9MB

      • memory/2724-15-0x0000000000910000-0x0000000000C34000-memory.dmp

        Filesize

        3.1MB

      • memory/3068-10-0x0000000001150000-0x0000000001474000-memory.dmp

        Filesize

        3.1MB