Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
-
submitted
09-02-2025 13:35
General
-
Target
Client-built.exe
-
Size
3.1MB
-
MD5
9f363517377578ac3d7fbb253dcaaf8d
-
SHA1
d79d53e00bac8145fe06602fe1479d4770d31ab1
-
SHA256
6e17449148526f2169e2d0fdcedd5f599b17e953b29662f74ca0f534ba44589b
-
SHA512
0424519b17c3511124d8a7ab6b9e0700106ef01bb157ded9a99cbcb2b599e6f59ea7b235d35ebfe10c1836680eb449d719790641f72d5504232c4c2bd977e73f
-
SSDEEP
49152:rvCI22SsaNYfdPBldt698dBcjHXAWEpMf/GoGd+THHB72eh2NT:rvP22SsaNYfdPBldt6+dBcjHXAWE5
Malware Config
Extracted
quasar
1.4.1
Office04
wexodi1642-33696.portmap.host:33696
05043f17-0876-45f5-b27b-7f630638e515
-
encryption_key
F4CF0CA55402CFB88BBBA236836AC2C8F476EAF1
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Steam
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 5 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Client-built.exe"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\SubDir\Client.exe"C:\Windows\system32\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Steam" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD59f363517377578ac3d7fbb253dcaaf8d
SHA1d79d53e00bac8145fe06602fe1479d4770d31ab1
SHA2566e17449148526f2169e2d0fdcedd5f599b17e953b29662f74ca0f534ba44589b
SHA5120424519b17c3511124d8a7ab6b9e0700106ef01bb157ded9a99cbcb2b599e6f59ea7b235d35ebfe10c1836680eb449d719790641f72d5504232c4c2bd977e73f
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB