Analysis
-
max time kernel
54s -
max time network
57s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
09-02-2025 17:17
General
-
Target
rat.exe
-
Size
3.1MB
-
MD5
0ef2261e6587f8b552ec3da98331ff26
-
SHA1
7c8a1b9fd589576d1979c5576219e734ce7a0699
-
SHA256
2dac612eb9e1901ccc9dba9b03680a3a330b4084f0aeb8d543f3c7a595644829
-
SHA512
ab6363753345ede1b29d8ef3a9592e9febbbb25348d77a2f214a0d7e08301f6596c99fbeb1ee6b62edb426454562dc74657f295a876021bba8610b6f9a9c2e34
-
SSDEEP
49152:evHI22SsaNYfdPBldt698dBcjHpxDEDw1k/JxQoGdtTHHB72eh2NT:evo22SsaNYfdPBldt6+dBcjHpxW+
Malware Config
Extracted
quasar
1.4.1
Office01
sabaf-38910.portmap.host:38910
f7356d60-951e-494a-a901-2e12bb084129
-
encryption_key
5C7AC20AEB149D8BC06141FCF79866AD6E3847AD
-
install_name
RuntimeBroker.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
RunTimeBroker
-
subdirectory
System32
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 5 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\rat.exe"C:\Users\Admin\AppData\Local\Temp\rat.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "RunTimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\RuntimeBroker.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\System32\RuntimeBroker.exe"C:\Windows\system32\System32\RuntimeBroker.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "RunTimeBroker" /sc ONLOGON /tr "C:\Windows\system32\System32\RuntimeBroker.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD50ef2261e6587f8b552ec3da98331ff26
SHA17c8a1b9fd589576d1979c5576219e734ce7a0699
SHA2562dac612eb9e1901ccc9dba9b03680a3a330b4084f0aeb8d543f3c7a595644829
SHA512ab6363753345ede1b29d8ef3a9592e9febbbb25348d77a2f214a0d7e08301f6596c99fbeb1ee6b62edb426454562dc74657f295a876021bba8610b6f9a9c2e34
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB