Analysis
-
max time kernel
138s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
13-02-2025 02:29
General
-
Target
19a41e1c599835a384e9bf414c7a65e1c60ae261e97e639cd3c0fd9f22afd010.exe
-
Size
3.1MB
-
MD5
c4f9f10a96ad4665cd156ce3d1a9e29c
-
SHA1
10f32538070d3f615e1f2298f94f0250d846c8ed
-
SHA256
19a41e1c599835a384e9bf414c7a65e1c60ae261e97e639cd3c0fd9f22afd010
-
SHA512
fc7277bb2c633c985c8d48c2d3b6936ec62b1c18daa6dd9043c817586eb531aa7116f28c998997b0a14db387dabe22e812957b33ddbed41732ce33afd8c07482
-
SSDEEP
49152:vvyt62XlaSFNWPjljiFa2RoUYIlxPEakWk/LCcoGdIS/THHB72eh2NT:vva62XlaSFNWPjljiFXRoUYIlxS5Y
Malware Config
Extracted
quasar
1.4.1
minecrafter
87.228.57.81:4782
cf3988ab-2fd9-4544-a16f-9faa71eb5bac
-
encryption_key
19A0FAF8459F69650B5965C225752D425C429EEC
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
svchoost.exe
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 3 IoCs
-
Executes dropped EXE 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\19a41e1c599835a384e9bf414c7a65e1c60ae261e97e639cd3c0fd9f22afd010.exe"C:\Users\Admin\AppData\Local\Temp\19a41e1c599835a384e9bf414c7a65e1c60ae261e97e639cd3c0fd9f22afd010.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "svchoost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD5c4f9f10a96ad4665cd156ce3d1a9e29c
SHA110f32538070d3f615e1f2298f94f0250d846c8ed
SHA25619a41e1c599835a384e9bf414c7a65e1c60ae261e97e639cd3c0fd9f22afd010
SHA512fc7277bb2c633c985c8d48c2d3b6936ec62b1c18daa6dd9043c817586eb531aa7116f28c998997b0a14db387dabe22e812957b33ddbed41732ce33afd8c07482
-
Filesize
4KB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
3.1MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB