Overview

overview

10

Static

static

3

Nueva Orde...ra.exe

windows7-x64

10

Nueva Orde...ra.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    291s
  • max time network
    303s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    14-02-2025 01:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nueva Orden de Compra.exe

  • Size

    899KB

  • MD5

    da4bdaef912fbec33c8f6c787c951420

  • SHA1

    db3d1d6ee8647c350d19bbc0bb0509811373d436

  • SHA256

    5017f298316f0ee887a1251d0cff9549d98feb8fbca8a4cdf83ef2ade555adb2

  • SHA512

    9673db99e7e194d7e9c402f6066f14245f9cc5e1ab133ad7b45a76f4c2c7d1b3d9d3c14974fe469bda6e959223205ebd2b047e486b17bd2ed8f3d8c6221540a6

  • SSDEEP

    24576:AvjQG02u/rcfrYbJ1G3FroaICdyk6ljh:eQwercsbXONoaPds

Score
10/10
quasarstroy3discoveryspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Stroy3

C2

twentyfivev.crabdance.com:61538

127.0.0.1:61538
Mutex

QSR_MUTEX_jgYB0FbAXwuBLBMCAM

Attributes
  • encryption_key

    7ghxCAmzO7RIdS51gVaQ

  • install_name

    cpdater.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    cindows cpdater

  • subdirectory

    cindows

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nueva Orden de Compra.exe
    "C:\Users\Admin\AppData\Local\Temp\Nueva Orden de Compra.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Users\Admin\AppData\Local\Temp\Nueva Orden de Compra.exe
      "C:\Users\Admin\AppData\Local\Temp\Nueva Orden de Compra.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "cindows cpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Nueva Orden de Compra.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2184
      • C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe
        "C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2616
        • C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe
          C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2224
          • C:\Windows\SysWOW64\schtasks.exe
            "schtasks" /create /tn "cindows cpdater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe" /rl HIGHEST /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:2816
        • C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe
          C:\Users\Admin\AppData\Roaming\cindows\cpdater.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1524
    • C:\Users\Admin\AppData\Local\Temp\Nueva Orden de Compra.exe
      "C:\Users\Admin\AppData\Local\Temp\Nueva Orden de Compra.exe"
      2⤵
        PID:2896

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Roaming\cindows\cpdater.exe
      Filesize

      899KB

      MD5

      da4bdaef912fbec33c8f6c787c951420

      SHA1

      db3d1d6ee8647c350d19bbc0bb0509811373d436

      SHA256

      5017f298316f0ee887a1251d0cff9549d98feb8fbca8a4cdf83ef2ade555adb2

      SHA512

      9673db99e7e194d7e9c402f6066f14245f9cc5e1ab133ad7b45a76f4c2c7d1b3d9d3c14974fe469bda6e959223205ebd2b047e486b17bd2ed8f3d8c6221540a6

      Download Submit

    • memory/2492-11-0x0000000074C60000-0x000000007534E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2492-2-0x0000000006F90000-0x0000000007096000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2492-3-0x00000000001A0000-0x00000000001A6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2492-4-0x0000000074C60000-0x000000007534E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2492-1-0x0000000000D50000-0x0000000000E36000-memory.dmp

      Filesize

      920KB

      Download

    • memory/2492-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2616-21-0x0000000000E70000-0x0000000000F56000-memory.dmp

      Filesize

      920KB

      Download

    • memory/2784-10-0x0000000074C60000-0x000000007534E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2784-7-0x0000000000400000-0x000000000045E000-memory.dmp

      Filesize

      376KB

      Download

    • memory/2784-12-0x0000000074C60000-0x000000007534E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2784-13-0x0000000074C60000-0x000000007534E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2784-9-0x0000000000400000-0x000000000045E000-memory.dmp

      Filesize

      376KB

      Download

    • memory/2784-20-0x0000000074C60000-0x000000007534E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2784-5-0x0000000000400000-0x000000000045E000-memory.dmp

      Filesize

      376KB

      Download