Overview

overview

10

Static

static

10

PatricksParabox.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    227s
  • max time network
    231s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250217-en
  • resource tags

    arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    10/03/2025, 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PatricksParabox.exe

  • Size

    3.2MB

  • MD5

    0a717705a7797e35b6f5af62ffe43abb

  • SHA1

    4c823754c6cebe13ae0aec7ba874318f20445145

  • SHA256

    c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e

  • SHA512

    75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead

  • SSDEEP

    98304:zvr62XlaSFNWPjljiFXRoUYITrUCgLEEa1:75ZY2gLEEa1

Score
10/10
latentbotquasarhugrixdiscoveryspywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Hugrix

C2

prxprodquasar.zapto.org:4782

Mutex

ad6032ec-a1ba-49fe-a6c9-21a847436cda

Attributes
  • encryption_key

    7AB142AC063BEB01BE33EE315E2D0BBA3E071A0B

  • install_name

    JavaUpdater.exe

  • log_directory

    JavaInstallLogs

  • reconnect_delay

    3000

  • startup_key

    Java Updater

  • subdirectory

    Java

Extracted

Family

latentbot

C2

prxprodquasar.zapto.org

Signatures

  • LatentBot

    Modular trojan written in Delphi which has been in-the-wild since 2013.

    trojanlatentbot
  • Latentbot family
    latentbot
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 4 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\PatricksParabox.exe
    "C:\Users\Admin\AppData\Local\Temp\PatricksParabox.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4524
    • C:\Windows\system32\Java\JavaUpdater.exe
      "C:\Windows\system32\Java\JavaUpdater.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3152
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:804
      • C:\Windows\SYSTEM32\cmd.exe
        "cmd" /K CHCP 437
        3⤵
          PID:3496
          • C:\Windows\system32\chcp.com
            CHCP 437
            4⤵
              PID:2312
          • C:\Windows\SYSTEM32\schtasks.exe
            "schtasks" /delete /tn "Java Updater" /f
            3⤵
              PID:1880
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZOovQnq2moy3.bat" "
              3⤵
                PID:4496
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  4⤵
                    PID:1140
                  • C:\Windows\system32\PING.EXE
                    ping -n 10 localhost
                    4⤵
                    • System Network Configuration Discovery: Internet Connection Discovery
                    • Runs ping.exe
                    PID:2404
            • C:\Windows\system32\BackgroundTransferHost.exe
              "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
              1⤵
              • Modifies registry class
              PID:504
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
              1⤵
                PID:2688
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe"
                1⤵
                • Suspicious use of WriteProcessMemory
                PID:4740
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe"
                  2⤵
                  • Checks processor information in registry
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2836
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1836 -prefMapHandle 1840 -prefsLen 27611 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ab0ff7c-d017-47e0-9d6f-c5b2835436b2} 2836 "\\.\pipe\gecko-crash-server-pipe.2836" gpu
                    3⤵
                      PID:2012
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2344 -parentBuildID 20240401114208 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 27489 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84cf90fd-3a99-4689-b0ba-78e43d493518} 2836 "\\.\pipe\gecko-crash-server-pipe.2836" socket
                      3⤵
                      • Checks processor information in registry
                      PID:944
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3196 -childID 1 -isForBrowser -prefsHandle 3336 -prefMapHandle 3224 -prefsLen 27630 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ab022b0-eaf2-46d2-84db-5be4119f25b8} 2836 "\\.\pipe\gecko-crash-server-pipe.2836" tab
                      3⤵
                        PID:248
                      • C:\Program Files\Mozilla Firefox\firefox.exe
                        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3596 -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 2664 -prefsLen 32863 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85c6d376-425e-4a9c-ba43-fa0ff6860409} 2836 "\\.\pipe\gecko-crash-server-pipe.2836" tab
                        3⤵
                          PID:1156
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4692 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4680 -prefMapHandle 4656 -prefsLen 32863 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fcb3994-f46a-45c5-b665-13a185dc7028} 2836 "\\.\pipe\gecko-crash-server-pipe.2836" utility
                          3⤵
                          • Checks processor information in registry
                          PID:4708
                        • C:\Program Files\Mozilla Firefox\firefox.exe
                          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 3 -isForBrowser -prefsHandle 5312 -prefMapHandle 5244 -prefsLen 27007 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef131f6b-bd0c-4fad-aa5c-6ecc59c91104} 2836 "\\.\pipe\gecko-crash-server-pipe.2836" tab
                          3⤵
                            PID:2380
                          • C:\Program Files\Mozilla Firefox\firefox.exe
                            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5516 -prefMapHandle 5520 -prefsLen 27007 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c16c6238-ed8d-480a-a9cd-8db34d875d6a} 2836 "\\.\pipe\gecko-crash-server-pipe.2836" tab
                            3⤵
                              PID:1564
                            • C:\Program Files\Mozilla Firefox\firefox.exe
                              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5788 -childID 5 -isForBrowser -prefsHandle 5708 -prefMapHandle 5712 -prefsLen 27007 -prefMapSize 244628 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {446d66f6-3dd5-4332-93b3-712bd0e36fad} 2836 "\\.\pipe\gecko-crash-server-pipe.2836" tab
                              3⤵
                                PID:3004

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2nimmy3l.default-release\activity-stream.discovery_stream.json
                            Filesize

                            21KB

                            MD5

                            e708cac2e1953755b3c371f2c919dd8d

                            SHA1

                            7501da4e3443afa916454e95a2fe71a28984191d

                            SHA256

                            7cd4e129faeb7f8d4158a8226339d6290fa5ac01bf0a9f55b5f9624472d89de6

                            SHA512

                            07aa33259800013fe3ab90f23bfca063d1d7c35d61758227dcdfa20a5cfb3caaead232f33c17b6d75278938048dbef60de08a9967a7909278e2273d32f4d4239

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\3e9a255a-6692-45df-8fdb-3af7bcb32513.down_data
                            Filesize

                            555KB

                            MD5

                            5683c0028832cae4ef93ca39c8ac5029

                            SHA1

                            248755e4e1db552e0b6f8651b04ca6d1b31a86fb

                            SHA256

                            855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

                            SHA512

                            aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Temp\ZOovQnq2moy3.bat
                            Filesize

                            203B

                            MD5

                            af0daa6db7b591361bcb27dd7ae6f8b6

                            SHA1

                            d12471b2615f32b97cf58ba29c4e1bb99e06023d

                            SHA256

                            d3be93f5423f856d5782479b0433f3212f520f932ba41b62986c90a246b42618

                            SHA512

                            8c5f245460d1f13e68382c89b740e8785458f33e616d8a1e464e948866733a8959b567078ef195b822659b1ed56a6e342418227e62daa0b7dd68a3e2f5293c57

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\db\data.safe.tmp
                            Filesize

                            5KB

                            MD5

                            9ab6a4fc216d44ab5fa992db00b653ac

                            SHA1

                            793568ce7f6b8f2d57c13aadf6fdda9aac3a6c53

                            SHA256

                            8f45cf1cc43ea180c8799a665dbf2a01802f2dd5d9bbae5e1dc900569acd2823

                            SHA512

                            0e03921968e8b28b2fb1f71bb1aedc2d7747ec6b3b8111bf161f2f21a086ba9a30c919bbc276ec7afdb0461da579ef69368d8f4580a63d5c244c40f3d311e8b7

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\db\data.safe.tmp
                            Filesize

                            5KB

                            MD5

                            15b8f4265d55a641fa5807a6ce7e5aa6

                            SHA1

                            e88792ae7f83040a420165db5d5d152ca8bcf7b5

                            SHA256

                            2469e78d0b7f8be43f11281f444aead53fb057cf6635ef9651acd0f005f6347d

                            SHA512

                            7b8afaceedf4f6571818728a48b2e339ba46a45962993144a5b2234f00dc781db3f153e9cf9532972f431957a5dad6e63a0ea902f937766a30894505e7e3a7b5

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\pending_pings\2e5bae5a-c03e-4610-bd56-51ea543ccf3f
                            Filesize

                            982B

                            MD5

                            162f74b85cd15f414c88f8c7580caef6

                            SHA1

                            77790c2cb0504a01b9f233748bc1d0d90b25fecc

                            SHA256

                            b2d19222b96829956b0396e70130ad900744a5e17f84abbe14dd92ca9aefa45b

                            SHA512

                            93acb1c2360cf350625965b566d773e3e2b91dabfce715075c159ccbfa255f5ca9142f95eee0f91698b13169817b447d6d558a6199ea80c2bcaa0fd1e1b96a40

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\pending_pings\e3a6186f-4bbe-445c-a7c1-71c97827d114
                            Filesize

                            671B

                            MD5

                            e1e36679184bab6d476a81f1a9b42c23

                            SHA1

                            15d815005cc576cc34f3df2c4dacfa96207debb4

                            SHA256

                            e1af3dc223f65c1359dccc51778a9e2ef8b5ee6a7452e599deda4d27068673dd

                            SHA512

                            9e7ba1152cee5c7024196c520d42c5aa56d6cd5224925c72106c7fbaad1382e80aac723ee46b108ce1294154ffb24065399022a6e29844b6762ed9db818fa42e

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\datareporting\glean\pending_pings\fa8053bd-738d-4b34-bf31-1ed73a7da6fb
                            Filesize

                            25KB

                            MD5

                            4aae7ed438bc8a9d54dc12dae5f30371

                            SHA1

                            227ddd73df6777c975e160509d72a33ae6be6411

                            SHA256

                            b79bfd7c9927341db17613fe84ca0b466eabec5d0259d9bc009dd2f45f178baa

                            SHA512

                            9cb5fc4eb55306e82911f6b19f5c11786b7bb86744e2f9a407a0fe357f0ba0c07fc2fa7119cc5d31d6393df07fa66dee86e257699125c8a393081c25776f9b59

                            Download Submit

                          • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2nimmy3l.default-release\prefs-1.js
                            Filesize

                            9KB

                            MD5

                            ac183ffe0044c9322c1a1a81803bb247

                            SHA1

                            13eca0d5146789cc98620e637f54a268558e5e4a

                            SHA256

                            5cba45ea051466d0647c9f730716af65e24ae040d39f21859d76ea3159a9430d

                            SHA512

                            b9bf6d2d7974aba4ab0b9c21dc7987821378190f396682ed755c3a2dfaf22f503b74a887c848012e44d6b4372ff1a60eb57efa0e70f035153a6553fdc8ee28ce

                            Download Submit

                          • C:\Windows\System32\Java\JavaUpdater.exe
                            Filesize

                            3.2MB

                            MD5

                            0a717705a7797e35b6f5af62ffe43abb

                            SHA1

                            4c823754c6cebe13ae0aec7ba874318f20445145

                            SHA256

                            c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e

                            SHA512

                            75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead

                            Download Submit

                          • memory/3012-1-0x0000000000A00000-0x0000000000D3E000-memory.dmp

                            Filesize

                            3.2MB

                            Download

                          • memory/3012-2-0x00007FFC1B670000-0x00007FFC1C132000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3012-10-0x00007FFC1B670000-0x00007FFC1C132000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3012-0-0x00007FFC1B673000-0x00007FFC1B675000-memory.dmp

                            Filesize

                            8KB

                            Download

                          • memory/3152-11-0x00007FFC1B670000-0x00007FFC1C132000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3152-12-0x000000001C620000-0x000000001C670000-memory.dmp

                            Filesize

                            320KB

                            Download

                          • memory/3152-13-0x000000001C730000-0x000000001C7E2000-memory.dmp

                            Filesize

                            712KB

                            Download

                          • memory/3152-16-0x000000001C6F0000-0x000000001C702000-memory.dmp

                            Filesize

                            72KB

                            Download

                          • memory/3152-25-0x000000001DE60000-0x000000001E388000-memory.dmp

                            Filesize

                            5.2MB

                            Download

                          • memory/3152-18-0x00007FFC1B670000-0x00007FFC1C132000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3152-9-0x00007FFC1B670000-0x00007FFC1C132000-memory.dmp

                            Filesize

                            10.8MB

                            Download

                          • memory/3152-372-0x000000001D5C0000-0x000000001D68D000-memory.dmp

                            Filesize

                            820KB

                            Download

                          • memory/3152-382-0x000000001D5C0000-0x000000001D68D000-memory.dmp

                            Filesize

                            820KB

                            Download

                          • memory/3152-17-0x000000001D380000-0x000000001D3BC000-memory.dmp

                            Filesize

                            240KB

                            Download

                          • memory/3152-384-0x00007FFC1B670000-0x00007FFC1C132000-memory.dmp

                            Filesize

                            10.8MB

                            Download