Analysis
-
max time kernel
146s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
10/03/2025, 17:40
General
-
Target
PatricksParabox.exe.bin.exe
-
Size
3.2MB
-
MD5
0a717705a7797e35b6f5af62ffe43abb
-
SHA1
4c823754c6cebe13ae0aec7ba874318f20445145
-
SHA256
c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
-
SHA512
75d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead
-
SSDEEP
98304:zvr62XlaSFNWPjljiFXRoUYITrUCgLEEa1:75ZY2gLEEa1
Malware Config
Extracted
quasar
1.4.1
Hugrix
prxprodquasar.zapto.org:4782
ad6032ec-a1ba-49fe-a6c9-21a847436cda
-
encryption_key
7AB142AC063BEB01BE33EE315E2D0BBA3E071A0B
-
install_name
JavaUpdater.exe
-
log_directory
JavaInstallLogs
-
reconnect_delay
3000
-
startup_key
Java Updater
-
subdirectory
Java
Extracted
latentbot
prxprodquasar.zapto.org
Signatures
-
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
-
Latentbot family
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Drops file in System32 directory 5 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\PatricksParabox.exe.bin.exe"C:\Users\Admin\AppData\Local\Temp\PatricksParabox.exe.bin.exe"1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\Java\JavaUpdater.exe"C:\Windows\system32\Java\JavaUpdater.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Windows\system32\Java\JavaUpdater.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.2MB
MD50a717705a7797e35b6f5af62ffe43abb
SHA14c823754c6cebe13ae0aec7ba874318f20445145
SHA256c973b6a179d4477cc0d52ca84e6083a679988d991b53cb29573c75668b154f2e
SHA51275d39a3fbbf3b6289330aab45471d497dec51d076dc96bf29b0bc526154bb9502745f08aee14624bca8c7b0f2c5822e2f81a8b959cd8348457015b06a2fe9ead
-
Filesize
8KB
-
Filesize
3.2MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
10.8MB