Analysis Overview
SHA256
ca7b743a5c9d25017b61f0f3d561409aa558cd9891ad07a61f6726796a3c94dd
Threat Level: Known bad
The file Client-built.exe was found to be: Known bad.
Malicious Activity Summary
LatentBot
Latentbot family
Quasar payload
Quasar RAT
Quasar family
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Runs ping.exe
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-15 13:40
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-15 13:40
Reported
2025-03-15 13:43
Platform
win11-20250314-en
Max time kernel
103s
Max time network
105s
Command Line
Signatures
LatentBot
Latentbot family
Quasar RAT
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Runtime\RuntimeBroker.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Runtime\RuntimeBroker.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Runtime\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Client-built.exe
"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime\RuntimeBroker.exe" /rl HIGHEST /f
C:\Users\Admin\AppData\Roaming\Runtime\RuntimeBroker.exe
"C:\Users\Admin\AppData\Roaming\Runtime\RuntimeBroker.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "RuntimeBroker" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Runtime\RuntimeBroker.exe" /rl HIGHEST /f
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /delete /tn "RuntimeBroker" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\klo8I5I4Hchc.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | cheezeyballs.zapto.org | udp |
| DE | 91.51.36.43:4847 | cheezeyballs.zapto.org | tcp |
| DE | 195.201.57.90:443 | ipwho.is | tcp |
Files
memory/3572-0-0x00007FF9D7C93000-0x00007FF9D7C95000-memory.dmp
memory/3572-1-0x0000000000FD0000-0x0000000001088000-memory.dmp
memory/3572-2-0x00007FF9D7C90000-0x00007FF9D8752000-memory.dmp
C:\Users\Admin\AppData\Roaming\Runtime\RuntimeBroker.exe
| Hash | Value |
|---|---|
| MD5 | 34a8c705e2bd75f4956b2cb6fdcef493 |
| SHA1 | 97024b73c67021cdda06b78bb042d1c17e6e38d4 |
| SHA256 | ca7b743a5c9d25017b61f0f3d561409aa558cd9891ad07a61f6726796a3c94dd |
| SHA512 | 6f65a700ac682b1066bd95fe62e9eee1194ca86462833e7b961a7f00b8525fca1d3f6fbf799d9bf0364446552d32913358d47ce15b9ab310b6ae463fa673acf5 |
memory/5988-9-0x00007FF9D7C90000-0x00007FF9D8752000-memory.dmp
memory/3572-10-0x00007FF9D7C90000-0x00007FF9D8752000-memory.dmp
memory/5988-11-0x000000001CE00000-0x000000001CE50000-memory.dmp
memory/5988-12-0x000000001CF10000-0x000000001CFC2000-memory.dmp
memory/5988-13-0x000000001CEB0000-0x000000001CEC2000-memory.dmp
memory/5988-14-0x000000001D720000-0x000000001D75C000-memory.dmp
memory/5988-19-0x00007FF9D7C90000-0x00007FF9D8752000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\klo8I5I4Hchc.bat
| Hash | Value |
|---|---|
| MD5 | 6c594fe696d71f8d5226cf485ed6ea2e |
| SHA1 | ec74d1b717eb45d929b540926be0e8dae6e8162f |
| SHA256 | d3a3e171271b6efdb8b42fa1b9cb6e2d34c2d72d06e8f143f32f9e1d2b120ccc |
| SHA512 | 3dc2bf9cc1dc5475ec0869938d557d664acb2cd8daa53bd4194ec5e8302d11834a700f678607e34dc707fc3f72dc0441a8348425da00a44091aea2a9903b51ea |