Overview

overview

10

Static

static

10

Client-built.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    129s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250313-en
  • resource tags

    arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    30/03/2025, 18:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    875KB

  • MD5

    8c2785d34b3a6e6fbce972117228a9b4

  • SHA1

    673b9eb1f253903c45834dcba09afcef718599e4

  • SHA256

    6a960757025813729fa37ab51a6a7db9c8439d429e078f79717008fc2796b141

  • SHA512

    c2f184d9a265425b190bc3a900083112a46436bc09907ded7baeaa83c9202f66e73bf036dc2738eac35ca41d049d80f77daf3519e9fe23ed2754264314f2497a

  • SSDEEP

    24576:EGcC7Tt+PSWHIPbcNK0KKfaOwI55l2Sszls1j5:XcC7TmEgKKHwCBsza

Score
10/10
quasaroffice04ransomwarespywarestealertrojan

Malware Config

Extracted

Family

quasar

Version

1.5.0

Botnet

Office04

C2

Javv-46764.portmap.host:46764

Mutex

c236c7b5-e333-43a3-a991-954c61518c46

Attributes
  • encryption_key

    F5F31C46BB15BEDDB643667BC441A55E746DE4B8

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Modded Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar family
    quasar
  • Quasar payload 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in System32 directory 2 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4248
    • C:\Windows\system32\SubDir\Client.exe
      "C:\Windows\system32\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:340
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1244

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\SubDir\Client.exe
    Filesize

    875KB

    MD5

    8c2785d34b3a6e6fbce972117228a9b4

    SHA1

    673b9eb1f253903c45834dcba09afcef718599e4

    SHA256

    6a960757025813729fa37ab51a6a7db9c8439d429e078f79717008fc2796b141

    SHA512

    c2f184d9a265425b190bc3a900083112a46436bc09907ded7baeaa83c9202f66e73bf036dc2738eac35ca41d049d80f77daf3519e9fe23ed2754264314f2497a

    Download Submit

  • memory/340-10-0x0000024AA6D60000-0x0000024AA6DB0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/340-11-0x0000024AA7080000-0x0000024AA7132000-memory.dmp

    Filesize

    712KB

    Download

  • memory/340-12-0x0000024AA6D10000-0x0000024AA6D5E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/340-15-0x0000024AA7050000-0x0000024AA7062000-memory.dmp

    Filesize

    72KB

    Download

  • memory/340-16-0x0000024AA72D0000-0x0000024AA730C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/340-17-0x0000024AA7290000-0x0000024AA72A6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4248-0-0x00007FF82D1D3000-0x00007FF82D1D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4248-1-0x0000021EF0730000-0x0000021EF0810000-memory.dmp

    Filesize

    896KB

    Download

  • memory/4248-2-0x0000021EF0C30000-0x0000021EF0C4A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4248-3-0x00007FF82D1D0000-0x00007FF82DC92000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4248-9-0x00007FF82D1D0000-0x00007FF82DC92000-memory.dmp

    Filesize

    10.8MB

    Download