Analysis
-
max time kernel
133s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
20/04/2025, 10:40
General
-
Target
2025-04-20_ac8e7f19e4d3e6ad8bdabd57dc79063e_black-basta_cobalt-strike_satacom.exe
-
Size
1.5MB
-
MD5
ac8e7f19e4d3e6ad8bdabd57dc79063e
-
SHA1
2dcf6ea2e23dd4f1b774693cde1555b02abd28c9
-
SHA256
77a7cd3a32b8f2034e427b8d7ca740a6c4f9e0bc79d4b7eddd7922668ef9f24a
-
SHA512
ffc28fa7cca91a15263e86d973dbdfc19dd1030c46b822d9b01ab4582b6d787dc3c18a10dbd9824d69e25403c1f61456fdf31030fb853a49aff190ac7e47016a
-
SSDEEP
24576:xEeqQq3KnmI5yjNeGNcZQg0pWdKZGzgDv7hEiOTVGT6QZhkVyYtW:xEuq6mAyjMGNcZOWdsz7exq/kVRtW
Malware Config
Extracted
quasar
1.4.1
Java
192.168.1.33:4782
dbd83e28-626e-4246-bc34-1a191d13a0d2
-
encryption_key
F99A16169D9E428A1B70483052E7EC2C3781496E
-
install_name
javaupdater.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
java
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar family
-
Quasar payload 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-04-20_ac8e7f19e4d3e6ad8bdabd57dc79063e_black-basta_cobalt-strike_satacom.exe"C:\Users\Admin\AppData\Local\Temp\2025-04-20_ac8e7f19e4d3e6ad8bdabd57dc79063e_black-basta_cobalt-strike_satacom.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\java.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\java.exe"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "java" /sc ONLOGON /tr "C:\Windows\system32\SubDir\javaupdater.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\system32\SubDir\javaupdater.exe"C:\Windows\system32\SubDir\javaupdater.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\schtasks.exe"schtasks" /create /tn "java" /sc ONLOGON /tr "C:\Windows\system32\SubDir\javaupdater.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.1MB
MD58bb0dc5d9a0aa31d1220b8a5c841d63f
SHA19db89465ff40e3d2a527fd32415edec54375a579
SHA2566db909315993c048d5236ff97c4c3ff648de6ea67850b3c33cbbc33e779dd5bf
SHA512cd9c638ee17a05c71161967a0ace7381d84f4a0142d9324110f6c785a0ee150a23760f7bd64f7db3203823fd4a8a6430f63260585ed148fde802c2fb57a4dcc4
-
Filesize
8KB
-
Filesize
3.1MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
712KB
-
Filesize
320KB