Overview

overview

10

Static

static

10

smss.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    136s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    21-06-2024 06:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    smss.exe

  • Size

    3.1MB

  • MD5

    e892f6b514297ffa73a5271d66d5180b

  • SHA1

    10f5886d28d48454581af2e05bf3fe3d6fd9b763

  • SHA256

    c65baefaf8047a324638ae5f04d3a0a5557c02ff7e65d99ebd25754272bab2e0

  • SHA512

    a74874e3d909c71c0a458b940b37cece4ffea85af4ad34ec7421289a61eb547955333358e46c4be5ba38d93469226ae264cee2b0a26191c0b1be45a89beb8f33

  • SSDEEP

    49152:LvilL26AaNeWgPhlmVqvMQ7XSKh4RJ6HbR3LoGdafTHHB72eh2NT:LvaL26AaNeWgPhlmVqkQ7XSKh4RJ6Z

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

carolina-reverse.gl.at.ply.gg:34609

Mutex

255a7afd-a9a3-4b9f-b4bc-647ca1724a1a

Attributes
  • encryption_key

    524892BD8A433CE8E6A342E36737F573CEF5D252

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\smss.exe
    "C:\Users\Admin\AppData\Local\Temp\smss.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4384-0-0x00000000002E0000-0x0000000000604000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/4384-1-0x00007FF95A543000-0x00007FF95A544000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4384-2-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/4384-3-0x0000000000E70000-0x0000000000EC0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4384-4-0x000000001B910000-0x000000001B9C2000-memory.dmp
    Filesize

    712KB

    Download
  • memory/4384-7-0x0000000000E30000-0x0000000000E42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4384-8-0x000000001B080000-0x000000001B0BE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/4384-10-0x00007FF95A540000-0x00007FF95AF2C000-memory.dmp
    Filesize

    9.9MB

    Download