Overview

overview

10

Static

static

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1182s
  • max time network
    1198s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-06-2024 01:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    b018c0668393c4dacd6762427a6e44b1

  • SHA1

    18060acb5dcf4794033eeb9840a30eb9a3ec1a7d

  • SHA256

    4e1d105b9086b1dc86ad06aa3e2653d9f5f34e127bd07889dc63262b6b99bd0f

  • SHA512

    cc94294aff5677618e4c1a62c2b08e3deb5f17e1bf4d0907ae8f22d4c34e3762da33d4d40e69e93c3c954a9c18d955c409bac1b5b89482376b39e4a20682a25c

  • SSDEEP

    49152:DvrI22SsaNYfdPBldt698dBcjHjOLVrnMfG3oGdNTHHB72eh2NT:DvU22SsaNYfdPBldt6+dBcjHjQVrl

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.100.103:4782

Mutex

57e04f96-6972-408c-aaf5-69b9178499bb

Attributes
  • encryption_key

    7418B88D83825E6FE1BDFAC1C4F00C0BCC5250AC

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3372
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1500
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:5064
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4484

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Filesize

    3.1MB

    MD5

    b018c0668393c4dacd6762427a6e44b1

    SHA1

    18060acb5dcf4794033eeb9840a30eb9a3ec1a7d

    SHA256

    4e1d105b9086b1dc86ad06aa3e2653d9f5f34e127bd07889dc63262b6b99bd0f

    SHA512

    cc94294aff5677618e4c1a62c2b08e3deb5f17e1bf4d0907ae8f22d4c34e3762da33d4d40e69e93c3c954a9c18d955c409bac1b5b89482376b39e4a20682a25c

    Download Submit
  • memory/3372-0-0x00007FFEE9033000-0x00007FFEE9035000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3372-1-0x00000000002B0000-0x00000000005D4000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/3372-2-0x00007FFEE9030000-0x00007FFEE9AF1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3372-9-0x00007FFEE9030000-0x00007FFEE9AF1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5064-10-0x00007FFEE9030000-0x00007FFEE9AF1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5064-11-0x00007FFEE9030000-0x00007FFEE9AF1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/5064-12-0x000000001D660000-0x000000001D6B0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/5064-13-0x000000001D770000-0x000000001D822000-memory.dmp
    Filesize

    712KB

    Download
  • memory/5064-14-0x00007FFEE9030000-0x00007FFEE9AF1000-memory.dmp
    Filesize

    10.8MB

    Download