Overview

overview

10

Static

static

10

Client-built.exe

windows7-x64

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    69s
  • max time network
    71s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-06-2024 02:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.1MB

  • MD5

    d15aaa22eb03b31937925310c3d36411

  • SHA1

    45898e18f05d508753c7f051f671c21f4f3324e8

  • SHA256

    7c45872682181142c0baf0c738d36ffe0a466c39ea4be1a673b7304426a5606e

  • SHA512

    6127d1216c41ade025c98727a770d45e852978affa441eb45da108334b28c542e144157b070ec931440109d0890c843af305a29dc829bbc27a9d936df6ff982d

  • SSDEEP

    49152:uvbI22SsaNYfdPBldt698dBcjHlXsAdpiLoGdi5zTHHB72eh2NT:uvk22SsaNYfdPBldt6+dBcjHhsH

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

192.168.0.1:8096

Mutex

f897331a-e70c-4b37-9939-0865729f7475

Attributes
  • encryption_key

    1E5FEC53491F397A647C164995877CF2E1897DD5

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 10 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2764
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:5104
    • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3292
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4424
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.0.444226076\152344692" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e9f1f7f-0881-4eaf-9178-876c66664ee3} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 1848 1fbf1531758 gpu
        3⤵
          PID:1808
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.1.1223642733\1428713304" -parentBuildID 20230214051806 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {491e89f3-ceff-4b14-a0c3-e7ffb8b7fa63} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 2416 1fbe4689f58 socket
          3⤵
          • Checks processor information in registry
          PID:4024
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.2.788114771\1299258495" -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 2888 -prefsLen 22150 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fde170af-27a0-4c45-991c-f7daefa7f5d0} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 1644 1fbf3dfad58 tab
          3⤵
            PID:1984
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.3.1289860815\662564329" -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c6a472f3-549d-463c-8485-23bfd403c256} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 3660 1fbe467a258 tab
            3⤵
              PID:1364
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.4.1747588756\2068518042" -childID 3 -isForBrowser -prefsHandle 5200 -prefMapHandle 5196 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5706fee9-4653-4d37-81c3-d2848fe1fc32} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 5212 1fbf7e57758 tab
              3⤵
                PID:3244
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.5.1076254968\2074653786" -childID 4 -isForBrowser -prefsHandle 5356 -prefMapHandle 5360 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50286d8c-6eb1-460a-be28-7b8eda856d6c} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 5344 1fbf867c758 tab
                3⤵
                  PID:976
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2524.6.2105684516\1098736156" -childID 5 -isForBrowser -prefsHandle 5524 -prefMapHandle 5520 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1296 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45bddfa0-0631-45c4-b659-1f1a2e44efce} 2524 "\\.\pipe\gecko-crash-server-pipe.2524" 5568 1fbf867df58 tab
                  3⤵
                    PID:4432

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Scheduled Task/Job

              1
              T1053

              Scheduled Task

              1
              T1053.005

              Persistence

              Scheduled Task/Job

              1
              T1053

              Scheduled Task

              1
              T1053.005

              Privilege Escalation

              Scheduled Task/Job

              1
              T1053

              Scheduled Task

              1
              T1053.005

              Defense Evasion

              Credential Access

              Discovery

              System Information Discovery

              2
              T1082

              Query Registry

              2
              T1012

              Lateral Movement

              Collection

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s2p9ahae.default-release\activity-stream.discovery_stream.json.tmp
                Filesize

                27KB

                MD5

                cda461e65cca9c4a3a7ba981c2d25e54

                SHA1

                4f1d0d78b90a6ab0efaaad95fa2827d50f442475

                SHA256

                37ffdf3de4a4301b42a88c8f14e8ab56e350070f3728ff7df7236e01e47d9a4a

                SHA512

                302daf7bdabab9956e5ad68d7d540efdd5c9df422a37784e8305aa76cec4faaf5beabc64a27aa5bf582ee5e83858ac72af4afb86935c23fa2b7e496dd87cada8

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\prefs-1.js
                Filesize

                6KB

                MD5

                c042a8a57bd2e9b7a1066a86f090b14d

                SHA1

                389ed93481caa95ef4904246048f42733c5ce5df

                SHA256

                70fd594f8d3f3e7880435345ce3f38b92188da25512585d16218793a82134d41

                SHA512

                e38fb6ec15da982d6af51e17808b565f5e894ab04f7ac458db8bd6561d6ea0a2645b413194ea83f515bd7994960920e4a0c855e691a30adc46e0af99d2e5c0f4

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\prefs.js
                Filesize

                6KB

                MD5

                5ac40f59f743bcb7deb9208dc75369af

                SHA1

                c8dde6d7b64d6849b5a68ffde7423b4526ee4c90

                SHA256

                b9eb2246018e2b814e5f2f2c3e7753bb6f0cbabfd890af4a3803e41c06c36e89

                SHA512

                3f2e0123c207e4110cd2844393a2b7ff868ca5b280d025ad62e7eba82b573ceb18de31d6369275d62e3a2cee940bf1e94ae67479a048ee3aa34f253bd5eafeaa

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\s2p9ahae.default-release\sessionstore.jsonlz4
                Filesize

                903B

                MD5

                e6dc9a2c327428191759232cbdab4e09

                SHA1

                f19d640dcf641aea162b70b3ad89d48aeaf5a848

                SHA256

                10f56e64270f66630ab081459219c4e9bb42c0e05de8e780fbb382d99eaf9956

                SHA512

                4b7efe443a169bceb376103a037720d35ef6336c6975cf0f802c54355716e44309a1f6bdc7773da3904dcb7b85ba0d2217b560ed7068591948d7a62ec2bcdc96

                Download Submit
              • C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
                Filesize

                3.1MB

                MD5

                d15aaa22eb03b31937925310c3d36411

                SHA1

                45898e18f05d508753c7f051f671c21f4f3324e8

                SHA256

                7c45872682181142c0baf0c738d36ffe0a466c39ea4be1a673b7304426a5606e

                SHA512

                6127d1216c41ade025c98727a770d45e852978affa441eb45da108334b28c542e144157b070ec931440109d0890c843af305a29dc829bbc27a9d936df6ff982d

                Download Submit
              • memory/2764-9-0x00007FFB4CC90000-0x00007FFB4D751000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2764-0-0x00007FFB4CC93000-0x00007FFB4CC95000-memory.dmp
                Filesize

                8KB

                Download
              • memory/2764-2-0x00007FFB4CC90000-0x00007FFB4D751000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2764-1-0x0000000000C90000-0x0000000000FB4000-memory.dmp
                Filesize

                3.1MB

                Download
              • memory/3292-10-0x00007FFB4CC90000-0x00007FFB4D751000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3292-11-0x000000001C800000-0x000000001C850000-memory.dmp
                Filesize

                320KB

                Download
              • memory/3292-12-0x000000001C910000-0x000000001C9C2000-memory.dmp
                Filesize

                712KB

                Download
              • memory/3292-8-0x00007FFB4CC90000-0x00007FFB4D751000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3292-133-0x00007FFB4CC90000-0x00007FFB4D751000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3292-134-0x00007FFB4CC90000-0x00007FFB4D751000-memory.dmp
                Filesize

                10.8MB

                Download