Overview

overview

10

Static

static

10

Loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-06-2024 19:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    3.1MB

  • MD5

    daf9409eb0c42c801076c1eebc574c9f

  • SHA1

    18312de07c4f7bbc4181850b22d5195d17dd6e7b

  • SHA256

    215f5b71ce3863e06a15912c7c50435e47b7e371d4d5b0aa91141757978ed2ea

  • SHA512

    ef067f9fc07c5a9c100c8dc804cd09492fdeeb4821c939078db1a848b712229e26c5e005851518b31528bf733c27c1d19d9fe6c374fc37a597055c591e09dfd2

  • SSDEEP

    49152:zv0uf2NUaNmwzPWlvdaKM7ZxTwCeRJ6FbR3LoGdaTHHB72eh2NT:zvjf2NUaNmwzPWlvdaB7ZxTwCeRJ6X

Score
10/10
quasaroffice04spywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

C2

history-foo.gl.at.ply.gg:42349

Mutex

51fe5088-4e6f-43ea-a53f-ed49150587aa324254r4r3weff4f45r3ewwtrfrt

Attributes
  • encryption_key

    CBFC5D217E55BEBDCD3A6EFA924299F76BC328D9

  • install_name

    Client.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Update

  • subdirectory

    SubDir

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4128
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /delete /tn "Update" /f
      2⤵
        PID:1508
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kTB11v1eT00V.bat" "
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1920
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:3224
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:1264

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Credential Access

      Discovery

      Query Registry

      2
      T1012

      System Information Discovery

      2
      T1082

      Remote System Discovery

      1
      T1018

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\kTB11v1eT00V.bat
        Filesize

        207B

        MD5

        0acadcf2991512029ddfed66af7e9024

        SHA1

        41882b6df340db0dc970182f9a7f279950c6d85d

        SHA256

        4743603294bc3aa630c888abb81a6dca8963e025142c56ed44d4f48b74996e0d

        SHA512

        823bc041307f92ca13fc97e9dc2516187645e09ad31852a255172b77c0bb71db411145796a5afeb31d9d5f290c79f457e6d1830ce4973d27cdc18f2a6116150f

        Download Submit
      • memory/5036-0-0x00007FF942E73000-0x00007FF942E75000-memory.dmp
        Filesize

        8KB

        Download
      • memory/5036-1-0x0000000000780000-0x0000000000AA4000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/5036-2-0x00007FF942E70000-0x00007FF943931000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/5036-3-0x000000001B800000-0x000000001B850000-memory.dmp
        Filesize

        320KB

        Download
      • memory/5036-4-0x000000001BF40000-0x000000001BFF2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/5036-7-0x000000001BEE0000-0x000000001BEF2000-memory.dmp
        Filesize

        72KB

        Download
      • memory/5036-8-0x000000001C640000-0x000000001C67C000-memory.dmp
        Filesize

        240KB

        Download
      • memory/5036-13-0x00007FF942E70000-0x00007FF943931000-memory.dmp
        Filesize

        10.8MB

        Download