Overview

overview

10

Static

static

10

Client-built.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    13s
  • max time network
    21s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 00:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Client-built.exe

  • Size

    3.3MB

  • MD5

    d5228d8272c425d9aa1af3a1ab93d9fd

  • SHA1

    f88b9a56ed8377a277a8a6b7b09d01779824fae8

  • SHA256

    f1512bfeff65f189db2ba206fe9b51764b67e60526c3d1c0482feff63a4fa95b

  • SHA512

    d92d45cc8ac140e7581d743a365e2a943a983e83195f5e363ebf72ab7ba98a772099103bdb2909728cd65e4262d5505e55e795b1a00bdfb9c8d9df9c852e8741

  • SSDEEP

    49152:0v8go2QSaNpzyPllgamb0CZof/JZXxNESEuk/iWLoGdqITHHB72eh2NT:0vNo2QSaNpzyPllgamYCZof/JBxdY6

Score
10/10
quasarfajnygoscspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

FajnyGosc

C2

none-vocals.gl.at.ply.gg:47745

none-vocals.gl.at.ply.gg:2137

147.185.221.17:2137

147.185.221.17:47745
Mutex

a43b504c-d3c0-453a-96d2-1e0097cafb65

Attributes
  • encryption_key

    AD8872181A3CA4A71BFAE37CA853D97218D094EE

  • install_name

    NewCheats.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Miicrosoft Security

  • subdirectory

    Miicrosoft Security

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Miicrosoft Security" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Security\NewCheats.exe" /rl HIGHEST /f
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1676
    • C:\Program Files\Miicrosoft Security\NewCheats.exe
      "C:\Program Files\Miicrosoft Security\NewCheats.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Miicrosoft Security" /sc ONLOGON /tr "C:\Program Files\Miicrosoft Security\NewCheats.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4600
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BO2GwlJGBHlf.bat" "
        3⤵
          PID:1668
          • C:\Windows\system32\chcp.com
            chcp 65001
            4⤵
              PID:1900
            • C:\Windows\system32\PING.EXE
              ping -n 10 localhost
              4⤵
              • Runs ping.exe
              PID:3240

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Credential Access

      Discovery

      Remote System Discovery

      1
      T1018

      Query Registry

      1
      T1012

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Miicrosoft Security\NewCheats.exe
        Filesize

        3.3MB

        MD5

        d5228d8272c425d9aa1af3a1ab93d9fd

        SHA1

        f88b9a56ed8377a277a8a6b7b09d01779824fae8

        SHA256

        f1512bfeff65f189db2ba206fe9b51764b67e60526c3d1c0482feff63a4fa95b

        SHA512

        d92d45cc8ac140e7581d743a365e2a943a983e83195f5e363ebf72ab7ba98a772099103bdb2909728cd65e4262d5505e55e795b1a00bdfb9c8d9df9c852e8741

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\BO2GwlJGBHlf.bat
        Filesize

        209B

        MD5

        2ae8b3b89b7346e491acc6bbdf3ef67c

        SHA1

        ac2bb7a0f4f5d679760d929af03b211a6ed9fd0d

        SHA256

        2c27e04caabfbc5831401adaeb814d604ba98690ab2b3c7cc1b83805ba0c8b21

        SHA512

        ac6e346c7c517c88149c058de85e1a3c71ab3613a4bee7eca43d94d93ff2278352771512e54b69bc25af84d7b151598335c24aed12053686748e146a423397f8

        Download Submit
      • memory/2168-10-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2168-11-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/2168-13-0x000000001DC40000-0x000000001DCF2000-memory.dmp
        Filesize

        712KB

        Download
      • memory/2168-12-0x000000001BC70000-0x000000001BCC0000-memory.dmp
        Filesize

        320KB

        Download
      • memory/2168-18-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4548-1-0x0000000000630000-0x000000000097E000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4548-0-0x00007FFDAE393000-0x00007FFDAE395000-memory.dmp
        Filesize

        8KB

        Download
      • memory/4548-2-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/4548-9-0x00007FFDAE390000-0x00007FFDAEE51000-memory.dmp
        Filesize

        10.8MB

        Download