Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
01-07-2024 04:48
General
-
Target
f8fb11582d89eceb099be971266172a0bc9033d350d5343f09436063adfb3ad7.exe
-
Size
3.2MB
-
MD5
e9ed2adca7e63a58d0895179fc1e121f
-
SHA1
ae23767acd8d4a88b7c69d84e4df5f9733653662
-
SHA256
f8fb11582d89eceb099be971266172a0bc9033d350d5343f09436063adfb3ad7
-
SHA512
7fc5de0e2d85c85592ff935faa5ffa10e33615c8b2d274d28c322764706c2847ee40a9f15c3867cf278981fe2ac3778cbb9b3bd400f6c4064691f9c7c9ff51b0
-
SSDEEP
98304:visDo5sRzG+RVgbtHSB2MqlcY+kd4204+N1o:6uRq+8btHSdA/N
Score
10/10
Malware Config
Extracted
Family
quasar
Version
1.4.1
Botnet
Stereo
C2
nickhill112-30910.portmap.host:30910
Mutex
c93b672f-8b8c-48b8-a712-e952d64b741a
Attributes
-
encryption_key
985DB7D034DB1B5D52F524873569DDDE4080F31C
-
install_name
Stereo.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
update.exe
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 5 IoCs
-
Detects .NET executables utilizing NyanX-CAT C# Loader 6 IoCs
-
Detects Windows executables referencing non-Windows User-Agents 5 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
-
Detects executables containing common artifacts observed in infostealers 5 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f8fb11582d89eceb099be971266172a0bc9033d350d5343f09436063adfb3ad7.exe"C:\Users\Admin\AppData\Local\Temp\f8fb11582d89eceb099be971266172a0bc9033d350d5343f09436063adfb3ad7.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks" /create /tn "update.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Stereo.exe" /rl HIGHEST /f4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Roaming\SubDir\Stereo.exe"C:\Users\Admin\AppData\Roaming\SubDir\Stereo.exe"4⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\SubDir\Stereo.exeFilesize
63KB
MD5b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA2566e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
-
memory/2276-45-0x00000000013B0000-0x00000000013C2000-memory.dmpFilesize
72KB
-
memory/2476-0-0x0000000074B6E000-0x0000000074B6F000-memory.dmpFilesize
4KB
-
memory/2476-1-0x0000000000EA0000-0x00000000011D6000-memory.dmpFilesize
3.2MB
-
memory/2476-2-0x0000000074B60000-0x000000007524E000-memory.dmpFilesize
6.9MB
-
memory/2476-3-0x0000000074B60000-0x000000007524E000-memory.dmpFilesize
6.9MB
-
memory/2476-4-0x0000000005120000-0x000000000544E000-memory.dmpFilesize
3.2MB
-
memory/2476-22-0x0000000074B60000-0x000000007524E000-memory.dmpFilesize
6.9MB
-
memory/2512-20-0x0000000000400000-0x000000000072C000-memory.dmpFilesize
3.2MB
-
memory/2512-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2512-12-0x0000000000400000-0x000000000072C000-memory.dmpFilesize
3.2MB
-
memory/2512-11-0x0000000000400000-0x000000000072C000-memory.dmpFilesize
3.2MB
-
memory/2512-10-0x0000000000400000-0x000000000072C000-memory.dmpFilesize
3.2MB
-
memory/2512-9-0x0000000000400000-0x000000000072C000-memory.dmpFilesize
3.2MB
-
memory/2512-24-0x0000000004F20000-0x000000000524A000-memory.dmpFilesize
3.2MB
-
memory/2512-17-0x0000000000400000-0x000000000072C000-memory.dmpFilesize
3.2MB
-
memory/2512-15-0x0000000000400000-0x000000000072C000-memory.dmpFilesize
3.2MB
-
memory/2608-21-0x000000006F960000-0x000000006FF0B000-memory.dmpFilesize
5.7MB
-
memory/2608-23-0x000000006F960000-0x000000006FF0B000-memory.dmpFilesize
5.7MB
-
memory/2608-8-0x000000006F961000-0x000000006F962000-memory.dmpFilesize
4KB
-
memory/2760-25-0x0000000000400000-0x0000000000726000-memory.dmpFilesize
3.1MB
-
memory/2760-30-0x0000000000400000-0x0000000000726000-memory.dmpFilesize
3.1MB
-
memory/2760-34-0x0000000000400000-0x0000000000726000-memory.dmpFilesize
3.1MB
-
memory/2760-35-0x0000000000400000-0x0000000000726000-memory.dmpFilesize
3.1MB
-
memory/2760-31-0x0000000000400000-0x0000000000726000-memory.dmpFilesize
3.1MB
-
memory/2760-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2760-37-0x0000000000400000-0x0000000000726000-memory.dmpFilesize
3.1MB
-
memory/2760-27-0x0000000000400000-0x0000000000726000-memory.dmpFilesize
3.1MB