Analysis
-
max time kernel
48s -
max time network
40s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
-
submitted
02-07-2024 17:34
General
-
Target
bound.exe
-
Size
348KB
-
MD5
0ae23c1f2280f21b756d59c3590f1f9e
-
SHA1
b2f42f4f3cc053a41c2c5a4b981e3951ece66632
-
SHA256
e2ccf4d25499df5ed69b0b1a8d78c159c6873a86bfe8b3e07eae41516b3d6709
-
SHA512
5989bd7704a9f7cfb608d347f2c4ad262165f093078a55675418953b81a1346a80fb8c61031b8a2ed6d8548376691b1f2d8e076b0d77964d17178292d931aae2
-
SSDEEP
6144:nm2NHXf500MCB/7JWQ7vVjvVDpGbMODP43YxpG+kN8/xM/y:Nd5089W8pMDPZxJ085uy
Malware Config
Extracted
quasar
1.3.0.0
NEW
hanezack.ddns.net:1005
QSR_MUTEX_pnKSaWFUwQX1pUWVc9
-
encryption_key
dFDp0i8Pk4OpqeTcstEK
-
install_name
Client.exe
-
log_directory
Logs
-
reconnect_delay
3000
-
startup_key
Quasar Client Startup
-
subdirectory
SubDir
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 1 IoCs
-
Deletes itself 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bound.exe"C:\Users\Admin\AppData\Local\Temp\bound.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\12a65O83u0Rb.bat" "2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\PING.EXEping -n 10 localhost3⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\12a65O83u0Rb.batFilesize
257B
MD58683ea09aee1d7a56a06c46e1d8144a7
SHA10912520fd9d16e6514f23920d26af071766e650e
SHA256cc7e1b8463385e328cb5892cf4be88873d5155eb9a25c480fa55f6b40589b73c
SHA512df833c7dc8076f833a5c461fce928b49193b359403eb86b6645f5ec622dd34beec4e55ef8da3a6a5cc2081793fe47e48ebe06ae7fd87fd68978a19ff6c3f05c0
-
C:\Users\Admin\AppData\Roaming\Logs\07-02-~1Filesize
224B
MD5400614406d464d9db2ac2df8c36e013a
SHA1575624fb44150324e78ee114dc90d2ff47110176
SHA2568abcc4293f2b33bdde6504dd1ce04345a3a08f3875f7b5ec4def2d03797fe5f2
SHA512eb3ec09ae61e9215a6d522e0cb3e00b33b2df255f562e29d17da0af930cf3898c920465f0dd508cfa15bf9f871e4df21607e31cbcc857309e7b436b6118cdf89
-
memory/2344-0-0x000000007476E000-0x000000007476F000-memory.dmpFilesize
4KB
-
memory/2344-1-0x0000000000B60000-0x0000000000BBE000-memory.dmpFilesize
376KB
-
memory/2344-2-0x0000000074760000-0x0000000074E4E000-memory.dmpFilesize
6.9MB
-
memory/2344-4-0x000000007476E000-0x000000007476F000-memory.dmpFilesize
4KB
-
memory/2344-5-0x0000000074760000-0x0000000074E4E000-memory.dmpFilesize
6.9MB
-
memory/2344-15-0x0000000074760000-0x0000000074E4E000-memory.dmpFilesize
6.9MB