quasar | 4dcc4adaa8c709d9db205c7267ec6da26930c0420aa54a77fed6217a9e6fdb98

Resubmissions

17-06-2021 13:06

210617-e9xpw8561s 10

14-06-2021 16:02

210614-ntxhahdk2n 10

Analysis

max time kernel
130s
max time network
149s
platform
windows10_x64
resource
win10v20210410
submitted
14-06-2021 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCUMENT.EXE
Size

1.1MB
MD5

53964b6a40bfe2b10d36ba5e3d52966a
SHA1

b459111cfb08fb42238e8421583cea226226e769
SHA256

4dcc4adaa8c709d9db205c7267ec6da26930c0420aa54a77fed6217a9e6fdb98
SHA512

03847f73a33a43bf84666db4a70167506d17b567f404098fd5237b704d30d1b35d7d50d2812a1f5c1b735bf13b915a448e3be9f8af9c3cc253f8ae6eacc3fea8

Score

10^/10

quasar spyware trojan

Malware Config

Signatures

Quasar Payload 2 IoCs

resource	yara_rule
behavioral2/memory/4116-126-0x000000000045819E-mapping.dmp	family_quasar
behavioral2/memory/4116-125-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4444 set thread context of 4116	4444	DOCUMENT.EXE	79

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4116	DOCUMENT.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4116	DOCUMENT.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 4116	4444	DOCUMENT.EXE	79
PID 4444 wrote to memory of 4116	4444	DOCUMENT.EXE	79
PID 4444 wrote to memory of 4116	4444	DOCUMENT.EXE	79
PID 4444 wrote to memory of 4116	4444	DOCUMENT.EXE	79
PID 4444 wrote to memory of 4116	4444	DOCUMENT.EXE	79
PID 4444 wrote to memory of 4116	4444	DOCUMENT.EXE	79
PID 4444 wrote to memory of 4116	4444	DOCUMENT.EXE	79
PID 4444 wrote to memory of 4116	4444	DOCUMENT.EXE	79

C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
"C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE
  "C:\Users\Admin\AppData\Local\Temp\DOCUMENT.EXE"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4116-135-0x0000000006350000-0x0000000006351000-memory.dmp

Filesize
4KB

Download
memory/4116-134-0x0000000005E20000-0x0000000005E21000-memory.dmp

Filesize
4KB

Download
memory/4116-133-0x00000000052E0000-0x00000000052E1000-memory.dmp

Filesize
4KB

Download
memory/4116-132-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/4116-125-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4444-119-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/4444-123-0x00000000060D0000-0x000000000617D000-memory.dmp

Filesize
692KB

Download
memory/4444-124-0x0000000008640000-0x00000000086BA000-memory.dmp

Filesize
488KB

Download
memory/4444-122-0x00000000051E0000-0x000000000527C000-memory.dmp

Filesize
624KB

Download
memory/4444-121-0x0000000005370000-0x000000000538E000-memory.dmp

Filesize
120KB

Download
memory/4444-120-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/4444-114-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4444-118-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/4444-117-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/4444-116-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download