quasar | 39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065

Analysis

max time kernel
69s
max time network
47s
platform
windows7_x64
resource
win7-20220414-en
submitted
11-05-2022 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
Size

488KB
MD5

33ce258b07afea582cc317a398b8770c
SHA1

9a81235b698e5477847280626b729f5347ed2585
SHA256

39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065
SHA512

4fbd58e79881313b8c29ccafd9ef7c479e9bbc427869a44981bc4077bd81ed1532c5bcb679e8973470833e18dc5c81a54c69d958030f31f053e92f35a6d2ad66

Score

10^/10

quasar spyware trojan

Malware Config

Extracted

Family

quasar

Attributes

encryption_key
install_name
log_directory
reconnect_delay
3000
startup_key
subdirectory

Signatures

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/memory/1596-56-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1596-58-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def
behavioral1/memory/1596-66-0x0000000000400000-0x00000000004A9000-memory.dmp	disable_win_def

Quasar Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1596-56-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1596-58-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar
behavioral1/memory/1596-66-0x0000000000400000-0x00000000004A9000-memory.dmp	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1996	1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe	28
PID 1596 wrote to memory of 1996	1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe	28
PID 1596 wrote to memory of 1996	1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe	28
PID 1596 wrote to memory of 1996	1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe	28
PID 1596 wrote to memory of 1996	1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe	28
PID 1596 wrote to memory of 1996	1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe	28
PID 1596 wrote to memory of 1996	1596	39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe	28

C:\Users\Admin\AppData\Local\Temp\39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe
"C:\Users\Admin\AppData\Local\Temp\39f9d2856a3b52e03ecb1c72605afcd0fce0bf5bacc047a0d7d07e8e9edc2065.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1596
- \??\c:\windows\SysWOW64\cmstp.exe
  "c:\windows\system32\cmstp.exe" /au C:\Windows\temp\11pn4yhq.inf
  2⤵
  PID:1996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\temp\11pn4yhq.inf

Filesize
606B

MD5
cc02a4f85e2fdbfe5ecb670c0e44d57e

SHA1
80bfa50636b80e99983c53292a686090d47ddfe4

SHA256
c3331ace5f29225ad436a6fcd4a24496563bd8b29371d4fb25699cdf51399664

SHA512
58928b7d9b7347ed77c6296b231f3c95d56ad2e040a2f300aa6cfcbf2e09254de1bd575f2dab389a5b72e036ecbaee6bcab5c2c685e070ecf6ad94dd823d751d

Download Submit
memory/1596-63-0x00000000772D0000-0x0000000077317000-memory.dmp

Filesize
284KB

Download
memory/1596-65-0x0000000076CE0000-0x0000000076E3C000-memory.dmp

Filesize
1.4MB

Download
memory/1596-57-0x00000000003A0000-0x00000000003E7000-memory.dmp

Filesize
284KB

Download
memory/1596-58-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1596-60-0x00000000757E0000-0x000000007588C000-memory.dmp

Filesize
688KB

Download
memory/1596-61-0x00000000772D0000-0x0000000077317000-memory.dmp

Filesize
284KB

Download
memory/1596-56-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1596-54-0x0000000075C51000-0x0000000075C53000-memory.dmp

Filesize
8KB

Download
memory/1596-62-0x0000000076C30000-0x0000000076C87000-memory.dmp

Filesize
348KB

Download
memory/1596-66-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/1596-67-0x00000000768A0000-0x000000007692F000-memory.dmp

Filesize
572KB

Download
memory/1596-69-0x0000000075C50000-0x000000007689A000-memory.dmp

Filesize
12.3MB

Download
memory/1596-73-0x0000000004D35000-0x0000000004D46000-memory.dmp

Filesize
68KB

Download
memory/1596-55-0x0000000075550000-0x000000007559A000-memory.dmp

Filesize
296KB

Download