quasar | 7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
22/11/2022, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40.exe
Size

502KB
MD5

16db55265ceb495867c35c68a1b672ab
SHA1

1b18cb285e91c3f9c78f4f3a18a8baf5df6b6fc4
SHA256

7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40
SHA512

bc4dde6ef69c606753d05fd303b0385d5dec303ce2b399de37e29dd2c085c53e47309381f34b503f87d27a66420c1c21ba8c98c81490c3614f679b8bfc034a6d
SSDEEP

6144:MTEgdc0Y5ebGbXOsA6j1RdhQA3CpXJ9J6jFivvvcE6Ob8F9ogRXOc0UblHcTR36:MTEgdfYhA6bGqKKpNeYlHcd6

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

eggsbenedict.onthewifi.com:2448

Mutex

047fff9d-5ae7-4a17-a172-45ccd40ba62f

Attributes

encryption_key
28D26D97888ABDC848F4C65C4EE630CCEF1C1B67
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 12 IoCs

resource	yara_rule
behavioral1/memory/1212-54-0x00000000011B0000-0x0000000001234000-memory.dmp	family_quasar
behavioral1/files/0x0009000000012722-57.dat	family_quasar
behavioral1/files/0x0009000000012722-58.dat	family_quasar
behavioral1/memory/1524-59-0x0000000000DF0000-0x0000000000E74000-memory.dmp	family_quasar
behavioral1/files/0x0009000000012722-66.dat	family_quasar
behavioral1/memory/1484-67-0x00000000001A0000-0x0000000000224000-memory.dmp	family_quasar
behavioral1/files/0x0009000000012722-74.dat	family_quasar
behavioral1/memory/432-75-0x0000000000210000-0x0000000000294000-memory.dmp	family_quasar
behavioral1/files/0x0009000000012722-82.dat	family_quasar
behavioral1/memory/1468-83-0x0000000000960000-0x00000000009E4000-memory.dmp	family_quasar
behavioral1/files/0x0009000000012722-90.dat	family_quasar
behavioral1/memory/268-91-0x0000000000AB0000-0x0000000000B34000-memory.dmp	family_quasar

Executes dropped EXE 5 IoCs

pid	Process
1524	Client.exe
1484	Client.exe
432	Client.exe
1468	Client.exe
268	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
1104	PING.EXE
540	PING.EXE
1684	PING.EXE
1128	PING.EXE
960	PING.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40.exe
Token: SeDebugPrivilege	1524	Client.exe
Token: SeDebugPrivilege	1484	Client.exe
Token: SeDebugPrivilege	432	Client.exe
Token: SeDebugPrivilege	1468	Client.exe
Token: SeDebugPrivilege	268	Client.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1524	Client.exe
1484	Client.exe
432	Client.exe
1468	Client.exe
268	Client.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1524	Client.exe
1484	Client.exe
432	Client.exe
1468	Client.exe
268	Client.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1524	1212	7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40.exe	28
PID 1212 wrote to memory of 1524	1212	7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40.exe	28
PID 1212 wrote to memory of 1524	1212	7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40.exe	28
PID 1524 wrote to memory of 1496	1524	Client.exe	29
PID 1524 wrote to memory of 1496	1524	Client.exe	29
PID 1524 wrote to memory of 1496	1524	Client.exe	29
PID 1496 wrote to memory of 1020	1496	cmd.exe	31
PID 1496 wrote to memory of 1020	1496	cmd.exe	31
PID 1496 wrote to memory of 1020	1496	cmd.exe	31
PID 1496 wrote to memory of 1104	1496	cmd.exe	32
PID 1496 wrote to memory of 1104	1496	cmd.exe	32
PID 1496 wrote to memory of 1104	1496	cmd.exe	32
PID 1496 wrote to memory of 1484	1496	cmd.exe	33
PID 1496 wrote to memory of 1484	1496	cmd.exe	33
PID 1496 wrote to memory of 1484	1496	cmd.exe	33
PID 1484 wrote to memory of 1812	1484	Client.exe	34
PID 1484 wrote to memory of 1812	1484	Client.exe	34
PID 1484 wrote to memory of 1812	1484	Client.exe	34
PID 1812 wrote to memory of 528	1812	cmd.exe	36
PID 1812 wrote to memory of 528	1812	cmd.exe	36
PID 1812 wrote to memory of 528	1812	cmd.exe	36
PID 1812 wrote to memory of 540	1812	cmd.exe	37
PID 1812 wrote to memory of 540	1812	cmd.exe	37
PID 1812 wrote to memory of 540	1812	cmd.exe	37
PID 1812 wrote to memory of 432	1812	cmd.exe	38
PID 1812 wrote to memory of 432	1812	cmd.exe	38
PID 1812 wrote to memory of 432	1812	cmd.exe	38
PID 432 wrote to memory of 1144	432	Client.exe	39
PID 432 wrote to memory of 1144	432	Client.exe	39
PID 432 wrote to memory of 1144	432	Client.exe	39
PID 1144 wrote to memory of 1756	1144	cmd.exe	41
PID 1144 wrote to memory of 1756	1144	cmd.exe	41
PID 1144 wrote to memory of 1756	1144	cmd.exe	41
PID 1144 wrote to memory of 1684	1144	cmd.exe	42
PID 1144 wrote to memory of 1684	1144	cmd.exe	42
PID 1144 wrote to memory of 1684	1144	cmd.exe	42
PID 1144 wrote to memory of 1468	1144	cmd.exe	43
PID 1144 wrote to memory of 1468	1144	cmd.exe	43
PID 1144 wrote to memory of 1468	1144	cmd.exe	43
PID 1468 wrote to memory of 1740	1468	Client.exe	44
PID 1468 wrote to memory of 1740	1468	Client.exe	44
PID 1468 wrote to memory of 1740	1468	Client.exe	44
PID 1740 wrote to memory of 1036	1740	cmd.exe	46
PID 1740 wrote to memory of 1036	1740	cmd.exe	46
PID 1740 wrote to memory of 1036	1740	cmd.exe	46
PID 1740 wrote to memory of 1128	1740	cmd.exe	47
PID 1740 wrote to memory of 1128	1740	cmd.exe	47
PID 1740 wrote to memory of 1128	1740	cmd.exe	47
PID 1740 wrote to memory of 268	1740	cmd.exe	48
PID 1740 wrote to memory of 268	1740	cmd.exe	48
PID 1740 wrote to memory of 268	1740	cmd.exe	48
PID 268 wrote to memory of 1060	268	Client.exe	50
PID 268 wrote to memory of 1060	268	Client.exe	50
PID 268 wrote to memory of 1060	268	Client.exe	50
PID 1060 wrote to memory of 1624	1060	cmd.exe	51
PID 1060 wrote to memory of 1624	1060	cmd.exe	51
PID 1060 wrote to memory of 1624	1060	cmd.exe	51
PID 1060 wrote to memory of 960	1060	cmd.exe	52
PID 1060 wrote to memory of 960	1060	cmd.exe	52
PID 1060 wrote to memory of 960	1060	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40.exe
"C:\Users\Admin\AppData\Local\Temp\7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\vaN5MaqHBBfT.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1020
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      Runs ping.exe
      PID:1104
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\IKQVMvDOeg3l.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:528
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:540
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\LMh3F4ynJwIs.bat" "
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:1756
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:1684
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\ieW3ZrtjcokB.bat" "
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        Runs ping.exe
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\YQv2k6Q4lojz.bat" "
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        Runs ping.exe
        
        PID:960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IKQVMvDOeg3l.bat

Filesize
207B

MD5
16dd3b67176bb54da8ca066b502d3026

SHA1
e23fe5ed57cbd366ca6752ec7a42a7f1ee268255

SHA256
47ad11c37ea77d48291b7d800f7484828471ede609f314cf08c2b7b3d2220df9

SHA512
6617d3b46c0303603c02084fb2d796c74ae12e696e65d5ba5611d64b85ecb2d8c1d0c36f429ce0ab3b7f5a2a783fdbf73e6fd6e4568ee710dc701650b3aa622e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LMh3F4ynJwIs.bat

Filesize
207B

MD5
55212df7cbe967dd3941d0c96694c9bc

SHA1
cd25db73f78fd09487affdd62db93dd39326dfec

SHA256
abcae2a8f9e428dae2c5069f929517ea3923d60d53d2cabf3fff579ae05441e2

SHA512
f65c85e9226fdcd31172b65508af28e9c37e75da46c839f912d74ff8b98ff9c3eb2accf0e7fab162fb34b97c1eaf9402fbe019eac27fd837ad9fd5f5a4892950

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQv2k6Q4lojz.bat

Filesize
207B

MD5
d266817d904ae0499eeb60d245da0a5a

SHA1
a4b59f8d4ab0c138863f710e56b044f6e5bc9b7a

SHA256
41c1579be323790a033eb70f86311a9f12d1ab43eee55e0bdd6a864e6c9243f4

SHA512
44fb9a2dd73029808801a618e7af269863297434a5c9648c35f852f728eba70f429735f5690fdc8e48734a89a05fabe5740802f937604e393380556b06acc6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ieW3ZrtjcokB.bat

Filesize
207B

MD5
1b8577014fc1a82bd121c35cefa7d23e

SHA1
f21cd58cf6b4245ea3517055e2433642f440dbad

SHA256
41b43ccaea53d0c0eaf35d0f36d0ff27e18effabd3cf36e749b8b712376e90c6

SHA512
daf729f2b6773d87de83606aad8e60c7776e989286eef07c613408b4e96ad5c7f30b9acb2197a6fc86dbb4283551a2bd2097b0dcc5b95842d77bb71f50c2d6d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vaN5MaqHBBfT.bat

Filesize
207B

MD5
282ce27fd4609331c3a12fb1612ab241

SHA1
f7b60573bfd1904060127a91fd489f297b58ef26

SHA256
97f3a2825399243f3d2e7632b54726399b789df2ec9002d20841ffe335ffb52a

SHA512
f6cf5f8ce5e3e3f562b6ff8f46fb20cd15abbabc779c86f973a6ec907fc30816148cf270ae2bd1d2e2bee1b70847ddb02a68eea773c24353781b2f065073a1c3

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
502KB

MD5
16db55265ceb495867c35c68a1b672ab

SHA1
1b18cb285e91c3f9c78f4f3a18a8baf5df6b6fc4

SHA256
7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40

SHA512
bc4dde6ef69c606753d05fd303b0385d5dec303ce2b399de37e29dd2c085c53e47309381f34b503f87d27a66420c1c21ba8c98c81490c3614f679b8bfc034a6d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
502KB

MD5
16db55265ceb495867c35c68a1b672ab

SHA1
1b18cb285e91c3f9c78f4f3a18a8baf5df6b6fc4

SHA256
7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40

SHA512
bc4dde6ef69c606753d05fd303b0385d5dec303ce2b399de37e29dd2c085c53e47309381f34b503f87d27a66420c1c21ba8c98c81490c3614f679b8bfc034a6d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
502KB

MD5
16db55265ceb495867c35c68a1b672ab

SHA1
1b18cb285e91c3f9c78f4f3a18a8baf5df6b6fc4

SHA256
7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40

SHA512
bc4dde6ef69c606753d05fd303b0385d5dec303ce2b399de37e29dd2c085c53e47309381f34b503f87d27a66420c1c21ba8c98c81490c3614f679b8bfc034a6d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
502KB

MD5
16db55265ceb495867c35c68a1b672ab

SHA1
1b18cb285e91c3f9c78f4f3a18a8baf5df6b6fc4

SHA256
7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40

SHA512
bc4dde6ef69c606753d05fd303b0385d5dec303ce2b399de37e29dd2c085c53e47309381f34b503f87d27a66420c1c21ba8c98c81490c3614f679b8bfc034a6d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
502KB

MD5
16db55265ceb495867c35c68a1b672ab

SHA1
1b18cb285e91c3f9c78f4f3a18a8baf5df6b6fc4

SHA256
7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40

SHA512
bc4dde6ef69c606753d05fd303b0385d5dec303ce2b399de37e29dd2c085c53e47309381f34b503f87d27a66420c1c21ba8c98c81490c3614f679b8bfc034a6d

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
502KB

MD5
16db55265ceb495867c35c68a1b672ab

SHA1
1b18cb285e91c3f9c78f4f3a18a8baf5df6b6fc4

SHA256
7697ebe5ea4766b1653f58aa24327679b35fa917877568238ac306a913289b40

SHA512
bc4dde6ef69c606753d05fd303b0385d5dec303ce2b399de37e29dd2c085c53e47309381f34b503f87d27a66420c1c21ba8c98c81490c3614f679b8bfc034a6d

Download Submit
memory/268-91-0x0000000000AB0000-0x0000000000B34000-memory.dmp

Filesize
528KB

Download
memory/432-75-0x0000000000210000-0x0000000000294000-memory.dmp

Filesize
528KB

Download
memory/1212-55-0x000007FEFC071000-0x000007FEFC073000-memory.dmp

Filesize
8KB

Download
memory/1212-54-0x00000000011B0000-0x0000000001234000-memory.dmp

Filesize
528KB

Download
memory/1468-83-0x0000000000960000-0x00000000009E4000-memory.dmp

Filesize
528KB

Download
memory/1484-67-0x00000000001A0000-0x0000000000224000-memory.dmp

Filesize
528KB

Download
memory/1524-59-0x0000000000DF0000-0x0000000000E74000-memory.dmp

Filesize
528KB

Download