Malware Analysis Report

2025-04-14 05:07

Sample ID 221228-2z5ahabh45
Target Shut.exe
SHA256 fc6402f6df918d0307ea6e033afebf90fde69ca6b74dc6af4d97423d00518c45
Tags office04 quasar spyware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 fc6402f6df918d0307ea6e033afebf90fde69ca6b74dc6af4d97423d00518c45

Threat Level: Known bad

The file Shut.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar payload

Quasar family

Quasar RAT

Executes dropped EXE

Looks up external IP address via web service

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-12-28 23:02

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-28 23:02

Reported

2022-12-28 23:04

Platform

win7-20220812-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Shut.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\D3SD\explorer.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\D3SD\explorer.exe | C:\Windows\system32\D3SD\explorer.exe | N/A
File opened for modification | C:\Windows\system32\D3SD | C:\Windows\system32\D3SD\explorer.exe | N/A
File created | C:\Windows\system32\D3SD\explorer.exe | C:\Users\Admin\AppData\Local\Temp\Shut.exe | N/A
File opened for modification | C:\Windows\system32\D3SD\explorer.exe | C:\Users\Admin\AppData\Local\Temp\Shut.exe | N/A
File opened for modification | C:\Windows\system32\D3SD | C:\Users\Admin\AppData\Local\Temp\Shut.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Shut.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\D3SD\explorer.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\D3SD\explorer.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\D3SD\explorer.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\D3SD\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Shut.exe

"C:\Users\Admin\AppData\Local\Temp\Shut.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Shut.exe" /rl HIGHEST /f

C:\Windows\system32\D3SD\explorer.exe

"C:\Windows\system32\D3SD\explorer.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Windows\system32\D3SD\explorer.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
N/A | 193.149.176.156:8080 |  | tcp
N/A | 193.149.176.156:8080 |  | tcp
N/A | 193.149.176.156:8080 |  | tcp
N/A | 193.149.176.156:8080 |  | tcp
N/A | 193.149.176.156:8080 |  | tcp
N/A | 193.149.176.156:8080 |  | tcp
N/A | 193.149.176.156:8080 |  | tcp

Files

memory/1944-54-0x0000000000250000-0x00000000002D4000-memory.dmp

memory/1944-55-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

memory/1676-56-0x0000000000000000-mapping.dmp

memory/1720-57-0x0000000000000000-mapping.dmp

C:\Windows\system32\D3SD\explorer.exe

MD5 225bee869cfc364982f132a8b9320f1e
SHA1 3d13fdd4c3781a3fe0b279f5480b88150cdc1ada
SHA256 fc6402f6df918d0307ea6e033afebf90fde69ca6b74dc6af4d97423d00518c45
SHA512 e17a17f41d57dbf28fa775926e2085e19b5583c5399b2e5d36466c0d4ee70bf2eb3d3c2ae079995bcf1eee5e9c3aaa0c84fbf462dd0d8c6e5591ae2a1210a871

C:\Windows\System32\D3SD\explorer.exe

MD5 225bee869cfc364982f132a8b9320f1e
SHA1 3d13fdd4c3781a3fe0b279f5480b88150cdc1ada
SHA256 fc6402f6df918d0307ea6e033afebf90fde69ca6b74dc6af4d97423d00518c45
SHA512 e17a17f41d57dbf28fa775926e2085e19b5583c5399b2e5d36466c0d4ee70bf2eb3d3c2ae079995bcf1eee5e9c3aaa0c84fbf462dd0d8c6e5591ae2a1210a871

memory/1720-60-0x00000000009F0000-0x0000000000A74000-memory.dmp

memory/944-62-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-28 23:02

Reported

2022-12-28 23:04

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Shut.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\D3SD\explorer.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\D3SD | C:\Windows\system32\D3SD\explorer.exe | N/A
File created | C:\Windows\system32\D3SD\explorer.exe | C:\Users\Admin\AppData\Local\Temp\Shut.exe | N/A
File opened for modification | C:\Windows\system32\D3SD\explorer.exe | C:\Users\Admin\AppData\Local\Temp\Shut.exe | N/A
File opened for modification | C:\Windows\system32\D3SD | C:\Users\Admin\AppData\Local\Temp\Shut.exe | N/A
File opened for modification | C:\Windows\system32\D3SD\explorer.exe | C:\Windows\system32\D3SD\explorer.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Shut.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\D3SD\explorer.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\D3SD\explorer.exe | N/A
N/A | N/A | C:\Windows\system32\D3SD\explorer.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\D3SD\explorer.exe | N/A
N/A | N/A | C:\Windows\system32\D3SD\explorer.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\D3SD\explorer.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Shut.exe

"C:\Users\Admin\AppData\Local\Temp\Shut.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Shut.exe" /rl HIGHEST /f

C:\Windows\system32\D3SD\explorer.exe

"C:\Windows\system32\D3SD\explorer.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Defender" /sc ONLOGON /tr "C:\Windows\system32\D3SD\explorer.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
N/A | 20.123.104.105:443 |  | tcp
N/A | 193.149.176.156:8080 |  | tcp
N/A | 8.8.8.8:53 | tools.keycdn.com | udp
N/A | 185.172.148.96:443 | tools.keycdn.com | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 64.185.227.156:443 | api.ipify.org | tcp
N/A | 93.184.220.29:80 |  | tcp
N/A | 93.184.220.29:80 |  | tcp
N/A | 104.80.225.205:443 |  | tcp
N/A | 93.184.220.29:80 |  | tcp

Files

memory/1524-132-0x0000000000580000-0x0000000000604000-memory.dmp

memory/1524-133-0x00007FFF257C0000-0x00007FFF26281000-memory.dmp

memory/1992-134-0x0000000000000000-mapping.dmp

memory/4124-135-0x0000000000000000-mapping.dmp

C:\Windows\System32\D3SD\explorer.exe

MD5 225bee869cfc364982f132a8b9320f1e
SHA1 3d13fdd4c3781a3fe0b279f5480b88150cdc1ada
SHA256 fc6402f6df918d0307ea6e033afebf90fde69ca6b74dc6af4d97423d00518c45
SHA512 e17a17f41d57dbf28fa775926e2085e19b5583c5399b2e5d36466c0d4ee70bf2eb3d3c2ae079995bcf1eee5e9c3aaa0c84fbf462dd0d8c6e5591ae2a1210a871

C:\Windows\system32\D3SD\explorer.exe

MD5 225bee869cfc364982f132a8b9320f1e
SHA1 3d13fdd4c3781a3fe0b279f5480b88150cdc1ada
SHA256 fc6402f6df918d0307ea6e033afebf90fde69ca6b74dc6af4d97423d00518c45
SHA512 e17a17f41d57dbf28fa775926e2085e19b5583c5399b2e5d36466c0d4ee70bf2eb3d3c2ae079995bcf1eee5e9c3aaa0c84fbf462dd0d8c6e5591ae2a1210a871

memory/1524-138-0x00007FFF257C0000-0x00007FFF26281000-memory.dmp

memory/4124-139-0x00007FFF257C0000-0x00007FFF26281000-memory.dmp

memory/4948-140-0x0000000000000000-mapping.dmp

memory/4124-141-0x000000001C840000-0x000000001C890000-memory.dmp

memory/4124-142-0x000000001C950000-0x000000001CA02000-memory.dmp

memory/4124-143-0x00007FFF257C0000-0x00007FFF26281000-memory.dmp