Malware Analysis Report

2025-04-14 05:07

Sample ID: 221229-lvgqmsfh7t
Target: QuasarAplicativo.exe
SHA256: 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7
Tags: office04 quasar spyware trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7

Threat Level: Known bad

The file QuasarAplicativo.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar payload

Quasar family

Quasar RAT

Executes dropped EXE

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2022-12-29 09:51

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-12-29 09:51
Reported: 2022-12-29 09:53
Platform: win7-20220901-en
Max time kernel: 146s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QuasarAplicativo.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windows\svchost.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QuasarAplicativo.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\windows\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windows\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\QuasarAplicativo.exe

"C:\Users\Admin\AppData\Local\Temp\QuasarAplicativo.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\QuasarAplicativo.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\windows\svchost.exe

"C:\Users\Admin\AppData\Roaming\windows\svchost.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\svchost.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto Count
N/A 8.8.8.8:53 flingmodder-53370.portmap.io udp 1
N/A 193.161.193.99:53370 flingmodder-53370.portmap.io tcp 24

Files

memory/1468-54-0x0000000001080000-0x0000000001104000-memory.dmp

memory/1468-55-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

memory/1160-56-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\windows\svchost.exe

MD5 bbd0db3230e57aeb7ca23e59aadf0134
SHA1 fdda0bfd08bbd74557dd878bda12f05368befb7d
SHA256 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7
SHA512 4393b5dcac40f0b36bf85e50f66ed299a95c298b5c8e4853aae8e5f84ab7d2cb64a989728b21135e2730afaddd60002872e517e8b67b68085f97345ff4a6baf3

memory/1544-57-0x0000000000000000-mapping.dmp

memory/1544-60-0x0000000000C40000-0x0000000000CC4000-memory.dmp

memory/1648-62-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-12-29 09:51
Reported: 2022-12-29 09:53
Platform: win10v2004-20221111-en
Max time kernel: 147s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QuasarAplicativo.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windows\svchost.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\QuasarAplicativo.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\windows\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\windows\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\QuasarAplicativo.exe

"C:\Users\Admin\AppData\Local\Temp\QuasarAplicativo.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\QuasarAplicativo.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\windows\svchost.exe

"C:\Users\Admin\AppData\Roaming\windows\svchost.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\windows\svchost.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto Count
N/A 8.8.8.8:53 flingmodder-53370.portmap.io udp 1
N/A 193.161.193.99:53370 flingmodder-53370.portmap.io tcp 26
N/A 93.184.220.29:80 - tcp 1
N/A 104.80.225.205:443 - tcp 1
N/A 93.184.221.240:80 - tcp 4

Files

memory/2420-132-0x00000000001C0000-0x0000000000244000-memory.dmp

memory/2420-133-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

memory/2216-134-0x0000000000000000-mapping.dmp

memory/4996-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\windows\svchost.exe

MD5 bbd0db3230e57aeb7ca23e59aadf0134
SHA1 fdda0bfd08bbd74557dd878bda12f05368befb7d
SHA256 741a3f8b91ad8ef7bf2936bafddb95200b0f3083a6933d1d82c278baaa6ec9c7
SHA512 4393b5dcac40f0b36bf85e50f66ed299a95c298b5c8e4853aae8e5f84ab7d2cb64a989728b21135e2730afaddd60002872e517e8b67b68085f97345ff4a6baf3

memory/2420-138-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

memory/4996-139-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp

memory/2492-140-0x0000000000000000-mapping.dmp

memory/4996-141-0x000000001B580000-0x000000001B5D0000-memory.dmp

memory/4996-142-0x000000001BEC0000-0x000000001BF72000-memory.dmp

memory/4996-143-0x00007FF84FDF0000-0x00007FF8508B1000-memory.dmp