quasar | 14df5d1e4b0be12a769c1c8ba950c4c2a192cc4f145dbe9decec59bf2706788b

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-01-2023 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

654a5edfc6d36d1d475c50a8c852f2fc.exe
Size

2.7MB
MD5

654a5edfc6d36d1d475c50a8c852f2fc
SHA1

48c4da32b00cfcaed25486b9494ec515a1773b40
SHA256

14df5d1e4b0be12a769c1c8ba950c4c2a192cc4f145dbe9decec59bf2706788b
SHA512

9ade8e74584193ddc1f853201b87fb86ba160bf3cc197d17e51109d3b6b46ba1ea658b0a161b2fc321fa12b6ff5466747cc2c0ec71f9fabdacbb356f510752ab
SSDEEP

49152:c0xDDQQGj33SmdY5sKfLeG2QRaLaOUaO1kcQu79tlTXCyza32ehyfTAm:c0RQQGj33SGmsKfLeG2QRaGOUaO1kcQ6

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

161.97.148.204:1604

Mutex

dabdfe29-55de-460b-9c36-9570f2b03a88

Attributes

encryption_key
4795EB97A05AE5F4E669D4B7FFF6608D94FC9027
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/536-54-0x00000000002B0000-0x0000000000570000-memory.dmp	family_quasar

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

654a5edfc6d36d1d475c50a8c852f2fc.exe

description pid process

Token: SeDebugPrivilege 536 654a5edfc6d36d1d475c50a8c852f2fc.exe

description	pid	process
Token: SeDebugPrivilege	536	654a5edfc6d36d1d475c50a8c852f2fc.exe

C:\Users\Admin\AppData\Local\Temp\654a5edfc6d36d1d475c50a8c852f2fc.exe
"C:\Users\Admin\AppData\Local\Temp\654a5edfc6d36d1d475c50a8c852f2fc.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-54-0x00000000002B0000-0x0000000000570000-memory.dmp

Filesize
2.8MB

Download
memory/536-55-0x000007FEFC511000-0x000007FEFC513000-memory.dmp

Filesize
8KB

Download