Malware Analysis Report

2025-04-14 05:06

Sample ID 230118-pgqceage99
Target 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87
SHA256 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87
Tags
office04 quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87

Threat Level: Known bad

The file 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87 was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar RAT

Quasar family

Quasar payload

Executes dropped EXE

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-18 12:18

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-18 12:18

Reported

2023-01-18 12:20

Platform

win10-20220812-en

Max time kernel

53s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SubDir\svchost.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\SubDir\svchost.exe | C:\Users\Admin\AppData\Local\Temp\3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe | N/A
File opened for modification | C:\Windows\SysWOW64\SubDir\svchost.exe | C:\Users\Admin\AppData\Local\Temp\3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe | N/A
File opened for modification | C:\Windows\SysWOW64\SubDir\svchost.exe | C:\Windows\SysWOW64\SubDir\svchost.exe | N/A
File opened for modification | C:\Windows\SysWOW64\SubDir | C:\Windows\SysWOW64\SubDir\svchost.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\SubDir\svchost.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\SubDir\svchost.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe

"C:\Users\Admin\AppData\Local\Temp\3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\SubDir\svchost.exe

"C:\Windows\SysWOW64\SubDir\svchost.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Windows\SysWOW64\SubDir\svchost.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | ip-api.com | udp
N/A | 208.95.112.1:80 | ip-api.com | tcp
N/A | 208.95.112.1:80 | ip-api.com | tcp
N/A | 188.119.45.143:9896 | | tcp
N/A | 8.8.8.8:53 | microsoftstolewindows.duckdns.org | udp
N/A | 212.154.86.214:9896 | microsoftstolewindows.duckdns.org | tcp
N/A | 20.189.173.14:443 | | tcp
N/A | 95.101.78.82:80 | | tcp

Files

memory/4936-116-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-117-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-118-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-119-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-120-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-121-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-122-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-123-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-124-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-125-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-126-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-127-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-128-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-129-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-130-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-131-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-132-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-133-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-134-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-135-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-136-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-137-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-138-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-139-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-140-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-141-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-142-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-143-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-144-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-145-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-146-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-147-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-148-0x0000000000E30000-0x0000000000E8E000-memory.dmp

memory/4936-149-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-150-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-151-0x0000000005AF0000-0x0000000005FEE000-memory.dmp

memory/4936-152-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-153-0x0000000005700000-0x0000000005792000-memory.dmp

memory/4936-154-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-155-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-156-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-157-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-158-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-159-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-160-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-161-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-162-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-163-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-164-0x0000000005FF0000-0x0000000006056000-memory.dmp

memory/4936-165-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-166-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-167-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-168-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-169-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-170-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-171-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-172-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-173-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-174-0x0000000006640000-0x0000000006652000-memory.dmp

memory/4936-175-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-176-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-177-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-178-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-179-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-180-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-181-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-182-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-183-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-184-0x0000000077520000-0x00000000776AE000-memory.dmp

memory/4936-195-0x0000000006A30000-0x0000000006A6E000-memory.dmp

memory/5108-197-0x0000000000000000-mapping.dmp

memory/1720-217-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\SubDir\svchost.exe

MD5 3227a70d123b9da999bf150fdf605036
SHA1 1b959876c589dc17b0d7084a8f3017123e8568af
SHA256 3ecf24e572980c093d67046cf6480284f96224e3e887ef3854428e1fec0adc87
SHA512 1c75060b544047c0a6d39822014c85bb5bba8e14b4432b2a291bc9e2b8e55c156f9736d1483f8f8f226961aa663a9fc20919e6d2812faf38ceb2f262e31ae8ae

memory/696-295-0x0000000000000000-mapping.dmp

memory/1720-315-0x0000000007320000-0x000000000732A000-memory.dmp