Malware Analysis Report

2025-04-14 05:06

Sample ID 230123-xem39sgc8y
Target BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe
SHA256 bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c
Tags
quasar office04 spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c

Threat Level: Known bad

The file BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar RAT

Quasar family

Quasar payload

Executes dropped EXE

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-23 18:46

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-23 18:46

Reported

2023-01-23 18:48

Platform

win10v2004-20221111-en

Max time kernel

64s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\SubDir\Client.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A
File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe

"C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 72.21.81.240:80 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 8.8.8.8:53 | tools.keycdn.com | udp
N/A | 185.172.148.96:443 | tools.keycdn.com | tcp
N/A | 8.8.8.8:53 | api.ipify.org | udp
N/A | 64.185.227.155:443 | api.ipify.org | tcp
N/A | 104.80.225.205:443 | N/A | tcp
N/A | 72.21.81.240:80 | N/A | tcp
N/A | 72.21.81.240:80 | N/A | tcp

Files

memory/4912-132-0x0000000000C40000-0x0000000000CC4000-memory.dmp

memory/4912-133-0x00007FF80F660000-0x00007FF810121000-memory.dmp

memory/4812-134-0x0000000000000000-mapping.dmp

memory/1396-135-0x0000000000000000-mapping.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 25143aaeca811f4e42df904f96d6fc03
SHA1 2970f0d3a80dfcb65e39f6e015034e83e6476bd4
SHA256 bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c
SHA512 06526d154a406700b4e57142bb4d51db33e7600e05e13b83f0059babc6e867ae8b2a5616ca7cf5fbb564f49304eda0d5bf7c5f89d30a7ea3998dcb2045aa21a3

C:\Windows\system32\SubDir\Client.exe

MD5 25143aaeca811f4e42df904f96d6fc03
SHA1 2970f0d3a80dfcb65e39f6e015034e83e6476bd4
SHA256 bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c
SHA512 06526d154a406700b4e57142bb4d51db33e7600e05e13b83f0059babc6e867ae8b2a5616ca7cf5fbb564f49304eda0d5bf7c5f89d30a7ea3998dcb2045aa21a3

memory/4912-138-0x00007FF80F660000-0x00007FF810121000-memory.dmp

memory/1396-139-0x00007FF80F660000-0x00007FF810121000-memory.dmp

memory/4272-140-0x0000000000000000-mapping.dmp

memory/1396-141-0x000000001C910000-0x000000001C960000-memory.dmp

memory/1396-142-0x000000001CA20000-0x000000001CAD2000-memory.dmp

memory/1396-143-0x00007FF80F660000-0x00007FF810121000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-23 18:46

Reported

2023-01-23 18:48

Platform

win7-20221111-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\SubDir\Client.exe | N/A
File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A
File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe

"C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp
N/A | 77.83.242.206:4782 | N/A | tcp

Files

memory/1588-54-0x00000000002D0000-0x0000000000354000-memory.dmp

memory/1588-55-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp

memory/1156-56-0x0000000000000000-mapping.dmp

memory/1776-57-0x0000000000000000-mapping.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 25143aaeca811f4e42df904f96d6fc03
SHA1 2970f0d3a80dfcb65e39f6e015034e83e6476bd4
SHA256 bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c
SHA512 06526d154a406700b4e57142bb4d51db33e7600e05e13b83f0059babc6e867ae8b2a5616ca7cf5fbb564f49304eda0d5bf7c5f89d30a7ea3998dcb2045aa21a3

C:\Windows\system32\SubDir\Client.exe

MD5 25143aaeca811f4e42df904f96d6fc03
SHA1 2970f0d3a80dfcb65e39f6e015034e83e6476bd4
SHA256 bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c
SHA512 06526d154a406700b4e57142bb4d51db33e7600e05e13b83f0059babc6e867ae8b2a5616ca7cf5fbb564f49304eda0d5bf7c5f89d30a7ea3998dcb2045aa21a3

memory/1776-60-0x0000000000EE0000-0x0000000000F64000-memory.dmp

memory/1760-62-0x0000000000000000-mapping.dmp