Analysis Overview
SHA256
bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c
Threat Level: Known bad
The file BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe was found to be: Known bad.
Malicious Activity Summary
Quasar RAT
Quasar family
Quasar payload
Executes dropped EXE
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-23 18:46
Signatures
Quasar family
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-23 18:46
Reported
2023-01-23 18:48
Platform
win10v2004-20221111-en
Max time kernel
64s
Max time network
137s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\SubDir\Client.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A |
| File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4912 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4912 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 4912 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | C:\Windows\system32\SubDir\Client.exe |
| PID 4912 wrote to memory of 1396 | N/A | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | C:\Windows\system32\SubDir\Client.exe |
| PID 1396 wrote to memory of 4272 | N/A | C:\Windows\system32\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
| PID 1396 wrote to memory of 4272 | N/A | C:\Windows\system32\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe
"C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 8.8.8.8:53 | tools.keycdn.com | udp |
| N/A | 185.172.148.96:443 | tools.keycdn.com | tcp |
| N/A | 8.8.8.8:53 | api.ipify.org | udp |
| N/A | 64.185.227.155:443 | api.ipify.org | tcp |
| N/A | 104.80.225.205:443 | tcp | |
| N/A | 72.21.81.240:80 | tcp | |
| N/A | 72.21.81.240:80 | tcp |
Files
memory/4912-132-0x0000000000C40000-0x0000000000CC4000-memory.dmp
memory/4912-133-0x00007FF80F660000-0x00007FF810121000-memory.dmp
memory/4812-134-0x0000000000000000-mapping.dmp
memory/1396-135-0x0000000000000000-mapping.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | 25143aaeca811f4e42df904f96d6fc03 |
| SHA1 | 2970f0d3a80dfcb65e39f6e015034e83e6476bd4 |
| SHA256 | bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c |
| SHA512 | 06526d154a406700b4e57142bb4d51db33e7600e05e13b83f0059babc6e867ae8b2a5616ca7cf5fbb564f49304eda0d5bf7c5f89d30a7ea3998dcb2045aa21a3 |
C:\Windows\system32\SubDir\Client.exe
| MD5 | 25143aaeca811f4e42df904f96d6fc03 |
| SHA1 | 2970f0d3a80dfcb65e39f6e015034e83e6476bd4 |
| SHA256 | bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c |
| SHA512 | 06526d154a406700b4e57142bb4d51db33e7600e05e13b83f0059babc6e867ae8b2a5616ca7cf5fbb564f49304eda0d5bf7c5f89d30a7ea3998dcb2045aa21a3 |
memory/4912-138-0x00007FF80F660000-0x00007FF810121000-memory.dmp
memory/1396-139-0x00007FF80F660000-0x00007FF810121000-memory.dmp
memory/4272-140-0x0000000000000000-mapping.dmp
memory/1396-141-0x000000001C910000-0x000000001C960000-memory.dmp
memory/1396-142-0x000000001CA20000-0x000000001CAD2000-memory.dmp
memory/1396-143-0x00007FF80F660000-0x00007FF810121000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-23 18:46
Reported
2023-01-23 18:48
Platform
win7-20221111-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Quasar RAT
Quasar payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\SubDir | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Windows\system32\SubDir\Client.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir | C:\Windows\system32\SubDir\Client.exe | N/A |
| File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A |
| File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe
"C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\BF45D2F0B91865FC40060820980C9CF3A02C0CD42788B.exe" /rl HIGHEST /f
C:\Windows\system32\SubDir\Client.exe
"C:\Windows\system32\SubDir\Client.exe"
C:\Windows\system32\schtasks.exe
"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f
Network
| Country | Destination | Domain | Proto |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp | |
| N/A | 77.83.242.206:4782 | tcp |
Files
memory/1588-54-0x00000000002D0000-0x0000000000354000-memory.dmp
memory/1588-55-0x000007FEFBD41000-0x000007FEFBD43000-memory.dmp
memory/1156-56-0x0000000000000000-mapping.dmp
memory/1776-57-0x0000000000000000-mapping.dmp
C:\Windows\System32\SubDir\Client.exe
| MD5 | 25143aaeca811f4e42df904f96d6fc03 |
| SHA1 | 2970f0d3a80dfcb65e39f6e015034e83e6476bd4 |
| SHA256 | bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c |
| SHA512 | 06526d154a406700b4e57142bb4d51db33e7600e05e13b83f0059babc6e867ae8b2a5616ca7cf5fbb564f49304eda0d5bf7c5f89d30a7ea3998dcb2045aa21a3 |
C:\Windows\system32\SubDir\Client.exe
| MD5 | 25143aaeca811f4e42df904f96d6fc03 |
| SHA1 | 2970f0d3a80dfcb65e39f6e015034e83e6476bd4 |
| SHA256 | bf45d2f0b91865fc40060820980c9cf3a02c0cd42788bc954c8a84a81111d42c |
| SHA512 | 06526d154a406700b4e57142bb4d51db33e7600e05e13b83f0059babc6e867ae8b2a5616ca7cf5fbb564f49304eda0d5bf7c5f89d30a7ea3998dcb2045aa21a3 |
memory/1776-60-0x0000000000EE0000-0x0000000000F64000-memory.dmp
memory/1760-62-0x0000000000000000-mapping.dmp