quasar | 09c580ea4063cb2f16bce177151628d3e9c04a87ba2c0bcb7e6d1d588b8563ed

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-02-2023 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe
Size

6.6MB
MD5

81e1869c9f3495afba6c21bf71a10292
SHA1

b5c056e5cc14b88d5115a47a86b8df43c6b6eed1
SHA256

09c580ea4063cb2f16bce177151628d3e9c04a87ba2c0bcb7e6d1d588b8563ed
SHA512

8717f6db2c25eef0daba503270787e6590a4aaf3b6cfd622f1da2907a212e42e12394731d8a6b0486024c2e71677574011d25340870786f0551acee92402fe24
SSDEEP

196608:XqMIY4MLN9onJ5hrZEK3e9tGPqK6wTbPfFwc5CVsf5:gup9c5hlEK/PN6w3XCVm

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

91.209.226.129:4477

Mutex

aab8fb23-9414-4086-92a8-8f9df7355991

Attributes

encryption_key
115C3BBD6300A13A8593E1EA090433CDAA8539CA
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2000-68-0x0000000004390000-0x0000000004414000-memory.dmp	family_quasar

Loads dropped DLL 4 IoCs

Processes:

09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe

pid	process
2000	09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe
2000	09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe
2000	09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe
2000	09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe

description	pid	process
Token: 35	2000	09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe
Token: SeDebugPrivilege	2000	09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe
Token: SeDebugPrivilege	2000	09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe

description	pid	process	target process
PID 1996 wrote to memory of 2000	1996	09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe	09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe
PID 1996 wrote to memory of 2000	1996	09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe	09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe
PID 1996 wrote to memory of 2000	1996	09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe	09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe

C:\Users\Admin\AppData\Local\Temp\09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe
"C:\Users\Admin\AppData\Local\Temp\09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe
"C:\Users\Admin\AppData\Local\Temp\09C580EA4063CB2F16BCE177151628D3E9C04A87BA2C0.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI19962\VCRUNTIME140.dll
Filesize
85KB

MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\_ctypes.pyd
Filesize
129KB

MD5
5e869eebb6169ce66225eb6725d5be4a

SHA1
747887da0d7ab152e1d54608c430e78192d5a788

SHA256
430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173

SHA512
feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\base_library.zip
Filesize
777KB

MD5
ca531de5744f22c704de726bd3353404

SHA1
bc19aa77ad9bbac86bae3a7209bca5fc2d602ed3

SHA256
a50f524eed66843246d6fdb765fb5a96c33b4aa4aab2efda7c11592c2ef80606

SHA512
42e19ee714e2d7de0ed29645d21c50946abd90cec29d04bf1a6a7fba26cbe664b1c3bae55fa011b58d7ea33736e2a1667615abc93ad89f976591d8ccfcf4ff2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\python37.dll
Filesize
3.6MB

MD5
c4709f84e6cf6e082b80c80b87abe551

SHA1
c0c55b229722f7f2010d34e26857df640182f796

SHA256
ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3

SHA512
e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19962\pywintypes37.dll
Filesize
133KB

MD5
f9d8093503c0eb02a2d30db794dbaa81

SHA1
d11ac482caef0a4f3b008644e34b5c962c69a3af

SHA256
47cfa248363c3e5e3c2fcd847bd73435890bac14c3403f2841fd5e138f936869

SHA512
c4ce86cecef6e2b3785f076667381f3e8e4b7d9e6e7c9e48d2fedde83670df61c51bdd852c3fadc826bee6025d9c22a1cd2f1ba255a7123047ac11e2ed262fdc

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19962\VCRUNTIME140.dll
Filesize
85KB

MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19962\_ctypes.pyd
Filesize
129KB

MD5
5e869eebb6169ce66225eb6725d5be4a

SHA1
747887da0d7ab152e1d54608c430e78192d5a788

SHA256
430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173

SHA512
feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19962\python37.dll
Filesize
3.6MB

MD5
c4709f84e6cf6e082b80c80b87abe551

SHA1
c0c55b229722f7f2010d34e26857df640182f796

SHA256
ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3

SHA512
e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI19962\pywintypes37.dll
Filesize
133KB

MD5
f9d8093503c0eb02a2d30db794dbaa81

SHA1
d11ac482caef0a4f3b008644e34b5c962c69a3af

SHA256
47cfa248363c3e5e3c2fcd847bd73435890bac14c3403f2841fd5e138f936869

SHA512
c4ce86cecef6e2b3785f076667381f3e8e4b7d9e6e7c9e48d2fedde83670df61c51bdd852c3fadc826bee6025d9c22a1cd2f1ba255a7123047ac11e2ed262fdc

Download Submit
memory/1996-54-0x000007FEFBBA1000-0x000007FEFBBA3000-memory.dmp

Filesize
8KB

Download
memory/2000-55-0x0000000000000000-mapping.dmp

Download
memory/2000-66-0x00000000001A0000-0x00000000001AD000-memory.dmp

Filesize
52KB

Download
memory/2000-67-0x0000000003B30000-0x0000000003B38000-memory.dmp

Filesize
32KB

Download
memory/2000-68-0x0000000004390000-0x0000000004414000-memory.dmp

Filesize
528KB

Download
memory/2000-69-0x0000000004270000-0x00000000042F7000-memory.dmp

Filesize
540KB

Download