Overview

overview

10

Static

static

10

Quasar v1....e.html

windows10-1703-x64

1

Quasar v1....to.dll

windows10-1703-x64

1

Quasar v1....ok.dll

windows10-1703-x64

1

Quasar v1....db.dll

windows10-1703-x64

1

Quasar v1....db.dll

windows10-1703-x64

1

Quasar v1....ks.dll

windows10-1703-x64

1

Quasar v1....il.dll

windows10-1703-x64

1

Quasar v1....at.dll

windows10-1703-x64

1

Quasar v1....on.dll

windows10-1703-x64

1

Quasar v1....ar.exe

windows10-1703-x64

10

Quasar v1....xe.xml

windows10-1703-x64

1

Quasar v1....ib.dll

windows10-1703-x64

1

Quasar v1....nt.exe

windows10-1703-x64

10

Quasar v1....et.dll

windows10-1703-x64

1

Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-05-2023 22:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quasar v1.4.1/Quasar.exe

  • Size

    1.2MB

  • MD5

    12ebf922aa80d13f8887e4c8c5e7be83

  • SHA1

    7f87a80513e13efd45175e8f2511c2cd17ff51e8

  • SHA256

    43315abb9c8be9a39782bd8694a7ea9f16a867500dc804454d04b8bf2c15c51e

  • SHA512

    fda5071e15cf077d202b08db741bbfb3dbd815acc41deec7b7d44e055cac408e2f2de7233f8f9c5c618afd00ffc2fc4c6e8352cbdf18f9aab55d980dcb58a275

  • SSDEEP

    12288:IwPs012cBBBYiL9l/bFfpBBBBBBBBBBBBcA:jBBBYiLvzFfpBBBBBBBBBBBBcA

Score
10/10
quasarspywaretrojan

Malware Config

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 59 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Quasar.exe
    "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\Quasar.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4100
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" /select, "C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\quasar.p12"
      2⤵
        PID:864
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2484
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        2⤵
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4620
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.0.210545785\1019315393" -parentBuildID 20221007134813 -prefsHandle 1612 -prefMapHandle 1600 -prefsLen 20810 -prefMapSize 232645 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12f66eab-071f-4994-85c3-156465ae7c99} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 1704 28046803258 gpu
          3⤵
            PID:2952
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.1.2027843983\764840020" -parentBuildID 20221007134813 -prefsHandle 2060 -prefMapHandle 2056 -prefsLen 20891 -prefMapSize 232645 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f935094-33c8-4249-85af-ce2ec02d3669} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 2072 280455fa258 socket
            3⤵
            • Checks processor information in registry
            PID:1300
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.2.1315099996\22904753" -childID 1 -isForBrowser -prefsHandle 2688 -prefMapHandle 2924 -prefsLen 21039 -prefMapSize 232645 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0ebaa4c-4075-45cf-b19e-ef9bb1f18b06} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 2660 28049550858 tab
            3⤵
              PID:1564
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.3.1582689135\1643639101" -childID 2 -isForBrowser -prefsHandle 3180 -prefMapHandle 3176 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63119031-c5d7-4422-9a9a-0edd87372646} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 3188 2803aa5e258 tab
              3⤵
                PID:4396
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.4.214488625\2082180990" -childID 3 -isForBrowser -prefsHandle 3728 -prefMapHandle 3724 -prefsLen 26484 -prefMapSize 232645 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9b754a1-6f5e-4a2c-9d67-0a4293df2e9a} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 3740 2803aa5b258 tab
                3⤵
                  PID:5020
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.6.802060433\420477328" -childID 5 -isForBrowser -prefsHandle 4816 -prefMapHandle 4820 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43fa4c16-84bb-444d-8609-02c6a487f348} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 4812 2804ba5bc58 tab
                  3⤵
                    PID:1804
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.7.1528844502\1522572703" -childID 6 -isForBrowser -prefsHandle 5012 -prefMapHandle 5084 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9450c7d-9dad-4643-8e5c-2d1e8eccdcd4} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 5096 2804ba5bf58 tab
                    3⤵
                      PID:1756
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4620.5.1546382007\630235137" -childID 4 -isForBrowser -prefsHandle 4664 -prefMapHandle 4624 -prefsLen 26543 -prefMapSize 232645 -jsInitHandle 1184 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e849f178-16a0-4c77-a3c6-139832bc154c} 4620 "\\.\pipe\gecko-crash-server-pipe.4620" 4672 2804ba5a758 tab
                      3⤵
                        PID:1988
                  • C:\Windows\explorer.exe
                    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                    1⤵
                    • Modifies Internet Explorer settings
                    • Modifies registry class
                    • Suspicious behavior: AddClipboardFormatListener
                    • Suspicious use of SetWindowsHookEx
                    PID:1256
                  • C:\Windows\System32\rundll32.exe
                    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                    1⤵
                      PID:2032

                    Network

                    MITRE ATT&CK Matrix ATT&CK v6

                    Initial Access

                    Execution

                    Persistence

                    Privilege Escalation

                    Defense Evasion

                    Modify Registry

                    1
                    T1112

                    Credential Access

                    Discovery

                    System Information Discovery

                    2
                    T1082

                    Query Registry

                    2
                    T1012

                    Lateral Movement

                    Collection

                    Exfiltration

                    Command and Control

                    Impact

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\oqpbz544.default-release\activity-stream.discovery_stream.json.tmp
                      Filesize

                      141KB

                      MD5

                      c281c95088be82f4f0ab4650c3a77b05

                      SHA1

                      812f9e86dbdc01a0b58d12821b225d17cf54381a

                      SHA256

                      8c53feea6f8146fbe95b451bb8d103837303e2655b22db63a37ccd6ac51e6ee1

                      SHA512

                      7f61d40745b65aee44bd05d7ea4d82a6f34789087f29d5a1b02e7407b4b755005e6acc8735c5fac2624abed800bce71805fc905169a8aa1611d90ff5758f6f00

                      Download Submit
                    • C:\Users\Admin\AppData\Local\Temp\Quasar v1.4.1\quasar.p12
                      Filesize

                      4KB

                      MD5

                      36cfb73a419af58bf47f4f3ae8fe7bc8

                      SHA1

                      4f07bc98f0e27e8de67bc455ed573b46e35125d6

                      SHA256

                      fd1b970a845ae5f20fdca035ad2fc21e700c6a73376d399d579e7c89ba6084d9

                      SHA512

                      6df799bbd0a0998f2281b896466b7854132ada7b126d89ae19b68d56ff2874f332db4c55bc5711bc684e4410aee8bd6ef7db47b35ceaf542217af0da5658e3aa

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\prefs.js
                      Filesize

                      6KB

                      MD5

                      cdb5a91b7898f75f98e448e80b41dba6

                      SHA1

                      c749651f98e32a2320d2e52fd467fd6217660535

                      SHA256

                      ed56bd19352777293cf7195af0fe1412d52e25af6a9a8e2bb04e3e32056556dc

                      SHA512

                      b99bca03a398f7e068691852106fe03a90489d1e8230720749c25703e59874765ef706e9e27c9215251372efee84d9c9d0eb636a54e45035d5d2095304fee97b

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionCheckpoints.json.tmp
                      Filesize

                      259B

                      MD5

                      c8dc58eff0c029d381a67f5dca34a913

                      SHA1

                      3576807e793473bcbd3cf7d664b83948e3ec8f2d

                      SHA256

                      4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

                      SHA512

                      b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

                      Download Submit
                    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\oqpbz544.default-release\sessionstore.jsonlz4
                      Filesize

                      883B

                      MD5

                      a891ac572dc4f13eb5e88a75309b4578

                      SHA1

                      8c64beeb174ef06e47866b066b5389b3ab93b804

                      SHA256

                      a2184929c8b63a0c17a921e8a3b0afc8aff5c750005271ade5738a80a063e338

                      SHA512

                      2b66e09871601d5d00dd8add071cb77b7c6cd35e541ffe2707c7641395a208bfb3b11e2bd3e39a7c1d173ae75f506607eeeab6d1c071429e0220ea863f0fd0b3

                      Download Submit
                    • memory/4100-123-0x000002C53DE30000-0x000002C53DE40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/4100-122-0x000002C53DE30000-0x000002C53DE40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/4100-126-0x000002C53DE30000-0x000002C53DE40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/4100-127-0x000002C53DE30000-0x000002C53DE40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/4100-128-0x000002C540DA0000-0x000002C5410CE000-memory.dmp
                      Filesize

                      3.2MB

                      Download
                    • memory/4100-124-0x000002C53DE30000-0x000002C53DE40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/4100-119-0x000002C523740000-0x000002C523878000-memory.dmp
                      Filesize

                      1.2MB

                      Download
                    • memory/4100-125-0x000002C53DE30000-0x000002C53DE40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/4100-121-0x000002C53DE30000-0x000002C53DE40000-memory.dmp
                      Filesize

                      64KB

                      Download
                    • memory/4100-120-0x000002C5254B0000-0x000002C5254C6000-memory.dmp
                      Filesize

                      88KB

                      Download
                    • memory/4100-353-0x000002C5400E0000-0x000002C5400F8000-memory.dmp
                      Filesize

                      96KB

                      Download
                    • memory/4100-354-0x000002C540D00000-0x000002C540D50000-memory.dmp
                      Filesize

                      320KB

                      Download
                    • memory/4100-355-0x000002C542950000-0x000002C542A02000-memory.dmp
                      Filesize

                      712KB

                      Download
                    • memory/4100-356-0x000002C5401F0000-0x000002C54023C000-memory.dmp
                      Filesize

                      304KB

                      Download