quasar | 641a1a8dd5377977e5d961268e88b5cfcaa679191cbf0ea34a53f8132a342b0f

Analysis

max time kernel
137s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 12:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe
Size

11.3MB
MD5

7b79bbfe338448b0de666215060d2cbc
SHA1

d8ca513e1e85e1a8dd6a81824f86064fad19419a
SHA256

150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03
SHA512

e621286081db8ea041aaf148b233d52d8c4fdfd5ef0fa5327e17622ff3e19d8c6b6c25881b3f396e93c7aaacd0ed3e3baca7be59a508a5232534e3f777a99e50
SSDEEP

196608:ChTb9B0BPrDz4pxgZZPy5RmStgxb/z6FDiSJXqeUh4mT+uFk8spbVgo87e8YU:sTb9epDz4MZZ4RmxYDiScfhHjeV+vK8Y

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.1.237:4782

Mutex

08ac4250-96f9-44da-b030-99dcc4597b28

Attributes

encryption_key
D43A8C9C8C9A74741CBEA4F1A01C53C2F8DF8AC2
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/3472-145-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 3472	3028	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	91

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe
Token: SeDebugPrivilege	3472	RegAsm.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3472	RegAsm.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3472	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 3472	3028	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	91
PID 3028 wrote to memory of 3472	3028	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	91
PID 3028 wrote to memory of 3472	3028	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	91
PID 3028 wrote to memory of 3472	3028	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	91
PID 3028 wrote to memory of 3472	3028	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	91
PID 3028 wrote to memory of 3472	3028	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	91
PID 3028 wrote to memory of 3472	3028	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	91
PID 3028 wrote to memory of 3472	3028	150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe	91

C:\Users\Admin\AppData\Local\Temp\150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe
"C:\Users\Admin\AppData\Local\Temp\150169f8a2862e4c977fe99b4d6a1af4e2169deae6d76d64434af35633c01e03.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3028-133-0x0000000000BA0000-0x00000000016F6000-memory.dmp

Filesize
11.3MB

Download
memory/3028-134-0x00000000061E0000-0x00000000061FA000-memory.dmp

Filesize
104KB

Download
memory/3028-135-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/3028-136-0x0000000008C80000-0x0000000008CF6000-memory.dmp

Filesize
472KB

Download
memory/3028-137-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/3028-138-0x000000000A2B0000-0x000000000A2B8000-memory.dmp

Filesize
32KB

Download
memory/3028-139-0x0000000007A20000-0x0000000007A28000-memory.dmp

Filesize
32KB

Download
memory/3028-140-0x000000000A4C0000-0x000000000A4DE000-memory.dmp

Filesize
120KB

Download
memory/3028-141-0x000000000AF80000-0x000000000B524000-memory.dmp

Filesize
5.6MB

Download
memory/3028-142-0x000000000AAB0000-0x000000000AB42000-memory.dmp

Filesize
584KB

Download
memory/3028-143-0x0000000008810000-0x000000000881A000-memory.dmp

Filesize
40KB

Download
memory/3028-144-0x00000000022F0000-0x0000000002300000-memory.dmp

Filesize
64KB

Download
memory/3472-145-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/3472-147-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download
memory/3472-148-0x0000000006EA0000-0x00000000074B8000-memory.dmp

Filesize
6.1MB

Download
memory/3472-149-0x0000000006A30000-0x0000000006A80000-memory.dmp

Filesize
320KB

Download
memory/3472-150-0x0000000006C90000-0x0000000006D42000-memory.dmp

Filesize
712KB

Download
memory/3472-151-0x00000000056D0000-0x00000000056E0000-memory.dmp

Filesize
64KB

Download