quasar | e3c05e377bb3d08792a47d2d04488df5048549e96939a7207c5ef14015d2c329

Analysis

max time kernel
30s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20230703-it
resource tags

arch:x64arch:x86image:win10v2004-20230703-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
05-07-2023 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quasar.exe
Size

3.1MB
MD5

8b0270a1fe2e8b6d98bd29ce11d18f9c
SHA1

a64f7a329f2e741d6ce6a3dd3a66023e4885f8c7
SHA256

e3c05e377bb3d08792a47d2d04488df5048549e96939a7207c5ef14015d2c329
SHA512

52e7f3ace9b489729fa8a0434dd362f88e5af8ec34c36b8f40f05fa8fcbc8316ec1e578d8cc6ea2ae9a1e7c7b06ace205f354562988b4428f34066f17589d168
SSDEEP

49152:Xv9z92YpaQI6oPZlhP3ReybewoMdRJ6XbR3LoGdasTHHB72eh2NT:XvV92YpaQI6oPZlhP3YybewoMdRJ6pK

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.56.1:4782

93.35.198.71:4782

7.tcp.eu.ngrok.io:14313:25565

Mutex

63eac64e-75b2-49ce-8a2e-3d1114815132

Attributes

encryption_key
4C728E4D527117B7094ADC3922AFF7A3BF47EF70
install_name
WinSysUpdate.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
WinSysAnalisis

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/4156-133-0x00000000008A0000-0x0000000000BC4000-memory.dmp	family_quasar
behavioral1/files/0x00070000000231c0-138.dat	family_quasar
behavioral1/files/0x00070000000231c0-140.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
4032	WinSysUpdate.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3904	schtasks.exe
3472	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4156	quasar.exe
Token: SeDebugPrivilege	4032	WinSysUpdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4032	WinSysUpdate.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 3904	4156	quasar.exe	81
PID 4156 wrote to memory of 3904	4156	quasar.exe	81
PID 4156 wrote to memory of 4032	4156	quasar.exe	82
PID 4156 wrote to memory of 4032	4156	quasar.exe	82
PID 4032 wrote to memory of 3472	4032	WinSysUpdate.exe	84
PID 4032 wrote to memory of 3472	4032	WinSysUpdate.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\quasar.exe
C:\Users\Admin\AppData\Local\Temp\quasar.exe quasar.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WinSysAnalisis\WinSysUpdate.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:3904
- C:\Users\Admin\AppData\Roaming\WinSysAnalisis\WinSysUpdate.exe
  "C:\Users\Admin\AppData\Roaming\WinSysAnalisis\WinSysUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\WinSysAnalisis\WinSysUpdate.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:3472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WinSysAnalisis\WinSysUpdate.exe

Filesize
3.1MB

MD5
8b0270a1fe2e8b6d98bd29ce11d18f9c

SHA1
a64f7a329f2e741d6ce6a3dd3a66023e4885f8c7

SHA256
e3c05e377bb3d08792a47d2d04488df5048549e96939a7207c5ef14015d2c329

SHA512
52e7f3ace9b489729fa8a0434dd362f88e5af8ec34c36b8f40f05fa8fcbc8316ec1e578d8cc6ea2ae9a1e7c7b06ace205f354562988b4428f34066f17589d168

Download Submit
C:\Users\Admin\AppData\Roaming\WinSysAnalisis\WinSysUpdate.exe

Filesize
3.1MB

MD5
8b0270a1fe2e8b6d98bd29ce11d18f9c

SHA1
a64f7a329f2e741d6ce6a3dd3a66023e4885f8c7

SHA256
e3c05e377bb3d08792a47d2d04488df5048549e96939a7207c5ef14015d2c329

SHA512
52e7f3ace9b489729fa8a0434dd362f88e5af8ec34c36b8f40f05fa8fcbc8316ec1e578d8cc6ea2ae9a1e7c7b06ace205f354562988b4428f34066f17589d168

Download Submit
memory/4032-141-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/4032-142-0x000000001DB70000-0x000000001DBC0000-memory.dmp

Filesize
320KB

Download
memory/4032-143-0x000000001DC80000-0x000000001DD32000-memory.dmp

Filesize
712KB

Download
memory/4032-144-0x000000001B7B0000-0x000000001B7C0000-memory.dmp

Filesize
64KB

Download
memory/4156-133-0x00000000008A0000-0x0000000000BC4000-memory.dmp

Filesize
3.1MB

Download
memory/4156-134-0x000000001B7D0000-0x000000001B7E0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads