Overview

overview

10

Static

static

10

fontdrvhost.exe

windows7-x64

10

fontdrvhost.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    27-08-2023 23:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fontdrvhost.exe

  • Size

    3.1MB

  • MD5

    3aaaf4be968f7846cc3697959a6ba5ec

  • SHA1

    66c6de49521762033bc0f08d2fc2a18c2c678197

  • SHA256

    29f9003753e24d20e597b7c71661dadd221b011c9f14531e25e0bf1c55145123

  • SHA512

    6626e7e982e65c02fac4b9ae40f5f57e7bc4e79aaa08c9aa12d4b42f1fee0ca6449608972dbe19d634fe48cd8835f8fa5456780f62da143614b28a1f18489ecf

  • SSDEEP

    49152:fvve821/aQWl8P0lSk3aKA3Z+new/6BxyLoGd0qQTHHB72eh2NT:fvm821/aQWl8P0lSk3DA3Z+n5/5E

Score
10/10
quasarmy vmspywaretrojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

My VM

C2

server1.trustedvpnservices.com:13832

higradevpn.xyz:13832
Mutex

071e2576-e94a-492e-8303-baae1cb4641c

Attributes
  • encryption_key

    402F6F1B2F63357285F585A5880FBC2C0F468F55

  • install_name

    fontdrvhost.exe

  • log_directory

    CrashLogs

  • reconnect_delay

    3000

  • startup_key

    Usermode Font Driver Host

  • subdirectory

    C:\Windows\System32

Signatures

  • Quasar RAT

    Quasar is an open source Remote Access Tool.

    trojanspywarequasar
  • Quasar payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Windows directory 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fontdrvhost.exe
    "C:\Users\Admin\AppData\Local\Temp\fontdrvhost.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Usermode Font Driver Host" /sc ONLOGON /tr "C:\Windows\System32\fontdrvhost.exe" /rl HIGHEST /f
      2⤵
      • Creates scheduled task(s)
      PID:2804
    • C:\Windows\System32\fontdrvhost.exe
      "C:\Windows\System32\fontdrvhost.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\System32\schtasks.exe
        "schtasks" /create /tn "Usermode Font Driver Host" /sc ONLOGON /tr "C:\Windows\System32\fontdrvhost.exe" /rl HIGHEST /f
        3⤵
        • Creates scheduled task(s)
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\System32\fontdrvhost.exe
    Filesize

    3.1MB

    MD5

    3aaaf4be968f7846cc3697959a6ba5ec

    SHA1

    66c6de49521762033bc0f08d2fc2a18c2c678197

    SHA256

    29f9003753e24d20e597b7c71661dadd221b011c9f14531e25e0bf1c55145123

    SHA512

    6626e7e982e65c02fac4b9ae40f5f57e7bc4e79aaa08c9aa12d4b42f1fee0ca6449608972dbe19d634fe48cd8835f8fa5456780f62da143614b28a1f18489ecf

    Download Submit

  • C:\Windows\System32\fontdrvhost.exe
    Filesize

    3.1MB

    MD5

    3aaaf4be968f7846cc3697959a6ba5ec

    SHA1

    66c6de49521762033bc0f08d2fc2a18c2c678197

    SHA256

    29f9003753e24d20e597b7c71661dadd221b011c9f14531e25e0bf1c55145123

    SHA512

    6626e7e982e65c02fac4b9ae40f5f57e7bc4e79aaa08c9aa12d4b42f1fee0ca6449608972dbe19d634fe48cd8835f8fa5456780f62da143614b28a1f18489ecf

    Download Submit

  • memory/2332-0-0x0000000000FA0000-0x00000000012C4000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2332-1-0x000007FEF6070000-0x000007FEF6A5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2332-2-0x0000000000EE0000-0x0000000000F60000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2332-8-0x000007FEF6070000-0x000007FEF6A5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2504-10-0x000007FEF6070000-0x000007FEF6A5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2504-9-0x0000000000250000-0x0000000000574000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2504-11-0x000000001A9E0000-0x000000001AA60000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2504-12-0x000007FEF6070000-0x000007FEF6A5C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2504-13-0x000000001A9E0000-0x000000001AA60000-memory.dmp

    Filesize

    512KB

    Download