Malware Analysis Report

2025-01-18 04:25

Sample ID 231202-fnm17ahh9t
Target Mercuri Update.exe
SHA256 948d003947b71983cf3c828c73d3945bdb82520d8c6bbfa403ff6a7bb4231dac
Tags
quasar office04 spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

948d003947b71983cf3c828c73d3945bdb82520d8c6bbfa403ff6a7bb4231dac

Threat Level: Known bad

The file Mercuri Update.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar payload

Quasar family

Quasar RAT

Enumerates physical storage devices

Unsigned PE

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-02 05:01

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-02 05:01

Reported

2023-12-02 05:15

Platform

win10-20231023-en

Max time kernel

125s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe C:\Windows\system32\cmd.exe
PID 5088 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe C:\Windows\system32\cmd.exe
PID 3200 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3200 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3200 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE
PID 3200 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe

"C:\Users\Admin\AppData\Local\Temp\Mercuri Update.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkvvM4I2sU0P.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 vxc-63595.portmap.host udp
DE 193.161.193.99:63595 vxc-63595.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

memory/5088-0-0x0000000000FB0000-0x00000000012D4000-memory.dmp

memory/5088-1-0x00007FFD495B0000-0x00007FFD49F9C000-memory.dmp

memory/5088-2-0x000000001C060000-0x000000001C070000-memory.dmp

memory/5088-3-0x000000001BFE0000-0x000000001C030000-memory.dmp

memory/5088-4-0x000000001C430000-0x000000001C4E2000-memory.dmp

memory/5088-7-0x000000001C3B0000-0x000000001C3C2000-memory.dmp

memory/5088-8-0x000000001D120000-0x000000001D15E000-memory.dmp

memory/5088-9-0x00007FFD495B0000-0x00007FFD49F9C000-memory.dmp

memory/5088-14-0x00007FFD495B0000-0x00007FFD49F9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tkvvM4I2sU0P.bat

MD5 aa450b4fd43f987a01d27ccef08c61cd
SHA1 5bbeb936b0302ad3694c6d717c547dcfbcd62645
SHA256 557ecc72766c3b881cc38771c193cf7ac7c664a600654cfba4c6bb436e6868fd
SHA512 822f3fcbb07d075330b7faf590164437ead94b93c6709505e2a8f16e87dfb0b3e4ab33eb8fb4ac8b835deba7fb61457dcd7f73cb6512a9684c5cc9314ffcb163