quasar | 10c0a60ca1b17282e0853e2134e7d67b604b1b38a66677fb99ef918672be2c79

Analysis

max time kernel
38s
max time network
88s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2023 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efbb56f8386d1881cc20a3de36686239.exe
Size

16.8MB
MD5

efbb56f8386d1881cc20a3de36686239
SHA1

b58ff7105f942a68c58cdc2fb80e3bf8d0a8de16
SHA256

10c0a60ca1b17282e0853e2134e7d67b604b1b38a66677fb99ef918672be2c79
SHA512

e2d9f182859273c9f13bdf3fd87fa5818676b1f7b41da556ac3c724ab75e50db64e7421632ca0e3d5b4d4d4f519d54484af1a3e4da919d665475a8715bc63311
SSDEEP

393216:hRwHfrE1h2ye2vmGpEeaQrg8OUEsf3iCZOuko4xgWL74hwtG1ZtJRjHYX:4HfrEKgJeehrSW3NOVoudPliZtTHYX

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

smtp.yassine-bolard.nl:72

82.65.150.176:72

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
V8QkE5vrgV4DVybE2MTP
install_name
$77Discord.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Discord
subdirectory
Discord

Signatures

Contains code to disable Windows Defender 4 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/files/0x0009000000023249-61.dat	disable_win_def
behavioral2/memory/4572-62-0x0000000000830000-0x00000000008C6000-memory.dmp	disable_win_def
behavioral2/files/0x0007000000023251-74.dat	disable_win_def
behavioral2/files/0x0007000000023251-73.dat	disable_win_def

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0009000000023249-61.dat	family_quasar
behavioral2/memory/4572-62-0x0000000000830000-0x00000000008C6000-memory.dmp	family_quasar
behavioral2/files/0x0007000000023251-74.dat	family_quasar
behavioral2/files/0x0007000000023251-73.dat	family_quasar

Nirsoft 1 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023246-27.dat	Nirsoft

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

efbb56f8386d1881cc20a3de36686239.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	efbb56f8386d1881cc20a3de36686239.exe

Executes dropped EXE 1 IoCs

Processes:

windows_defender_bypass.exe

pid	Process
1604	windows_defender_bypass.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
44	ip-api.com

Drops file in Program Files directory 12 IoCs

Processes:

windows_defender_bypass.exeefbb56f8386d1881cc20a3de36686239.exe

description	ioc	Process
File created	C:\Program Files\Windows_Defender\Test.bat	windows_defender_bypass.exe
File opened for modification	C:\Program Files\Windows_Defender\Test.bat	windows_defender_bypass.exe
File opened for modification	C:\Program Files\Windows_Defender\AdvancedRun.exe	windows_defender_bypass.exe
File opened for modification	C:\Program Files\Windows_Update	efbb56f8386d1881cc20a3de36686239.exe
File created	C:\Program Files\Windows_Update\Discord.exe	efbb56f8386d1881cc20a3de36686239.exe
File created	C:\Program Files\Windows_Update\Windows_Defender_Bypass.exe	efbb56f8386d1881cc20a3de36686239.exe
File opened for modification	C:\Program Files\Windows_Defender	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\__tmp_rar_sfx_access_check_240648562	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Defender\AdvancedRun.exe	windows_defender_bypass.exe
File created	C:\Program Files\Windows_Update\__tmp_rar_sfx_access_check_240632781	efbb56f8386d1881cc20a3de36686239.exe
File opened for modification	C:\Program Files\Windows_Update\Discord.exe	efbb56f8386d1881cc20a3de36686239.exe
File opened for modification	C:\Program Files\Windows_Update\Windows_Defender_Bypass.exe	efbb56f8386d1881cc20a3de36686239.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
3172	4752	WerFault.exe	104

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
4732	schtasks.exe
2592	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
1808	PING.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

windows_defender_bypass.exe

pid	Process
1604	windows_defender_bypass.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

efbb56f8386d1881cc20a3de36686239.exe

description	pid	Process	procid_target
PID 1212 wrote to memory of 1604	1212	efbb56f8386d1881cc20a3de36686239.exe	90
PID 1212 wrote to memory of 1604	1212	efbb56f8386d1881cc20a3de36686239.exe	90
PID 1212 wrote to memory of 1604	1212	efbb56f8386d1881cc20a3de36686239.exe	90

C:\Users\Admin\AppData\Local\Temp\efbb56f8386d1881cc20a3de36686239.exe
"C:\Users\Admin\AppData\Local\Temp\efbb56f8386d1881cc20a3de36686239.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Program Files\Windows_Update\windows_defender_bypass.exe
  "C:\Program Files\Windows_Update\windows_defender_bypass.exe" -pKazutoSan72@$%?:YB381#4PcVh9!0LqF5
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1604
- - C:\Program Files\Windows_Defender\AdvancedRun.exe
    "C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
    3⤵
    PID:5024
  - - C:\Program Files\Windows_Defender\AdvancedRun.exe
      "C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 5024
      4⤵
      PID:3740
- - C:\Program Files\Windows_Defender\AdvancedRun.exe
    "C:\Program Files\Windows_Defender\AdvancedRun.exe" /EXEFilename test.bat /RunAs 8 /Run
    3⤵
    PID:3020
  - - C:\Program Files\Windows_Defender\AdvancedRun.exe
      "C:\Program Files\Windows_Defender\AdvancedRun.exe" /SpecialRun 14001f2b0 3020
      4⤵
      PID:2804
- C:\Program Files\Windows_Update\Discord.exe
  "C:\Program Files\Windows_Update\Discord.exe" -pKazutoSan72@$%?:YB381#4PcVh9!0LqF5
  2⤵
  PID:1564
- - C:\Program Files\Windows_Defender\$77-Venom.exe
    "C:\Program Files\Windows_Defender\$77-Venom.exe"
    3⤵
    PID:4572
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Program Files\Windows_Defender\$77-Venom.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:4732
  - - C:\Windows\SysWOW64\Discord\$77Discord.exe
      "C:\Windows\SysWOW64\Discord\$77Discord.exe"
      4⤵
      PID:4752
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\SysWOW64\Discord\$77Discord.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XTKZCmWdLsmp.bat" "
        5⤵
        
        PID:4712
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 10 localhost
        6⤵
        Runs ping.exe
        
        PID:1808
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2952
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1996
        5⤵
        Program crash
        
        PID:3172
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4752 -ip 4752
1⤵
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows_Defender\$77-Venom.exe

Filesize
576KB

MD5
d33530be695abbae61885800b8dae773

SHA1
ff5c3f69b71ddcf20948d16e2a1a1602f54c9f69

SHA256
f650c17d393c32c30f3ba1e34bc981f5ec4357a2e2084752b2e47b3d72ca4676

SHA512
83c6828e113ef193a0ba10f8dd6790107821515e82ac3724da224f6b47eaf35a321583c99a20757a4e89a1d50f59e6dd349bfc5c3d5394361fe9510eeac146f1

Download Submit
C:\Program Files\Windows_Defender\AdvancedRun.exe

Filesize
148KB

MD5
fd048f729a521a51273897c937b0a132

SHA1
3ba5137721c135fe125f9667c45b01b9728d21ed

SHA256
71750e4d22b7a41ed8e5b1525e56e2c884a6d8170cae21636e8c201e555fa1e4

SHA512
9a04ab8b0f9dd4a9e8cd5f8c1a2fb66a3b3328da0ed026484f1c508a45e282128dc95278a886d51627a78bf07649dddfa259db2a8debd01eb92e9b568beb75ec

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
2.2MB

MD5
1271bae04138b77596b20a0bbab20d6b

SHA1
25ab11ca633ebeaa9e7b4a15e850b059df094572

SHA256
d3bc5277eed0a05a59e8bd4a8abd8276259f256bca2c6dbff8fab7245f0e5070

SHA512
04ebbd19c824ec1cbd1e693703489b91c89167c1c6ccf5bfb011c0820f640dfde4a300a26d9cc98dfbe498c13097807b0a7e7f7aa099e8a23681b28f62894a56

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
1.9MB

MD5
559528ed870e194c203a17fe86ccde7c

SHA1
942d097330e948daf3de189dd3b8f9e02eeab417

SHA256
907e16265dc94a442c9474bfda45644471fce09763de01411e492f7d290e8e1e

SHA512
6df203dd6bc2304a259f2dd1459e78c6527dc66a31dadf785c87f9b1abf66879b9967bf56d679521f41e2c27a900fa994c129a4089e2dc1452e6a6edbb3d1066

Download Submit
C:\Program Files\Windows_Update\Discord.exe

Filesize
357KB

MD5
6d3cc9bccbc17bc1f8f4eafdbdaffe91

SHA1
847c9c0cd3cf6dd72fcd2c83ec050c12f84a8104

SHA256
77141486c5fdd1ae847cd84cfcdc2db28a5fa588c3e0465959b7ac8b54d98774

SHA512
6ff80ddabcdfd1a8e0feba2490cf0f7000d063e7b34b87f277cf4acf29e556f419f6ca113125a2dcf0f5626f79f794095da240d540300ae950875462d6bd2696

Download Submit
C:\Program Files\Windows_Update\Windows_Defender_Bypass.exe

Filesize
339KB

MD5
bf92277e5e65c1174f446cfe4e5e9ea4

SHA1
54dd08b9405443d51006473cd78f404ccf06ee8a

SHA256
b8f59e47d92f6ec02282832a4dc0d516b5bf66c60f02f0808fe991e643e0dba5

SHA512
e8911aad42cc858ac1b56e78e9899ced4b05c0f077f6c4f1a951ea6152f30aa5bb5e04220e1d2ed59cf5493923130e2870815f915644b6ae395d3b25df985358

Download Submit
C:\Users\Admin\AppData\Local\Temp\XTKZCmWdLsmp.bat

Filesize
201B

MD5
7238a59b504b951848b5a29353907bbe

SHA1
59b88c7d74bd4e116196104a3cb4387b52a8c59b

SHA256
c694b23519af2e539d927357158b843be4ce8c33d0227bb616fcdba50543d591

SHA512
8d6db1ce2045a82a206ee301d9347bce65b8babf57778aeb19b0bfb8ed091ac026b229cc38c37462dd830fa4cbbbc758f12145bd4fcf48633c4cb546d7f8fa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qlroe1d.ng2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
64KB

MD5
a0daf82f5544419fc300df14d9bcbbab

SHA1
3308f7943ad448f21db29b463926f1698d1e0180

SHA256
fbdff89abac5227772ca4eeeb523a030628c63a2d75ad76d1b6654c27e1cb52e

SHA512
fb456b3aa8ae16824023a015e950f0afc34eaf08b4d49eaabe145dff8f3859985c07289262b3640ce395a862c1ba1202de7c749e729a206c0001436c5eb6311a

Download Submit
C:\Windows\SysWOW64\Discord\$77Discord.exe

Filesize
149KB

MD5
523306e6db396d7e9abc38ed75e81e56

SHA1
4632b9ba2475bb55a707571974d2af21fc41cc5d

SHA256
accad87d86e8e5e0d69d2efd78c410745952ad10ae31576913541b8d386d3365

SHA512
a1cbef92989fc708fdc1a949c73034174e1abf059aa09658577fa0804c545bf261206c5fb2189d5f086cb7f4362ae2ca0880b458f136c1ea1e0ae6bf64c91d1f

Download Submit
memory/60-120-0x0000000007350000-0x00000000073E6000-memory.dmp

Filesize
600KB

Download
memory/60-80-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/60-102-0x000000007F5E0000-0x000000007F5F0000-memory.dmp

Filesize
64KB

Download
memory/60-103-0x0000000006D80000-0x0000000006DB2000-memory.dmp

Filesize
200KB

Download
memory/60-118-0x00000000070D0000-0x00000000070EA000-memory.dmp

Filesize
104KB

Download
memory/60-114-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/60-119-0x0000000007140000-0x000000000714A000-memory.dmp

Filesize
40KB

Download
memory/60-76-0x0000000002410000-0x0000000002446000-memory.dmp

Filesize
216KB

Download
memory/60-77-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/60-79-0x0000000004FE0000-0x0000000005608000-memory.dmp

Filesize
6.2MB

Download
memory/60-104-0x000000006FFD0000-0x000000007001C000-memory.dmp

Filesize
304KB

Download
memory/60-117-0x0000000007710000-0x0000000007D8A000-memory.dmp

Filesize
6.5MB

Download
memory/60-81-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/60-82-0x0000000004D60000-0x0000000004D82000-memory.dmp

Filesize
136KB

Download
memory/60-83-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/60-121-0x00000000072D0000-0x00000000072E1000-memory.dmp

Filesize
68KB

Download
memory/60-89-0x0000000005760000-0x0000000005AB4000-memory.dmp

Filesize
3.3MB

Download
memory/60-94-0x0000000005DD0000-0x0000000005DEE000-memory.dmp

Filesize
120KB

Download
memory/60-95-0x0000000005E00000-0x0000000005E4C000-memory.dmp

Filesize
304KB

Download
memory/60-116-0x0000000006FC0000-0x0000000007063000-memory.dmp

Filesize
652KB

Download
memory/60-98-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/4572-66-0x0000000005200000-0x0000000005210000-memory.dmp

Filesize
64KB

Download
memory/4572-69-0x00000000064E0000-0x000000000651C000-memory.dmp

Filesize
240KB

Download
memory/4572-68-0x00000000060A0000-0x00000000060B2000-memory.dmp

Filesize
72KB

Download
memory/4572-67-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/4572-65-0x00000000052B0000-0x0000000005342000-memory.dmp

Filesize
584KB

Download
memory/4572-64-0x0000000005750000-0x0000000005CF4000-memory.dmp

Filesize
5.6MB

Download
memory/4572-63-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4572-62-0x0000000000830000-0x00000000008C6000-memory.dmp

Filesize
600KB

Download
memory/4752-97-0x0000000006D10000-0x0000000006D1A000-memory.dmp

Filesize
40KB

Download
memory/4752-78-0x00000000057B0000-0x00000000057C0000-memory.dmp

Filesize
64KB

Download
memory/4752-75-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download