Malware Analysis Report

2025-01-18 04:35

Sample ID 231222-3e4c5sdfen
Target aabb.exe
SHA256 644b2903e1c8b5d6b63335e409b1d624e1bdf620de4bacab2d54c0bef69e5dae
Tags
office04 quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

644b2903e1c8b5d6b63335e409b1d624e1bdf620de4bacab2d54c0bef69e5dae

Threat Level: Known bad

The file aabb.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar payload

Quasar RAT

Quasar family

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 23:26

Signatures

Quasar family

quasar

Quasar payload

No indicator details recorded.

Unsigned PE

No indicator details recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 23:26

Reported

2023-12-22 23:29

Platform

win10v2004-20231215-en

Max time kernel

131s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aabb.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Three hits; no indicator details recorded.

Checks computer location settings

Key value queried: \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Executes dropped EXE

Process: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Process: C:\Windows\SYSTEM32\schtasks.exe (2 invocations)

Runs ping.exe

Process: C:\Windows\system32\PING.EXE

Suspicious use of AdjustPrivilegeToken

Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Local\Temp\aabb.exe
Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Suspicious use of WriteProcessMemory

Source PID / process -> Target PID / process (each pair was recorded twice)

4812 C:\Users\Admin\AppData\Local\Temp\aabb.exe -> 1236 C:\Windows\SYSTEM32\schtasks.exe (2 events)
4812 C:\Users\Admin\AppData\Local\Temp\aabb.exe -> 4680 C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (2 events)
4680 C:\Users\Admin\AppData\Roaming\SubDir\Client.exe -> 1432 C:\Windows\SYSTEM32\schtasks.exe (2 events)
4680 C:\Users\Admin\AppData\Roaming\SubDir\Client.exe -> 1636 C:\Windows\SYSTEM32\schtasks.exe (2 events)
4680 C:\Users\Admin\AppData\Roaming\SubDir\Client.exe -> 3576 C:\Windows\system32\cmd.exe (2 events)
3576 C:\Windows\system32\cmd.exe -> 2300 C:\Windows\system32\chcp.com (2 events)
3576 C:\Windows\system32\cmd.exe -> 1680 C:\Windows\system32\PING.EXE (2 events)

Uses Task Scheduler COM API

persistence

Processes

Process tree. Parent/child relationships are taken from the WriteProcessMemory entries above; PIDs are given where those entries identify the process. The two schtasks children of Client.exe are PIDs 1432 and 1636, but the entries do not say which command line belongs to which.

C:\Users\Admin\AppData\Local\Temp\aabb.exe (PID 4812)
  "C:\Users\Admin\AppData\Local\Temp\aabb.exe"

  C:\Windows\SYSTEM32\schtasks.exe (PID 1236)
    "schtasks" /create /tn "Counter Strike Global Offensive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

  C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (PID 4680)
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

    C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /create /tn "Counter Strike Global Offensive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

    C:\Windows\SYSTEM32\schtasks.exe
      "schtasks" /delete /tn "Counter Strike Global Offensive" /f

    C:\Windows\system32\cmd.exe (PID 3576)
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qBSJqcjwth62.bat" "

      C:\Windows\system32\chcp.com (PID 2300)
        chcp 65001

      C:\Windows\system32\PING.EXE (PID 1680)
        ping -n 10 localhost
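The command lines above are the complete Quasar install hand-off: the dropper registers the copied Client.exe as a task that runs at every logon with the highest run level, the dropped client re-creates and then deletes the same task, and it runs a batch file from Temp whose recorded children are a code-page change and ping -n 10 localhost, the usual cmd idiom for a roughly nine-second delay. The Python below is an added example for this report, not part of the sandbox's tooling or of Quasar: it runs the recorded command lines through a small triage routine that flags each of those steps. The AppData/Temp path checks, the category names and the treatment of a localhost ping as a delay are the example's own assumptions.

```python
import ntpath
import re

# Command lines as recorded in the Processes section of this report (sample input).
PROCESS_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\aabb.exe"',
    r'"schtasks" /create /tn "Counter Strike Global Offensive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f',
    r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"',
    r'"schtasks" /create /tn "Counter Strike Global Offensive" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f',
    r'"schtasks" /delete /tn "Counter Strike Global Offensive" /f',
    r'chcp 65001',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qBSJqcjwth62.bat" "',
    r'ping -n 10 localhost',
]

# Assumption: a logon task whose action lives under a user's AppData is
# user-level malware persistence rather than an installed product.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\AppData\\', re.IGNORECASE)
# Assumption: a .bat under a Temp directory started via cmd /c is worth flagging.
TEMP_BAT = re.compile(r'([A-Za-z]:\\[^"]*\\Temp\\[^"\\]+\.bat)', re.IGNORECASE)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    Backslashes are literal here (unlike POSIX shlex), so paths survive intact."""
    return [quoted if quoted else bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(tokens):
    """Map schtasks switches (lower-cased) to their value, or None for bare flags."""
    opts = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith('/'):
            value = None
            if i + 1 < len(tokens) and not tokens[i + 1].startswith('/'):
                value = tokens[i + 1]
                i += 1
            opts[tok.lower()] = value
        i += 1
    return opts


def triage(cmdlines):
    """Return (category, subject, reason) findings for the chain this report
    records: logon-task persistence, task removal, a .bat from Temp, a ping delay."""
    findings = []
    for cmd in cmdlines:
        tokens = tokenize(cmd)
        if not tokens:
            continue
        image = ntpath.basename(tokens[0]).lower()
        if image in ('schtasks', 'schtasks.exe'):
            opts = parse_schtasks(tokens)
            name = opts.get('/tn')
            if '/create' in opts:
                reasons = []
                if (opts.get('/sc') or '').upper() == 'ONLOGON':
                    reasons.append('runs at every logon')
                if (opts.get('/rl') or '').upper() == 'HIGHEST':
                    reasons.append('requests highest run level')
                if USER_WRITABLE.search(opts.get('/tr') or ''):
                    reasons.append('action lives under AppData')
                if reasons:
                    findings.append(('persistence', name, '; '.join(reasons)))
            elif '/delete' in opts:
                findings.append(('cleanup', name, 'scheduled task removed'))
        elif image in ('cmd', 'cmd.exe'):
            m = TEMP_BAT.search(cmd)
            if m:
                findings.append(('temp_batch', m.group(1), 'cmd.exe /c running a batch file from Temp'))
        elif image in ('ping', 'ping.exe'):
            if '-n' in tokens and tokens[-1].lower() in ('localhost', '127.0.0.1'):
                idx = tokens.index('-n')
                if idx + 1 < len(tokens) and tokens[idx + 1].isdigit() and int(tokens[idx + 1]) > 1:
                    count = int(tokens[idx + 1])
                    findings.append(('delay', f'ping -n {count}', f'about {count - 1}s sleep via localhost ping'))
    return findings


def looks_like_quasar_install(findings):
    """True when persistence, cleanup and the Temp-batch/delay pair all appear,
    i.e. the dropper-to-client hand-off recorded in this report."""
    return {'persistence', 'cleanup', 'temp_batch', 'delay'} <= {f[0] for f in findings}


if __name__ == '__main__':
    found = triage(PROCESS_CMDLINES)
    for f in found:
        print(*f, sep=' | ')
    print('quasar-like install chain:', looks_like_quasar_install(found))
```

Feeding it process-creation telemetry from a real endpoint instead of the list above needs only the command-line column; the routine ignores processes it has no rule for, so the two executables themselves produce no finding and the signal comes entirely from their children.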

Network

Country  Destination            Domain                          Proto
NL       52.142.223.178:80      (none)                          tcp
US       8.8.8.8:53             82.177.190.20.in-addr.arpa      udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53             194.178.17.96.in-addr.arpa      udp
US       8.8.8.8:53             59.128.231.4.in-addr.arpa       udp
US       8.8.8.8:53             241.154.82.20.in-addr.arpa      udp
US       8.8.8.8:53             43.58.199.20.in-addr.arpa       udp
US       8.8.8.8:53             0.tcp.eu.ngrok.io               udp
DE       3.125.102.39:15683     0.tcp.eu.ngrok.io               tcp
US       8.8.8.8:53             41.110.16.96.in-addr.arpa       udp
US       8.8.8.8:53             ipwho.is                        udp
DE       195.201.57.90:443      ipwho.is                        tcp
US       8.8.8.8:53             39.102.125.3.in-addr.arpa       udp
US       8.8.8.8:53             146.78.124.51.in-addr.arpa      udp
US       8.8.8.8:53             90.57.201.195.in-addr.arpa      udp
US       8.8.8.8:53             103.169.127.40.in-addr.arpa     udp
US       8.8.8.8:53             2.136.104.51.in-addr.arpa       udp
US       8.8.8.8:53             15.164.165.52.in-addr.arpa      udp
US       8.8.8.8:53             217.135.221.88.in-addr.arpa     udp
US       8.8.8.8:53             tse1.mm.bing.net                udp
US       204.79.197.200:443     tse1.mm.bing.net                tcp (5 connections)
US       8.8.8.8:53             200.197.79.204.in-addr.arpa     udp
US       8.8.8.8:53             48.229.111.52.in-addr.arpa      udp
US       8.8.8.8:53             91.65.42.20.in-addr.arpa        udp
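Only four destinations in this capture are not DNS: a connection to 52.142.223.178:80 made without any preceding name lookup, a TCP session to 0.tcp.eu.ngrok.io on port 15683 (ngrok is a legitimate reverse-tunnel service, which is consistent with the "Legitimate hosting services abused for malware hosting/C2" signature; its TCP tunnels hand out arbitrary high ports, so the port number itself is not the signal), an HTTPS request to ipwho.is (a public IP geolocation service) and Bing traffic of the kind commonly seen from an idle Windows 10 VM. The many in-addr.arpa queries are reverse lookups of addresses, and reversing them back to IPs shows which of them concern the sample's own destinations. The Python below is an added example for this report, not part of the sandbox's tooling: it parses the rows above, buckets them by what they are, and correlates the reverse lookups with the connections. The tunnel, geolocation and OS-noise lists are the example's own assumptions.

```python
import re

# Rows copied from the Network section of this report (sample input). A row with
# no domain is a connection made without a preceding name lookup.
NETWORK_TABLE = """
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 0.tcp.eu.ngrok.io udp
DE 3.125.102.39:15683 0.tcp.eu.ngrok.io tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 39.102.125.3.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
"""

# Analyst-maintained lists. Membership is an assumption made for this example,
# not something the report states; extend them from your own environment.
TUNNEL_SUFFIXES = ('.ngrok.io',)      # reverse-tunnel services rented as C2 endpoints
GEOIP_HOSTS = ('ipwho.is',)           # public IP/geolocation lookup services
OS_NOISE_SUFFIXES = ('.bing.net',)    # Windows background traffic seen in most detonations

ROW = re.compile(r'^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)'
                 r'\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$')


def parse_rows(text):
    """Parse the flattened 'Country Destination Domain Proto' rows; domain may be absent."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f'unparsed network row: {line!r}')
        row = m.groupdict()
        row['port'] = int(row['port'])
        rows.append(row)
    return rows


def ptr_to_ip(name):
    """Turn a reverse-lookup name back into the IPv4 address it asks about."""
    if not name or not name.endswith('.in-addr.arpa'):
        return None
    octets = name[:-len('.in-addr.arpa')].split('.')
    return '.'.join(reversed(octets)) if len(octets) == 4 else None


def is_dns(row):
    return row['port'] == 53 and row['proto'] == 'udp'


def classify(row):
    domain = (row['domain'] or '').lower()
    if is_dns(row):
        return 'ptr_lookup' if domain.endswith('.in-addr.arpa') else 'dns_query'
    if not domain:
        return 'direct_ip'        # connection with no name resolved first
    if domain.endswith(TUNNEL_SUFFIXES):
        return 'tunnel_c2'
    if domain in GEOIP_HOSTS:
        return 'geoip'
    if domain.endswith(OS_NOISE_SUFFIXES):
        return 'os_noise'
    return 'other'


def screen(rows):
    buckets = {}
    for row in rows:
        buckets.setdefault(classify(row), []).append(row)
    return buckets


def correlate_ptr(rows):
    """Addresses that were both connected to and reverse-resolved: the PTR noise
    that actually belongs to the sample's own destinations."""
    connected = {r['ip'] for r in rows if not is_dns(r)}
    reversed_ips = {ptr_to_ip(r['domain']) for r in rows} - {None}
    return connected & reversed_ips


def c2_candidates(rows):
    """domain -> ip:port for every connection to a tunnel service."""
    return {r['domain']: f"{r['ip']}:{r['port']}" for r in screen(rows).get('tunnel_c2', [])}
```

On this capture the correlation returns the ngrok endpoint, the ipwho.is server and the Bing address, so three of the seventeen reverse lookups describe the sample's own connections and the rest are unrelated; the unnamed 52.142.223.178:80 connection is the one destination the table gives no name for and is worth a separate lookup before it goes into a blocklist.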

Files

Dropped files

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (first capture)

MD5 ae40b244c39e229d0dee23c03e383cd4
SHA1 dd0b7106b18815e3f2c986d7fbf4d022896670e3
SHA256 d3af84bbd4667e89e783f052c5c91728499842d492af84c8b579272df7178d14
SHA512 1f3120f2f3151ec9612e59c8a743a61c3eef96cf093487acf34d770c84553a818c80021c7304b43b39cd85e437a8bd2b6ab166155b0f4d5818e97b1577f14539

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (second capture; the same path was recorded twice with different contents)

MD5 5ec34c9f80b5f2bfe26a4b947b7ba500
SHA1 318cd1ed0cc1b871e333bc791d6394874dcbcd04
SHA256 1b0a855b348c580b37a2b386dc903f663f57c262b0673b7d64941782e33f5d3d
SHA512 b6500ba787f77be74f6d2a5f34412a67c9552b63159db4a537b64e8a335a99ebb48cba592c1784e1ec56941e1a6f9dadd5347712b77f429dab0b4bc6f87952c1

C:\Users\Admin\AppData\Local\Temp\qBSJqcjwth62.bat

MD5 e855c4caed097c63615af018e9c5fef7
SHA1 1fd53aae06ca1615dd39683804e89a29cdecf26e
SHA256 593dc434488c5e732d101474874f333642a75305904bd5d468d7ed8a2c6ea62e
SHA512 18c04866bfafdd89bc7987817330d31e08fefe69a79a784a5681d9e8f0c913c0fed0888653dbbf28e28812781445611bb8666eab696e568eb32a13c9f889690f

Memory dumps (PID-sequence-address range, in capture order)

memory/4812-0-0x0000000000790000-0x0000000000AB4000-memory.dmp
memory/4812-1-0x00007FFD5B8F0000-0x00007FFD5C3B1000-memory.dmp
memory/4812-2-0x000000001B770000-0x000000001B780000-memory.dmp
memory/4680-9-0x00007FFD5B8F0000-0x00007FFD5C3B1000-memory.dmp
memory/4812-8-0x00007FFD5B8F0000-0x00007FFD5C3B1000-memory.dmp
memory/4680-10-0x0000000003280000-0x0000000003290000-memory.dmp
memory/4680-11-0x000000001C9E0000-0x000000001CA30000-memory.dmp
memory/4680-12-0x000000001CAF0000-0x000000001CBA2000-memory.dmp
memory/4680-16-0x000000001CA90000-0x000000001CACC000-memory.dmp
memory/4680-15-0x000000001CA30000-0x000000001CA42000-memory.dmp
memory/4680-17-0x00007FFD5B8F0000-0x00007FFD5C3B1000-memory.dmp
memory/4680-23-0x00007FFD5B8F0000-0x00007FFD5C3B1000-memory.dmp