Malware Analysis Report

2025-01-18 04:17

Sample ID 231224-vhej7aedhq
Target 06fccbe26fa141b29fa96d8557088fd2
SHA256 14b8c6744a3ea825dd9f3381af9ceef553496d116b75f9803c6cd368f277a11b
Tags
office04 quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

14b8c6744a3ea825dd9f3381af9ceef553496d116b75f9803c6cd368f277a11b

Threat Level: Known bad

The file 06fccbe26fa141b29fa96d8557088fd2 was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar RAT

Quasar family

Quasar payload

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-24 16:59

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-24 16:59

Reported

2023-12-24 19:24

Platform

win7-20231129-en

Max time kernel

149s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06fccbe26fa141b29fa96d8557088fd2.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
(6 matches; no description, indicator, process or target recorded for any of them)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06fccbe26fa141b29fa96d8557088fd2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06fccbe26fa141b29fa96d8557088fd2.exe

"C:\Users\Admin\AppData\Local\Temp\06fccbe26fa141b29fa96d8557088fd2.exe"

C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe

"C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe"

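The process tree above is the "Executes dropped EXE" behaviour in concrete form: the sample running from %TEMP% writes HypixelCoinGeneratorV2.exe into a dot-prefixed directory under %APPDATA%\Roaming and launches it. What follows is an added example, written for this page and not sandbox or Quasar code, of detection logic that flags that chain from process-creation telemetry. The events are constructed: PIDs, the benign third process and the "signed" field are made up for the example (the report does not record a signature check for the dropped file), and the rule names are illustrative.

```python
from pathlib import PureWindowsPath

# Constructed process-creation events modelled on the process tree in this run.
# PIDs and the third (benign) event are made up for the example; "signed" is a constructed
# field, not something the report records for the dropped file.
EVENTS = [
    {"pid": 1001, "ppid": 900, "signed": False,
     "image": r"C:\Users\Admin\AppData\Local\Temp\06fccbe26fa141b29fa96d8557088fd2.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 1002, "ppid": 1001, "signed": False,
     "image": r"C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\06fccbe26fa141b29fa96d8557088fd2.exe"},
    {"pid": 1003, "ppid": 900, "signed": True,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def _dirs(path):
    """Lower-cased directory components of a Windows path, drive and file name excluded."""
    return [p.lower() for p in PureWindowsPath(path).parts[1:-1]]


def triggered_rules(ev):
    """Return the names of the detection rules an event matches, in a fixed order."""
    dirs = _dirs(ev["image"])
    parent_dirs = _dirs(ev["parent_image"])
    rules = []
    # 1. A binary launched from a dot-prefixed directory under AppData (".Minecraft" here):
    #    dot directories are a Unix habit with no normal role on Windows and hide from casual listing.
    if "appdata" in dirs and any(d.startswith(".") for d in dirs):
        rules.append("exec_from_dot_dir_in_appdata")
    # 2. Unsigned binary executing out of the user profile's AppData tree.
    if not ev["signed"] and "appdata" in dirs:
        rules.append("unsigned_binary_in_appdata")
    # 3. "Executes dropped EXE": a Temp-resident parent spawning a child it installed under AppData.
    if "temp" in parent_dirs and "appdata" in parent_dirs and "appdata" in dirs:
        rules.append("appdata_child_of_temp_parent")
    return rules


def alerts(events):
    """Map pid -> triggered rules for every event that matched at least one rule."""
    return {ev["pid"]: rules for ev in events if (rules := triggered_rules(ev))}


def dropper_chains(events):
    """(parent pid, child pid) pairs where the child matched the dropped-EXE rule and the
    parent is itself an alerted process: the chain that corresponds to this report's process tree."""
    flagged = alerts(events)
    return [(ev["ppid"], ev["pid"]) for ev in events
            if "appdata_child_of_temp_parent" in flagged.get(ev["pid"], []) and ev["ppid"] in flagged]


if __name__ == "__main__":
    for pid, rules in alerts(EVENTS).items():
        print(pid, rules)
    print("dropper chains:", dropper_chains(EVENTS))
```

On its own the AppData rule is noisy (user-mode installers for chat clients and browsers legitimately run from AppData), so the signal is in the conjunction: an unsigned image in a dot directory, started by a parent that itself lives in Temp. The dot-directory rule is the one worth alerting on at high severity by itself.
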
Network

Country  Destination         Domain  Proto  Hits
N/A      192.168.1.187:6921  -       tcp    7

192.168.1.187 is an RFC 1918 private address and unreachable from the sandbox; the seven repeated TCP attempts to port 6921, the only network activity in this run, are consistent with the Quasar client retrying its configured C2 endpoint rather than reaching a live server.

Files

memory/2880-0-0x0000000001190000-0x0000000001214000-memory.dmp

memory/2880-1-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

memory/2880-2-0x000000001B150000-0x000000001B1D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe

MD5 2a39190897614eb8346b041c637a5708
SHA1 d89460ed675249ee095a3180193ded8909d01088
SHA256 4bd2553381108e6a88f5f0b03b793c2a02da79c2312fecec71cdea6468ba61b2
SHA512 ede94304fb7bf93238acb24e9718fbd92d52a7dba0284a196b09bd41d6641a6da62a1fd0034a77b1ba75a0165a5fc1e5ac70623b318c9165d1e72cf675372ac7

memory/2768-9-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

memory/2880-8-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

memory/2768-10-0x000000001AF70000-0x000000001AFF0000-memory.dmp

memory/2768-7-0x0000000000020000-0x00000000000A4000-memory.dmp

C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe

MD5 2811297f9c7077672c6a0b5ad074829b
SHA1 781ae04820090c428c8092cd632ffe1a244b6f92
SHA256 c9cdc4a8b5995fb3ed82e2c33f13e71e5ffeab112b5109450bdfad7fd539174e
SHA512 8e5eb0e7126b4b68b87d6e95efe351fb636ca9b0899d10765ddb8f5077ac43f0f033f565af9b88c39f16e2838b95d87832a206ad48861f854138ad3891d8d4b1

memory/2768-11-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

memory/2768-12-0x000000001AF70000-0x000000001AFF0000-memory.dmp
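The Files section lists memory dumps whose names encode the process and address range, and two different hash sets for the same dropped path. The following is an added example, not part of the report, that parses that section to group dumped regions per PID, find ranges dumped from both processes, and show that the dropped file's hash changes within the run. The name layout memory/<pid>-<sequence>-<start>-<end>-memory.dmp is an assumption inferred from the entries (the report does not document it); the input is constructed from this run's entries with the SHA1 and SHA512 lines left out for brevity.

```python
import re
from collections import defaultdict

# Constructed input: the entries of this run's Files section re-joined into one text block
# (only MD5 and SHA256 lines kept for brevity; the parser accepts SHA1/SHA512 too).
FILES_TEXT = r"""
memory/2880-0-0x0000000001190000-0x0000000001214000-memory.dmp
memory/2880-1-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
memory/2880-2-0x000000001B150000-0x000000001B1D0000-memory.dmp
C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe
MD5 2a39190897614eb8346b041c637a5708
SHA256 4bd2553381108e6a88f5f0b03b793c2a02da79c2312fecec71cdea6468ba61b2
memory/2768-9-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
memory/2880-8-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
memory/2768-10-0x000000001AF70000-0x000000001AFF0000-memory.dmp
memory/2768-7-0x0000000000020000-0x00000000000A4000-memory.dmp
C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe
MD5 2811297f9c7077672c6a0b5ad074829b
SHA256 c9cdc4a8b5995fb3ed82e2c33f13e71e5ffeab112b5109450bdfad7fd539174e
memory/2768-11-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp
memory/2768-12-0x000000001AF70000-0x000000001AFF0000-memory.dmp
"""

# Dump names are read as memory/<pid>-<sequence>-<start>-<end>-memory.dmp (assumed layout,
# inferred from the entries; the report does not document it).
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files_section(text):
    """Return (dumps, dropped): dump regions as dicts and dropped files as {path, md5, sha256, ...}."""
    dumps, dropped, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m[1].lower()] = m[2].lower()
            continue
        current = {"path": line}          # any other line starts a new dropped-file entry
        dropped.append(current)
    return dumps, dropped


def regions_by_pid(dumps):
    """pid -> sorted list of (start, end, size) for the regions dumped from that process."""
    out = defaultdict(set)
    for d in dumps:
        out[d["pid"]].add((d["start"], d["end"], d["size"]))
    return {pid: sorted(r) for pid, r in out.items()}


def shared_regions(dumps):
    """Address ranges dumped from more than one pid. The same range in two processes is
    normally a shared module image (the report does not name the module)."""
    owners = defaultdict(set)
    for d in dumps:
        owners[(d["start"], d["end"])].add(d["pid"])
    return {rng: pids for rng, pids in owners.items() if len(pids) > 1}


def distinct_hashes(dropped, algo="sha256"):
    """path -> set of distinct hashes seen for that path; more than one means the file was rewritten."""
    out = defaultdict(set)
    for f in dropped:
        if algo in f:
            out[f["path"]].add(f[algo])
    return dict(out)


if __name__ == "__main__":
    dumps, dropped = parse_files_section(FILES_TEXT)
    for pid, regions in regions_by_pid(dumps).items():
        print(pid, [f"0x{s:X}-0x{e:X} ({size // 1024} KiB)" for s, e, size in regions])
    print("shared:", {f"0x{s:X}-0x{e:X}": sorted(p) for (s, e), p in shared_regions(dumps).items()})
    print("hashes per path:", {p: len(h) for p, h in distinct_hashes(dropped).items()})
```

The practical point is in the last line of output: two SHA256 values for HypixelCoinGeneratorV2.exe in this run alone, and four across the report, so hash IOCs on the dropped copy will not match the next detonation. The drop path, the 192.168.1.187:6921 destination and the Temp-to-Roaming process chain are the stable indicators here.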

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-24 16:59

Reported

2023-12-24 19:24

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06fccbe26fa141b29fa96d8557088fd2.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
(3 matches; no description, indicator, process or target recorded for any of them)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\06fccbe26fa141b29fa96d8557088fd2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06fccbe26fa141b29fa96d8557088fd2.exe

"C:\Users\Admin\AppData\Local\Temp\06fccbe26fa141b29fa96d8557088fd2.exe"

C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe

"C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe"

Network

Identical rows merged; Hits is the number of occurrences, and Domain is shown as - where the capture recorded none.

Country  Destination          Domain                        Proto  Hits
N/A      192.168.1.187:6921   -                             tcp    7
US       8.8.8.8:53           g.bing.com                    udp    1
US       8.8.8.8:53           21.177.190.20.in-addr.arpa    udp    1
US       8.8.8.8:53           158.240.127.40.in-addr.arpa   udp    1
US       8.8.8.8:53           240.221.184.93.in-addr.arpa   udp    1
US       8.8.8.8:53           95.221.229.192.in-addr.arpa   udp    1
US       8.8.8.8:53           55.36.223.20.in-addr.arpa     udp    1
US       8.8.8.8:53           9.228.82.20.in-addr.arpa      udp    1
US       8.8.8.8:53           200.197.79.204.in-addr.arpa   udp    1
US       8.8.8.8:53           183.59.114.20.in-addr.arpa    udp    1
US       8.8.8.8:53           41.110.16.96.in-addr.arpa     udp    1
US       8.8.8.8:53           241.154.82.20.in-addr.arpa    udp    1
US       8.8.8.8:53           18.31.95.13.in-addr.arpa      udp    1
US       8.8.8.8:53           104.241.123.92.in-addr.arpa   udp    1
US       8.8.8.8:53           119.110.54.20.in-addr.arpa    udp    1
US       8.8.8.8:53           217.135.221.88.in-addr.arpa   udp    1
US       8.8.8.8:53           211.178.17.96.in-addr.arpa    udp    1
US       8.8.8.8:53           0.204.248.87.in-addr.arpa     udp    1
US       8.8.8.8:53           43.229.111.52.in-addr.arpa    udp    1
US       8.8.8.8:53           -                             udp    12
US       204.79.197.200:443   g.bing.com                    tcp    1
US       204.79.197.200:443   -                             tcp    5
GB       88.221.134.17:80     -                             tcp    28
N/A      88.221.134.18:80     -                             tcp    2
US       93.184.221.240:80    -                             tcp    4
N/A      20.74.47.205:443     -                             tcp    1
N/A      52.111.229.43:443    -                             tcp    1
N/A      20.223.35.26:443     -                             tcp    3
N/A      20.42.65.90:443      -                             tcp    1
US       192.229.221.95:80    -                             tcp    1

Only 192.168.1.187:6921 recurs in both runs (seven connection attempts here, as on win7). The DNS and PTR lookups to 8.8.8.8 and the HTTP/HTTPS sessions to public addresses (g.bing.com among them) appear only in the win10 run and carry no process attribution in this capture, so treat them as guest background traffic unless a process-level capture ties them to the sample.
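Added example, written for this page rather than taken from the sandbox, of the triage a practitioner does by hand on a table like the one above: separate DNS and ordinary web traffic from recurring connections to a non-web or private destination, then rank what remains by repetition. The input is a constructed subset of the table's rows in its own "Country Destination [Domain] Proto" row format; the bucket names and the min_hits threshold are illustrative choices.

```python
import ipaddress
from collections import Counter

# Constructed input: a subset of rows from the behavioral2 network table in this report,
# in its "Country Destination [Domain] Proto" row format (the Domain column is often empty).
SAMPLE_ROWS = """\
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
N/A 192.168.1.187:6921 tcp
US 204.79.197.200:443 g.bing.com tcp
N/A 192.168.1.187:6921 tcp
GB 88.221.134.17:80 tcp
US 8.8.8.8:53 udp
GB 88.221.134.17:80 tcp
N/A 192.168.1.187:6921 tcp
US 93.184.221.240:80 tcp
N/A 20.223.35.26:443 tcp
N/A 192.168.1.187:6921 tcp
""".splitlines()


def parse_row(line):
    """Split one table row; the Domain field is optional, so rows have three or four fields."""
    parts = line.split()
    if len(parts) == 3:
        country, dest, proto = parts
        domain = None
    elif len(parts) == 4:
        country, dest, domain, proto = parts
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, port = dest.rsplit(":", 1)
    return {"country": country, "host": host, "port": int(port), "domain": domain, "proto": proto}


def classify(row):
    """Coarse triage bucket for one connection."""
    ip = ipaddress.ip_address(row["host"])
    if row["proto"] == "udp" and row["port"] == 53:
        return "dns"
    if ip.is_private:
        # RFC 1918 (or link-local) destination: unreachable from a sandbox, so a hard-coded
        # private C2 address in the sample's configuration is the usual explanation.
        return "private"
    if row["port"] in (80, 443):
        # Public web traffic: commonly OS/background noise, but a RAT on 443 would land here too.
        return "web"
    return "other"


def summarize(lines):
    """Count connections per bucket."""
    return dict(Counter(classify(parse_row(line)) for line in lines))


def c2_candidates(lines, min_hits=2):
    """Destinations that are neither DNS nor plain web traffic, most-contacted first.
    Repeated connections to one host:port are the beaconing pattern a RAT client produces."""
    hits = Counter()
    for line in lines:
        row = parse_row(line)
        if classify(row) in ("private", "other"):
            hits[(row["host"], row["port"], row["proto"])] += 1
    return [(host, port, proto, n) for (host, port, proto), n in hits.most_common() if n >= min_hits]


if __name__ == "__main__":
    print(summarize(SAMPLE_ROWS))
    for host, port, proto, n in c2_candidates(SAMPLE_ROWS):
        print(f"{host}:{port}/{proto} contacted {n} times")
```

Run over the full table the same logic leaves a single candidate, 192.168.1.187:6921/tcp. The port-based "web" bucket is a triage shortcut, not a verdict: a RAT configured for 443 would sit in it, so entries there still need the domain and process attribution that the capture shows for g.bing.com but not for the other public destinations.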

Files

memory/2876-0-0x0000000000870000-0x00000000008F4000-memory.dmp

memory/2876-2-0x000000001B6D0000-0x000000001B6E0000-memory.dmp

memory/2876-1-0x00007FFAEE590000-0x00007FFAEF051000-memory.dmp

C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe

MD5 5f6c7f0c854b383f61565d46854b7b4f
SHA1 f8b76c2f80c608ac417421797a2fd55cbaba400e
SHA256 32b3cfbe2631b800dedaee778c73efdd560537863055bf0dae67720c5e31c5d0
SHA512 ef707b2ec4e37ed3217eb9847935144566881a94702edb13942e45558312951c5ed22d132f34dc4d3f72633d5a68b100f236c2a72b1d478d844328b2b06a63d0

memory/2876-9-0x00007FFAEE590000-0x00007FFAEF051000-memory.dmp

memory/732-10-0x0000000002CF0000-0x0000000002D00000-memory.dmp

memory/732-8-0x00007FFAEE590000-0x00007FFAEF051000-memory.dmp

C:\Users\Admin\AppData\Roaming\.Minecraft\HypixelCoinGeneratorV2.exe

MD5 19a69d252f834d9dbde9423bf0ad79c7
SHA1 b4d8f18c87f76313989fc70bb9a85e255c0d591e
SHA256 5c037f5c993f8203340a065ecca921f977f12aa5abb763889f077396144f7550
SHA512 fb82de9df34e2aaa3fbd274be4378350c9b2ea81ff81194b4738f1aa39f45327852590942b301b1ba414afe67085e0c412b868ebbf761684989e586cfbfb9226

memory/732-11-0x000000001C1A0000-0x000000001C1F0000-memory.dmp

memory/732-12-0x000000001C2B0000-0x000000001C362000-memory.dmp

memory/732-13-0x00007FFAEE590000-0x00007FFAEF051000-memory.dmp

memory/732-14-0x0000000002CF0000-0x0000000002D00000-memory.dmp