Malware Analysis Report

2025-01-18 04:21

Sample ID 231226-bt8smaahdk
Target Update.exe
SHA256 42ade491c67312ca29a4d2ab39df56ce9dd29f6c76c8064bd2f87383e814a9eb
Tags
office04 quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

42ade491c67312ca29a4d2ab39df56ce9dd29f6c76c8064bd2f87383e814a9eb

Threat Level: Known bad

The file Update.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar family

Quasar RAT

Quasar payload

Executes dropped EXE

Drops file in Program Files directory

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-26 01:27

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-26 01:27

Reported

2023-12-26 01:30

Platform

win11-20231215-en

Max time kernel

168s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Update.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\SubDir\Update.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\SubDir\Update.exe C:\Program Files\SubDir\Update.exe N/A
File opened for modification C:\Program Files\SubDir C:\Program Files\SubDir\Update.exe N/A
File created C:\Program Files\SubDir\Update.exe C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
File opened for modification C:\Program Files\SubDir\Update.exe C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
File opened for modification C:\Program Files\SubDir C:\Users\Admin\AppData\Local\Temp\Update.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Update.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\SubDir\Update.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\SubDir\Update.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\SubDir\Update.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\SubDir\Update.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Update.exe

"C:\Users\Admin\AppData\Local\Temp\Update.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Update2.exe" /sc ONLOGON /tr "C:\Program Files\SubDir\Update.exe" /rl HIGHEST /f

C:\Program Files\SubDir\Update.exe

"C:\Program Files\SubDir\Update.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Update2.exe" /sc ONLOGON /tr "C:\Program Files\SubDir\Update.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp
N/A 127.0.0.1:8080 tcp

Files

memory/4288-0-0x0000000000290000-0x00000000005FA000-memory.dmp

memory/4288-1-0x00007FFCADAE0000-0x00007FFCAE5A2000-memory.dmp

memory/4288-2-0x0000000002730000-0x0000000002740000-memory.dmp

C:\Program Files\SubDir\Update.exe

MD5 f18ad4d563f71b31f1671cc53254ceed
SHA1 10717c0e669dfb725a227031142fea305189c741
SHA256 42ade491c67312ca29a4d2ab39df56ce9dd29f6c76c8064bd2f87383e814a9eb
SHA512 dff0521b3d80e1f507503a675854a87a9a3da785870485fd184532229622feceb855a55822ee68a629415e810fc77e25b58b10d25cb88c42f5215e97ad185890

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Update.exe.log

MD5 b4e91d2e5f40d5e2586a86cf3bb4df24
SHA1 31920b3a41aa4400d4a0230a7622848789b38672
SHA256 5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512 968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

memory/4288-10-0x00007FFCADAE0000-0x00007FFCAE5A2000-memory.dmp

memory/3192-11-0x00007FFCADAE0000-0x00007FFCAE5A2000-memory.dmp

memory/3192-12-0x000000001B300000-0x000000001B310000-memory.dmp

memory/3192-13-0x000000001BF50000-0x000000001BFA0000-memory.dmp

memory/3192-14-0x000000001C060000-0x000000001C112000-memory.dmp

memory/3192-15-0x00007FFCADAE0000-0x00007FFCAE5A2000-memory.dmp

memory/3192-16-0x000000001B300000-0x000000001B310000-memory.dmp