Malware Analysis Report

2025-01-18 04:18

Sample ID 231227-vqak7saacr
Target winapp.exe
SHA256 9724121bb6285ee007ee656a20a13cdd111a01fac23d1596a7e6b5e9a6a4cf44
Tags: office04 quasar spyware trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 9724121bb6285ee007ee656a20a13cdd111a01fac23d1596a7e6b5e9a6a4cf44

Threat Level: Known bad

The file winapp.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar family

Quasar payload

Quasar RAT

Executes dropped EXE

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-27 17:11

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-27 17:11
Reported: 2023-12-27 17:21
Platform: win10v2004-20231215-en
Max time kernel: 590s
Max time network: 604s

Command Line

"C:\Users\Admin\AppData\Local\Temp\winapp.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WinApp\winapp.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\WinApp\winapp.exe | C:\Users\Admin\AppData\Local\Temp\winapp.exe | N/A
File opened for modification | C:\Windows\system32\WinApp\winapp.exe | C:\Users\Admin\AppData\Local\Temp\winapp.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\winapp.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\WinApp\winapp.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WinApp\winapp.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WinApp\winapp.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WinApp\winapp.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\winapp.exe

"C:\Users\Admin\AppData\Local\Temp\winapp.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "winapp" /sc ONLOGON /tr "C:\Windows\system32\WinApp\winapp.exe" /rl HIGHEST /f

C:\Windows\system32\WinApp\winapp.exe

"C:\Windows\system32\WinApp\winapp.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "winapp" /sc ONLOGON /tr "C:\Windows\system32\WinApp\winapp.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 63.179.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
N/A | 192.168.68.121:4782 | | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
N/A | 192.168.68.121:4782 | | tcp
US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 49.179.17.96.in-addr.arpa | udp
N/A | 192.168.68.121:4782 | | tcp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp

Files

memory/3104-0-0x00000000000E0000-0x0000000000404000-memory.dmp

memory/3104-1-0x00007FFC46AC0000-0x00007FFC47581000-memory.dmp

memory/3104-2-0x000000001AFE0000-0x000000001AFF0000-memory.dmp

C:\Windows\System32\WinApp\winapp.exe

MD5 d392cdbed5244c1fbd5b46d63dd519bc
SHA1 3811346ed1ef2b549e10e75d508f411b7a1e9d6a
SHA256 9724121bb6285ee007ee656a20a13cdd111a01fac23d1596a7e6b5e9a6a4cf44
SHA512 4378130941bde8fcb009f42fd4addcc70b2f90a9cfa51c08fc00c1c8c307f51c4a62f0c66d996eb8a612d44792958a83d269db34eed9c5e542b1dc505c0f3f50

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winapp.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/3104-10-0x00007FFC46AC0000-0x00007FFC47581000-memory.dmp

memory/2408-9-0x00007FFC46AC0000-0x00007FFC47581000-memory.dmp

memory/2408-11-0x000000001B800000-0x000000001B810000-memory.dmp

memory/2408-12-0x000000001C5B0000-0x000000001C600000-memory.dmp

memory/2408-13-0x000000001C6C0000-0x000000001C772000-memory.dmp

memory/2408-14-0x00007FFC46AC0000-0x00007FFC47581000-memory.dmp

memory/2408-15-0x000000001CFF0000-0x000000001D518000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-27 17:11
Reported: 2023-12-27 17:22
Platform: win11-20231215-en
Max time kernel: 591s
Max time network: 601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\winapp.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WinApp\winapp.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\WinApp\winapp.exe | C:\Users\Admin\AppData\Local\Temp\winapp.exe | N/A
File opened for modification | C:\Windows\system32\WinApp\winapp.exe | C:\Users\Admin\AppData\Local\Temp\winapp.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\winapp.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\WinApp\winapp.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WinApp\winapp.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WinApp\winapp.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\WinApp\winapp.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\winapp.exe

"C:\Users\Admin\AppData\Local\Temp\winapp.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "winapp" /sc ONLOGON /tr "C:\Windows\system32\WinApp\winapp.exe" /rl HIGHEST /f

C:\Windows\system32\WinApp\winapp.exe

"C:\Windows\system32\WinApp\winapp.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "winapp" /sc ONLOGON /tr "C:\Windows\system32\WinApp\winapp.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
US | 52.111.227.14:443 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp
N/A | 192.168.68.121:4782 | | tcp

Files

memory/1044-0-0x00000000003E0000-0x0000000000704000-memory.dmp

memory/1044-2-0x00000000010C0000-0x00000000010D0000-memory.dmp

memory/1044-1-0x00007FFA55970000-0x00007FFA56432000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winapp.exe.log

MD5 b4e91d2e5f40d5e2586a86cf3bb4df24
SHA1 31920b3a41aa4400d4a0230a7622848789b38672
SHA256 5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210
SHA512 968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

memory/1044-9-0x00007FFA55970000-0x00007FFA56432000-memory.dmp

C:\Windows\system32\WinApp\winapp.exe

MD5 479b0ed90ee97a1495fd6a7be0980293
SHA1 31cb1679fbd3e4d8158f251b222169ab3d0c05de
SHA256 ae1314d312e7682d6170a89745b04344237ce87bc76a29b8608a4249f70da66b
SHA512 f4a9d1cb6e78aa9566fa034f9a5ea8eaa62b8e2ef2878ad98f985f9863a15746568772c8a7674bdc6032bb204658e29128896071730047b4cd2c86ba7c5a5c79

memory/2312-11-0x000000001B080000-0x000000001B090000-memory.dmp

memory/2312-10-0x00007FFA55970000-0x00007FFA56432000-memory.dmp

C:\Windows\System32\WinApp\winapp.exe

MD5 089fff94122e9ac0e7c3aed59b12131a
SHA1 79c9971d8ef672406a457f95e544e1f15221ed08
SHA256 22b65e7e1f36b2394bad598bc2c9b2d2b1ba9a2d77f377d680dc4700b8f8771f
SHA512 8b01a3313b30a46447b487c646889dfe0364029d80e7f11923b046f8bf356d31383bf532a98368dd47a6a526b5e4a0c86177512a1b1f7d8ee25a22986bf266ee

memory/2312-12-0x000000001BC80000-0x000000001BCD0000-memory.dmp

memory/2312-13-0x000000001BD90000-0x000000001BE42000-memory.dmp

memory/2312-14-0x00007FFA55970000-0x00007FFA56432000-memory.dmp

memory/2312-15-0x000000001B080000-0x000000001B090000-memory.dmp