quasar | a323a9891c15a533b2356c710a9610dcd764931b2122404d1278952d6a2611e1

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 05:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0fb77a7f91ccadcee16b1f264b0a53df.exe
Size

1.0MB
MD5

0fb77a7f91ccadcee16b1f264b0a53df
SHA1

efadf32a52f1b6bfde9ab82bd4ac5cd1598d8a8f
SHA256

a323a9891c15a533b2356c710a9610dcd764931b2122404d1278952d6a2611e1
SHA512

e6a30817ab7031b0d2170d28d61c721d8d609e65485054e8e706740582454bf0cb54a2029781628d8a994165674d4652e2592cf9c4db4b78434de1d235be8373
SSDEEP

12288:kARNJ6j3LBFsSfNJwZH3Uw2oQb+9BXNwQlsljyFVRelCuXjV+apo+gO0aoUWqnDi:bLJ+FFsSFJg9LuuqnDonB1

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.3.0.0

Botnet

Office04

10.8.31.138:28394

Mutex

QSR_MUTEX_8o3qZGCFefA40MAkOh

Attributes

encryption_key
Gmm1w4utIxJXOFfCOJbk
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/2196-2-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2196-7-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar
behavioral1/memory/2196-5-0x0000000000400000-0x000000000045E000-memory.dmp	family_quasar

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 2196	2212	0fb77a7f91ccadcee16b1f264b0a53df.exe	19

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	0fb77a7f91ccadcee16b1f264b0a53df.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2196	2212	0fb77a7f91ccadcee16b1f264b0a53df.exe	19
PID 2212 wrote to memory of 2196	2212	0fb77a7f91ccadcee16b1f264b0a53df.exe	19
PID 2212 wrote to memory of 2196	2212	0fb77a7f91ccadcee16b1f264b0a53df.exe	19
PID 2212 wrote to memory of 2196	2212	0fb77a7f91ccadcee16b1f264b0a53df.exe	19
PID 2212 wrote to memory of 2196	2212	0fb77a7f91ccadcee16b1f264b0a53df.exe	19
PID 2212 wrote to memory of 2196	2212	0fb77a7f91ccadcee16b1f264b0a53df.exe	19
PID 2212 wrote to memory of 2196	2212	0fb77a7f91ccadcee16b1f264b0a53df.exe	19
PID 2212 wrote to memory of 2196	2212	0fb77a7f91ccadcee16b1f264b0a53df.exe	19
PID 2212 wrote to memory of 2196	2212	0fb77a7f91ccadcee16b1f264b0a53df.exe	19
PID 2196 wrote to memory of 2980	2196	0fb77a7f91ccadcee16b1f264b0a53df.exe	18
PID 2196 wrote to memory of 2980	2196	0fb77a7f91ccadcee16b1f264b0a53df.exe	18
PID 2196 wrote to memory of 2980	2196	0fb77a7f91ccadcee16b1f264b0a53df.exe	18
PID 2196 wrote to memory of 2980	2196	0fb77a7f91ccadcee16b1f264b0a53df.exe	18

C:\Users\Admin\AppData\Local\Temp\0fb77a7f91ccadcee16b1f264b0a53df.exe
"C:\Users\Admin\AppData\Local\Temp\0fb77a7f91ccadcee16b1f264b0a53df.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\0fb77a7f91ccadcee16b1f264b0a53df.exe
  C:\Users\Admin\AppData\Local\Temp\0fb77a7f91ccadcee16b1f264b0a53df.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196

C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
dw20.exe -x -s 388
1⤵
PID:2980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2196-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2196-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2196-10-0x0000000002190000-0x00000000021D0000-memory.dmp

Filesize
256KB

Download
memory/2196-9-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/2196-5-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2196-13-0x0000000002190000-0x00000000021D0000-memory.dmp

Filesize
256KB

Download
memory/2196-12-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/2212-8-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/2212-0-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/2212-3-0x0000000002060000-0x00000000020A0000-memory.dmp

Filesize
256KB

Download
memory/2212-1-0x0000000074B80000-0x000000007512B000-memory.dmp

Filesize
5.7MB

Download
memory/2980-11-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download
memory/2980-14-0x0000000002790000-0x0000000002791000-memory.dmp

Filesize
4KB

Download