Malware Analysis Report

2025-01-18 04:35

Sample ID 231231-3ycdrsahh4
Target Client-built.exe
SHA256 2161ac1f32f0aeb9b968e28924c52a5c77b06197275266fb7fcc7242523d614e
Tags: office04 quasar spyware trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 2161ac1f32f0aeb9b968e28924c52a5c77b06197275266fb7fcc7242523d614e

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar spyware trojan

Quasar payload

Quasar family

Quasar RAT

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-31 23:55

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 23:54
Reported: 2023-12-31 23:58
Platform: win10-20231215-en
Max time kernel: 126s
Max time network: 168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 147.185.221.17:56251 tcp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

memory/4624-0-0x0000000000D80000-0x00000000010A4000-memory.dmp
memory/4624-1-0x00007FFD69000000-0x00007FFD699EC000-memory.dmp
memory/4624-2-0x000000001BCF0000-0x000000001BD00000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 a88a8a76270599f61ed3c1f25a0b79b4
SHA1 a2211f01f55970ae068fa02fc2b284d2f2e80b81
SHA256 579aa3ca85e6148ba288e6fd41cf3813963c7db4086dd7da512ee0e10374003e
SHA512 49259b08217fb35fc8d6c66ebf5bbbda67a20ba9d3d4f4b313fa470d287422325215f9d99da4eb2ab4fa00a814baecd0d7110d7b40f64cca3391bedb572b8573

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 b7a4c11b2565e09e8239ec0abc08b4b0
SHA1 78464c39bbc485f84bca1dc9b6cafa7b654d348d
SHA256 88f5669612d1f84e763e10bdf8835cafcd9f7490973aa69b4aaa283a8548b84d
SHA512 b6fe702b2a49f937e650e81adc19d70134919f5094d718c12da6d7971c487be2269eb83be08bccbe366c0f8762ca116eb0ab3f994a7a90102f1956e99a2aea6b

memory/4624-8-0x00007FFD69000000-0x00007FFD699EC000-memory.dmp
memory/868-9-0x00007FFD69000000-0x00007FFD699EC000-memory.dmp
memory/868-10-0x000000001B500000-0x000000001B510000-memory.dmp
memory/868-11-0x000000001BEB0000-0x000000001BF00000-memory.dmp
memory/868-12-0x000000001BFC0000-0x000000001C072000-memory.dmp
memory/868-13-0x00007FFD69000000-0x00007FFD699EC000-memory.dmp
memory/868-14-0x000000001B500000-0x000000001B510000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 23:54
Reported: 2023-12-31 23:58
Platform: win10v2004-20231215-en
Max time kernel: 67s
Max time network: 73s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 147.185.221.17:56251 tcp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 147.185.221.17:56251 tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 147.185.221.17:56251 tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 147.185.221.17:56251 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 147.185.221.17:56251 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 147.185.221.17:56251 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 147.185.221.17:56251 tcp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 147.185.221.17:56251 tcp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 147.185.221.17:56251 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
GB 96.17.178.180:80 tcp

Files

memory/844-0-0x0000000000C10000-0x0000000000F34000-memory.dmp
memory/844-1-0x00007FF828990000-0x00007FF829451000-memory.dmp
memory/844-2-0x00000000030B0000-0x00000000030C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 8f5650f2b5d261f5b85eedf43666a46d
SHA1 ed3db305f64f16af33b2dc18aadfc3d0e23d7258
SHA256 406147ae15c87184947c806270e5b7bd6df11fd4a52d81f1030317400975c013
SHA512 eecfe18de584ceb99af8b821beb1ac34a2dcf0f3b586881d492f6aab8428ea29cc85bc590d21f1dfb372579b2ef22f6ac49a1685dad40b05eee266bffbd9fdbd

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 caf9771bfcd57dc716652fb1836bdced
SHA1 870468f5f96a602e7fcc46d9da97cd0e320292e0
SHA256 d6536e153219bdc7042232d051f07a70f696a3dde5ac7ea90287ac1fd8bf5751
SHA512 bf01542f39b8cf558901d8b19d0fd8560c99846f69e73fae94fd3b403f205660611f59c1b5cf54015a571aae7711f0b15e0d5cd43ae61e2253138d73b135765c

memory/844-8-0x00007FF828990000-0x00007FF829451000-memory.dmp
memory/556-9-0x00007FF828990000-0x00007FF829451000-memory.dmp
memory/556-10-0x0000000002D60000-0x0000000002D70000-memory.dmp
memory/556-11-0x000000001C4A0000-0x000000001C4F0000-memory.dmp
memory/556-12-0x000000001C5B0000-0x000000001C662000-memory.dmp
memory/556-13-0x00007FF828990000-0x00007FF829451000-memory.dmp
memory/556-14-0x0000000002D60000-0x0000000002D70000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2023-12-31 23:54
Reported: 2023-12-31 23:58
Platform: win11-20231215-en
Max time kernel: 140s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 147.185.221.17:56251 tcp
US 8.8.8.8:53 17.221.185.147.in-addr.arpa udp
US 147.185.221.17:56251 tcp
US 147.185.221.17:56251 tcp
US 147.185.221.17:56251 tcp
US 147.185.221.17:56251 tcp
US 147.185.221.17:56251 tcp
US 147.185.221.17:56251 tcp
N/A 52.168.117.168:443 tcp

Files

memory/5116-0-0x0000000000D80000-0x00000000010A4000-memory.dmp
memory/5116-1-0x00007FFA79080000-0x00007FFA79B42000-memory.dmp
memory/5116-2-0x00000000018F0000-0x0000000001900000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 2c5219a73957083cdb849886c28c9735
SHA1 01bd1932cb59b8ba4c68c6c5c86724e944803d7a
SHA256 b95d63753f15677b9b71f30e325c1182d79abaeda78caea1cf56cb97767c8650
SHA512 b3689f3870e8b68cdc17b4c82d4046c325f7d2944e42688f5218e1c6bd2bbdb98f6489fd3704d634fe8d821133b3c8e0c7c8c799f2a036c23ee2eb0f94a78283

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 5bd094fa59803313446c0a1a59f493c3
SHA1 ad854d5cb57d7fdfce273c34047135b98357f8ce
SHA256 23126c237ef94abf54c0c194955de04ee70a67a730b31628867f35a9f0cce9d3
SHA512 dac096433a4631fa4246d2233845b4e6d23cde8f3251300726f2cd28c20747d59e4437b6fb37d8ff132691dd0e1d7304108721e687d24adf4eccf419e9012656

memory/5116-8-0x00007FFA79080000-0x00007FFA79B42000-memory.dmp
memory/4128-9-0x00007FFA79080000-0x00007FFA79B42000-memory.dmp
memory/4128-10-0x000000001BDE0000-0x000000001BDF0000-memory.dmp
memory/4128-11-0x000000001CDA0000-0x000000001CDF0000-memory.dmp
memory/4128-12-0x000000001CEB0000-0x000000001CF62000-memory.dmp
memory/4128-13-0x00007FFA79080000-0x00007FFA79B42000-memory.dmp
memory/4128-14-0x000000001BDE0000-0x000000001BDF0000-memory.dmp