Malware Analysis Report

2025-01-18 04:31

Sample ID: 231231-fsf4faccc2
Target: 295f0a57a5e69b701359a80ed15ab338
SHA256: d366619e696013333ed98b3aa03567638e56286ded05fb34da197481fa4d89fe
Tags: quasar office04 persistence spyware trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: d366619e696013333ed98b3aa03567638e56286ded05fb34da197481fa4d89fe

Threat Level: Known bad

The file 295f0a57a5e69b701359a80ed15ab338 was found to be: Known bad.

Malicious Activity Summary

quasar office04 persistence spyware trojan

Modifies WinLogon for persistence

Quasar RAT

Quasar payload

Suspicious use of SetThreadContext

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-31 05:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-31 05:07
Reported: 2024-01-05 15:29
Platform: win7-20231215-en
Max time kernel: 145s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\iSIdJ76se5U1r16o\\Q6Cs0Jb4eIcl.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe N/A

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\SubDir\Client.exe C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe N/A
File created C:\Windows\SysWOW64\SubDir\Client.exe C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2480 set thread context of 2668 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2480 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe
PID 2480 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe
PID 2480 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe
PID 2480 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe
PID 2480 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe
PID 2480 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe
PID 2480 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe
PID 2480 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe
PID 2480 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe
PID 2668 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Windows\SysWOW64\schtasks.exe
PID 2668 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe

"C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe"

C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe

"C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Java Updater x64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe" /rl HIGHEST /f

Network

N/A

Files

memory/2480-0-0x0000000000AD0000-0x0000000000B44000-memory.dmp

memory/2480-1-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2480-2-0x0000000002200000-0x0000000002240000-memory.dmp

memory/2480-3-0x0000000002200000-0x0000000002240000-memory.dmp

memory/2480-4-0x0000000000390000-0x00000000003E6000-memory.dmp

memory/2480-7-0x0000000002240000-0x00000000022C4000-memory.dmp

memory/2668-9-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2668-11-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2668-10-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2668-16-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2668-18-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2668-20-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2668-14-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2668-21-0x0000000004AD0000-0x0000000004B10000-memory.dmp

memory/2668-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2668-8-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2480-23-0x0000000074C50000-0x000000007533E000-memory.dmp

memory/2480-24-0x0000000002200000-0x0000000002240000-memory.dmp

memory/2480-25-0x0000000002200000-0x0000000002240000-memory.dmp

memory/2668-26-0x0000000074C50000-0x000000007533E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-31 05:07
Reported: 2024-01-05 15:29
Platform: win10v2004-20231222-en
Max time kernel: 11s
Max time network: 12s

Command Line

"C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe"

Signatures

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe

"C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe"

C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe

"C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe"

C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe

"C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks" /create /tn "Java Updater x64" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\295f0a57a5e69b701359a80ed15ab338.exe" /rl HIGHEST /f

C:\Windows\SysWOW64\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 167.109.18.2.in-addr.arpa udp

Files

memory/3192-0-0x0000000000520000-0x0000000000594000-memory.dmp

memory/3192-1-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/3192-3-0x0000000004F70000-0x0000000005002000-memory.dmp

memory/3192-4-0x0000000005180000-0x0000000005190000-memory.dmp

memory/3192-5-0x0000000005140000-0x000000000514A000-memory.dmp

memory/3192-2-0x0000000005600000-0x0000000005BA4000-memory.dmp

memory/3192-6-0x00000000049B0000-0x0000000004A06000-memory.dmp

memory/1848-10-0x0000000000400000-0x0000000000484000-memory.dmp

memory/1848-13-0x0000000005460000-0x0000000005470000-memory.dmp

memory/1848-12-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/3192-9-0x0000000009DE0000-0x0000000009E64000-memory.dmp

memory/1848-20-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/1908-21-0x00000000055F0000-0x0000000005600000-memory.dmp

memory/1908-19-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/1908-22-0x0000000006BD0000-0x0000000006C26000-memory.dmp