Malware Analysis Report

2025-01-18 04:31

Sample ID 240104-wfy2gsgahm
Target Client-built.exe
SHA256 3c7c1b6d7a9146cf899b396f23aa03e715a8ef82f92f2c2642904599cfffd773
Tags: office04, quasar, spyware, trojan
Score: 10/10

Table of Contents

Analysis Overview
  MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 3c7c1b6d7a9146cf899b396f23aa03e715a8ef82f92f2c2642904599cfffd773

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

Tags: office04, quasar, spyware, trojan

Quasar family

Quasar payload

Quasar RAT

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-01-04 17:52

Signatures

Quasar family

quasar

Quasar payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-04 17:52
Reported: 2024-01-04 17:55
Platform: win10v2004-20231215-en
Max time kernel: 74s
Max time network: 88s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Suspicious use of AdjustPrivilegeToken

Description  Indicator               Process                                               Target
N/A          Token: SeDebugPrivilege  C:\Users\Admin\AppData\Local\Temp\Client-built.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Network

Country  Destination           Domain                          Proto
NL       52.142.223.178:80     -                               tcp
HU       89.134.3.9:1177       -                               tcp
US       8.8.8.8:53            g.bing.com                      udp
US       204.79.197.200:443    g.bing.com                      tcp
US       8.8.8.8:53            66.134.221.88.in-addr.arpa      udp
US       8.8.8.8:53            146.78.124.51.in-addr.arpa      udp
US       8.8.8.8:53            200.197.79.204.in-addr.arpa     udp
US       8.8.8.8:53            21.177.190.20.in-addr.arpa      udp
US       8.8.8.8:53            59.128.231.4.in-addr.arpa       udp
US       8.8.8.8:53            55.36.223.20.in-addr.arpa       udp
US       8.8.8.8:53            158.240.127.40.in-addr.arpa     udp
HU       89.134.3.9:1177       -                               tcp
US       8.8.8.8:53            26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53            171.39.242.20.in-addr.arpa      udp
US       8.8.8.8:53            217.135.221.88.in-addr.arpa     udp
US       8.8.8.8:53            57.110.18.2.in-addr.arpa        udp
HU       89.134.3.9:1177       -                               tcp
US       8.8.8.8:53            202.135.221.88.in-addr.arpa     udp
US       8.8.8.8:53            41.134.221.88.in-addr.arpa      udp
HU       89.134.3.9:1177       -                               tcp

Files

memory/4340-0-0x0000000000650000-0x0000000000974000-memory.dmp
memory/4340-1-0x00007FF817020000-0x00007FF817AE1000-memory.dmp
memory/4340-2-0x000000001B5A0000-0x000000001B5B0000-memory.dmp
memory/4340-3-0x000000001BC40000-0x000000001BC90000-memory.dmp
memory/4340-4-0x000000001BD50000-0x000000001BE02000-memory.dmp
memory/4340-5-0x00007FF817020000-0x00007FF817AE1000-memory.dmp
memory/4340-6-0x000000001B5A0000-0x000000001B5B0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-04 17:52
Reported: 2024-01-04 17:57
Platform: win11-20231215-en
Max time kernel: 139s
Max time network: 161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Suspicious use of AdjustPrivilegeToken

Description  Indicator               Process                                               Target
N/A          Token: SeDebugPrivilege  C:\Users\Admin\AppData\Local\Temp\Client-built.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Network

Country  Destination        Domain                       Proto
HU       89.134.3.9:1177    -                            tcp
HU       89.134.3.9:1177    -                            tcp
US       8.8.8.8:53         8.8.8.8.in-addr.arpa         udp
HU       89.134.3.9:1177    -                            tcp
HU       89.134.3.9:1177    -                            tcp
HU       89.134.3.9:1177    -                            tcp
HU       89.134.3.9:1177    -                            tcp
US       8.8.8.8:53         18.173.189.20.in-addr.arpa   udp

Files

memory/5080-0-0x0000000000710000-0x0000000000A34000-memory.dmp
memory/5080-1-0x00007FFA15EA0000-0x00007FFA16962000-memory.dmp
memory/5080-2-0x000000001B800000-0x000000001B810000-memory.dmp
memory/5080-3-0x000000001BE10000-0x000000001BE60000-memory.dmp
memory/5080-4-0x000000001BF20000-0x000000001BFD2000-memory.dmp
memory/5080-5-0x00007FFA15EA0000-0x00007FFA16962000-memory.dmp
memory/5080-6-0x000000001B800000-0x000000001B810000-memory.dmp