quasar | b3573e1e395f30ce38648d8c9d5714ad35b0bcb93dbeabb1954e14b0199ca4d7

Analysis

max time kernel
118s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/02/2024, 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft Gaming Helper.exe
Size

3.1MB
MD5

1f4df8c89189221420cd89ea0bdcf753
SHA1

30d7c89bd5d28870a5f6c25749ef2bb7b797de72
SHA256

b3573e1e395f30ce38648d8c9d5714ad35b0bcb93dbeabb1954e14b0199ca4d7
SHA512

4c7a66f7b5dff06328f6e737994e29dbec32931d9974c560d0867f67aef3a0c4f3a475f68d5299039bcde8528312611af18a654be34e6378a37d24e659be8ee1
SSDEEP

49152:3vbI22SsaNYfdPBldt698dBcjHwJRJ6/bR3LoGdJQ1THHB72eh2NT:3vk22SsaNYfdPBldt6+dBcjHwJRJ6RW

Score

10^/10

quasar enayi spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Enayi

192.168.0.7:4782

Mutex

cfb088c2-8243-4e30-af47-82a5b5bebf06

Attributes

encryption_key
7AD862AAD94BE9C6EAA16CA4328915D7905AA3B4
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/2272-0-0x0000000000910000-0x0000000000C34000-memory.dmp	family_quasar

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2760	schtasks.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2272	Microsoft Gaming Helper.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2760	2272	Microsoft Gaming Helper.exe	28
PID 2272 wrote to memory of 2760	2272	Microsoft Gaming Helper.exe	28
PID 2272 wrote to memory of 2760	2272	Microsoft Gaming Helper.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Microsoft Gaming Helper.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Gaming Helper.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2272-0-0x0000000000910000-0x0000000000C34000-memory.dmp

Filesize
3.1MB

Download
memory/2272-1-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2272-2-0x000000001B370000-0x000000001B3F0000-memory.dmp

Filesize
512KB

Download
memory/2272-4-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Filesize
9.9MB

Download
memory/2272-5-0x000000001B370000-0x000000001B3F0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads