Analysis
-
max time kernel
1739s -
max time network
1690s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
20/02/2024, 00:12
General
-
Target
https://github.com/quasar/Quasar
Malware Config
Signatures
-
Quasar RAT
Quasar is an open source Remote Access Tool.
-
Quasar payload 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 49 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 38 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/quasar/Quasar1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5adf46f8,0x7ffb5adf4708,0x7ffb5adf47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5080 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5480 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,7445531073875406746,13369968847633735947,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1892 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"C:\Users\Admin\Desktop\Quasar v1.4.1\Quasar.exe"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe" /select, "C:\Users\Admin\Desktop\Quasar v1.4.1\quasar.p12"2⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5efc9c7501d0a6db520763baad1e05ce8
SHA160b5e190124b54ff7234bb2e36071d9c8db8545f
SHA2567af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a
SHA512bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d
-
Filesize
1KB
MD5fa5e145b5e637dd2b3e39cfd09ae469b
SHA1c8e97a3cfc643ef9ce64c9b11fbb08faeb496eba
SHA2568c61700b6918e7c9f06219a8d540a6b1d4bde8b04d254783d64bf3791e73a1e2
SHA512b198ef35e1d97b83ab47488bcf99cf67cad203079a7b9b8b445045d0aa11ba6df6dbcd409d1a081489ba16d1b74697a874d705996d1bde782a6ab8f4791ac86a
-
Filesize
663B
MD5e0c8ba5acacb79299dc526c5daa1d0ce
SHA10ee66ba200a26340b183e6296b6772904e6465dc
SHA2562afc4f4876503a33efdf70f73706fe5756d29d064dfa84db1aec8b373c895962
SHA512ce81aa6f76c9247002fccd9ca18ff9bdd93e4bed6c5d0b60d01d7108a223eff2010d270bcff4935a27ca443c2c0b71451edb6e7829c4a8e8cb3746dd65318625
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
5KB
MD51fa0bd1abd831e01302d848ec99f07fa
SHA100062287dea72c5648b84d585c9e04634861b7ef
SHA25633b9b0eace6df40d72f141552baae9fa3816d82a8480d40bc3ee94d9e614f312
SHA512ab431bb44868ef34bb1842b8a09144a3379491e37648f98284e9248e10a2b0c6cff5a739488305f7f3b8432fe3f86c75599f59c0a2bbbc26024eb1e36256ca00
-
Filesize
5KB
MD562929b8888e37c8b7726d2fdd4c4f306
SHA18b918222e8e4a5d07a6510173ee6a69fb7b218f9
SHA256cdaa7bc31bf4c84407fdf928e1fa2dc52ff9e1476febd6a7ebffda926bd44a1d
SHA512426555112607ad01d8ded3923a93586d3b42032202ab80cde11b491e5b0d51d15cd3b8396135dac5df3341fb00f54d5de1b60be206403cc8eb554ab719931871
-
Filesize
5KB
MD5ad02d1ca7e6917fe6e7fd6ec61abb76e
SHA1c324d1248e64d0c2c39ab9dc565fa7e6a3cfae61
SHA256ff75cce677d49f7d823b88af55483dcb28b33a7edc3225efbb03f7928e605386
SHA51219ef174adbadcc739f1d5f8ef2b8be3255dbcfba2ae38c1addbb4b21c92791c9ea9a4fc6f44675744582d13103b37e010b33ba1a4eb939869bf1341b41f8eba5
-
Filesize
6KB
MD5fdc28f6dbd72bf5f3f1285c53d12ba99
SHA1a472e311c14a1535d5539ff4ea8bcc3ed1253f57
SHA2565dc8f3bcc66466fb77159afa0747276eb0b3c4dd7b38ac9453ecb95220dd76c0
SHA512cccf14d4a0264a706729c42536311874889dc183b5a6902931e635616a026fefad244b4e79be9b349138cf822bf7e1003abbed8003b9cad4a3dae70028aa57cf
-
Filesize
24KB
MD5121510c1483c9de9fdb590c20526ec0a
SHA196443a812fe4d3c522cfdbc9c95155e11939f4e2
SHA256cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c
SHA512b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81
-
Filesize
1KB
MD5c9bac9b9ff2554a43c497ac3d88a869b
SHA1bb8d065b927e6db55343b216b0e3d780b3b32a24
SHA256afd428849de4fdf50c853f1bb0350820240a0b188dde6c155c2865cb8fe4f324
SHA5120fe3fd1378be0f976d66f67ba05905cf4c5ce881b748e533f949f4891cfb733f67d2bc80b605adfee8d469177cfb83e3bf1b43067b1f0dda0f8a08ea3033381c
-
Filesize
1KB
MD57d03b40f3da0dd81f17e53d1a162ad80
SHA12651c38296a3cc7acabb07018f5433075b3b1c79
SHA256ca3223cfa9e760080c38788b7f40ce1c7a567b10f5c81ead174d9db2af53a104
SHA51254fa2aac351ce68f21731402dfa5bed9a2821f07c2f0f447aeb3b93be7b781478ac42fd9b4db02474876b554021c25e2e6dbe1a01ef23fcdfa264b0651fad095
-
Filesize
1KB
MD5dc9d40cce186b8cd5be7042251973d2d
SHA119e5c3438df3575d52fbfddb246f5ef2336327fb
SHA256c53c8f1fd559e389c99ddb79a5e1fc5d7497f4f8c128d86500fb354e79afdda6
SHA512e9e44639a8f908bf3b5506c3c799c5c275e2850168a820a2022ea0949897bde9d28c1e46840b458acac3d8425e6571f69850619e12c68aedced410dd333e9640
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD554bb63da7eed504ae026a9d682240ce6
SHA1a8bc1f0e5c53e2a1eeb061f0947b465a9fa8e46e
SHA25658ca479eda8a43e6cbdc03e28d8031694c5b098ecc9565d4f3633b4bcd16a706
SHA5120614adc235fa6e62f392dd7ccf01357db091c3abe0427d0daa64efe196003fb28ca0364d22fdbff7ae708d4950120b7c25c0957e2c814a4cbe804938e07ffcd0
-
Filesize
10KB
MD51fa605e12a2ee1e9080e334f975b0eb1
SHA1d13ac4d394fabaa864df41b4a2f81139b0e7bab8
SHA256ff6bd36f6641cf6b8445b5393950a0b9a50717e7481cbca86a14acf1416e3dfb
SHA512e75e46ca0dd2348b0d8f03cf7c3e38ecd94ca5d1d44b738907e509a0d068f9d134eecd37974f1ac87aa17d7a501ccd6a27500c10ba6a14ffc40d60890f4a9330
-
Filesize
4KB
MD55f46d158b01a50e5325e274705b0083a
SHA1a7e61d35285bea1a81a9ea6193ee009495552dc4
SHA256de7b40068862b96e19398bd266cfa90c3fabb748bfd2ce1295815cad56c8e4db
SHA512352ccc33b0ff0bd7e94f47d40b74e21e4476011bda77d6bf314a3fa2145eaa41a4abb6ed394a18cee0f4f7d5485d1cffc7e369158c49cd8f780530d4fcf516e7
-
Filesize
371B
MD5482b40c0d7aa8a3d1bbf44e34b4d2ca5
SHA1d6d24c92b01a2d8a1e9cd5a15669443091f1c7a7
SHA25640adac53b3488585f0bd0dfc919d7d145184d4b78ee7641d721bfdf141571c31
SHA51264774f6c520ba1b99c353d79747e78d07dce9220ba9d4a0d81d8abd6d593ef32941b73d7795e1666b0777571bca194d9ac7b6b4394c1b2bde32387ea4ee2f813
-
Filesize
128KB
MD5cf48e6778ffd9ecfb862978dee7a30c5
SHA11c2b6d594c8bd048e32642b81d25e40d287abbb1
SHA256b19793eea0d918e8981ef8083827088e06f929711298d9f4c0c01854f0db7493
SHA512b964163abfba0f13524d574a02b12a0f0626d569d0d3d1fe428c61f32e4ecf52f4905723b6fa69d97ac5268eff1850d41a623e42d30e167aef4658229c19c5f4
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
320KB
-
Filesize
712KB
-
Filesize
304KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
88KB
-
Filesize
64KB
-
Filesize
10.8MB
-
Filesize
1.2MB