quasar | d76830288a3be762842427e66dc58a37e874cebf25243b74b4d6f5deef31bfd8

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-03-2024 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe
Size

3.2MB
MD5

f53938373434c1b46ab8333b99b5025e
SHA1

1f3ae2bda22c8c30a84563094ff2c30d1265fa91
SHA256

1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856
SHA512

b733120eb598287a5eb5b8cf10cc0e0343756ac50f72657a959a908de2d0b3325e1c195b815a7981d83618135914d33b89bc8a9a6cef2c293352be5604aab596
SSDEEP

49152:paFWfGWVGvidJg/yfFF9mkQiCrIw20BWBvM0cPV9GadnnCQ/J4CWJl/dTTKXcG:paFCTW/sUni+w0CvA9GtllTTKMG

Score

10^/10

quasar default spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Default

dksj.wi-fi.rip:4782

Mutex

fac0455c-d035-445a-a501-d39c40248ae5

Attributes

encryption_key
E883FEA800A47B3B853A04DDCD0D162E782B41B7
install_name
Client.exe
log_directory
fdgdg
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4892-4-0x0000000000400000-0x0000000000724000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
708	fgfhghf.exe
1916	fgfhghf.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2248 set thread context of 4892	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	89
PID 708 set thread context of 1536	708	fgfhghf.exe	111
PID 1916 set thread context of 4556	1916	fgfhghf.exe	121

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4128	schtasks.exe
1084	schtasks.exe
1052	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4892	vbc.exe
Token: SeDebugPrivilege	1536	vbc.exe
Token: SeDebugPrivilege	4556	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4892	vbc.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 4892	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	89
PID 2248 wrote to memory of 4892	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	89
PID 2248 wrote to memory of 4892	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	89
PID 2248 wrote to memory of 4892	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	89
PID 2248 wrote to memory of 4892	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	89
PID 2248 wrote to memory of 4892	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	89
PID 2248 wrote to memory of 4892	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	89
PID 2248 wrote to memory of 4892	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	89
PID 2248 wrote to memory of 3220	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	90
PID 2248 wrote to memory of 3220	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	90
PID 2248 wrote to memory of 3220	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	90
PID 2248 wrote to memory of 3732	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	91
PID 2248 wrote to memory of 3732	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	91
PID 2248 wrote to memory of 3732	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	91
PID 2248 wrote to memory of 868	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	92
PID 2248 wrote to memory of 868	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	92
PID 2248 wrote to memory of 868	2248	1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe	92
PID 3732 wrote to memory of 4128	3732	cmd.exe	96
PID 3732 wrote to memory of 4128	3732	cmd.exe	96
PID 3732 wrote to memory of 4128	3732	cmd.exe	96
PID 708 wrote to memory of 1536	708	fgfhghf.exe	111
PID 708 wrote to memory of 1536	708	fgfhghf.exe	111
PID 708 wrote to memory of 1536	708	fgfhghf.exe	111
PID 708 wrote to memory of 1536	708	fgfhghf.exe	111
PID 708 wrote to memory of 1536	708	fgfhghf.exe	111
PID 708 wrote to memory of 1536	708	fgfhghf.exe	111
PID 708 wrote to memory of 1536	708	fgfhghf.exe	111
PID 708 wrote to memory of 1536	708	fgfhghf.exe	111
PID 708 wrote to memory of 4280	708	fgfhghf.exe	112
PID 708 wrote to memory of 4280	708	fgfhghf.exe	112
PID 708 wrote to memory of 4280	708	fgfhghf.exe	112
PID 708 wrote to memory of 2160	708	fgfhghf.exe	113
PID 708 wrote to memory of 2160	708	fgfhghf.exe	113
PID 708 wrote to memory of 2160	708	fgfhghf.exe	113
PID 708 wrote to memory of 3848	708	fgfhghf.exe	115
PID 708 wrote to memory of 3848	708	fgfhghf.exe	115
PID 708 wrote to memory of 3848	708	fgfhghf.exe	115
PID 2160 wrote to memory of 1084	2160	cmd.exe	118
PID 2160 wrote to memory of 1084	2160	cmd.exe	118
PID 2160 wrote to memory of 1084	2160	cmd.exe	118
PID 1916 wrote to memory of 4556	1916	fgfhghf.exe	121
PID 1916 wrote to memory of 4556	1916	fgfhghf.exe	121
PID 1916 wrote to memory of 4556	1916	fgfhghf.exe	121
PID 1916 wrote to memory of 4556	1916	fgfhghf.exe	121
PID 1916 wrote to memory of 4556	1916	fgfhghf.exe	121
PID 1916 wrote to memory of 4556	1916	fgfhghf.exe	121
PID 1916 wrote to memory of 4556	1916	fgfhghf.exe	121
PID 1916 wrote to memory of 4556	1916	fgfhghf.exe	121
PID 1916 wrote to memory of 768	1916	fgfhghf.exe	122
PID 1916 wrote to memory of 768	1916	fgfhghf.exe	122
PID 1916 wrote to memory of 768	1916	fgfhghf.exe	122
PID 1916 wrote to memory of 1460	1916	fgfhghf.exe	123
PID 1916 wrote to memory of 1460	1916	fgfhghf.exe	123
PID 1916 wrote to memory of 1460	1916	fgfhghf.exe	123
PID 1916 wrote to memory of 2120	1916	fgfhghf.exe	124
PID 1916 wrote to memory of 2120	1916	fgfhghf.exe	124
PID 1916 wrote to memory of 2120	1916	fgfhghf.exe	124
PID 1460 wrote to memory of 1052	1460	cmd.exe	128
PID 1460 wrote to memory of 1052	1460	cmd.exe	128
PID 1460 wrote to memory of 1052	1460	cmd.exe	128

C:\Users\Admin\AppData\Local\Temp\1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe
"C:\Users\Admin\AppData\Local\Temp\1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4892
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfhghf"
  2⤵
  PID:3220
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4128
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\1332bb84dff1a55902b5eb2c76988f94a9edf4727d2c79871c47858b270f0856.exe" "C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe"
  2⤵
  PID:868

C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe
C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfhghf"
  2⤵
  PID:4280
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe" "C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe"
  2⤵
  PID:3848

C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe
C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4556
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\fgfhghf"
  2⤵
  PID:768
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe" "C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe"
  2⤵
  PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fgfhghf.exe.log

Filesize
520B

MD5
3ca2f9e6a94c24c455ac9431a0bf479b

SHA1
a90309eec691588990609f8f8ad9b935d6f38eb2

SHA256
e84d0c64750ec6333b67eb8aef737bb21cd86c6ef6e520c6537ede13505e125e

SHA512
ba66e42b384f0d865a21d9169169a0b2bd9c62ebee68acc63a191b1a67ca16f4534f955055fc84bbc4a9cd22cec11c3c22a15df7741d99b7dec456e5cabcb0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe

Filesize
2.3MB

MD5
ff1cce659d9fdd999bd258d985ac300c

SHA1
a37dfad534cf3d36b332cadcb716255c844f58cf

SHA256
d9284ed5515ce0fe0c08fd2a261e4c0d882188ebf8f5191d5ec6704345b78a47

SHA512
3a6d02f774c3f8a21dda1d22ed4b37b2e3c8267f889b41107f1abc1f329f08f72a660b1f260fd6be5af302e93f09946da2c252a75d367396f05ad4b6a8f09518

Download Submit
C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe

Filesize
2.1MB

MD5
cb664c890b143f4bbfaf21339f3b01a6

SHA1
af9d0df955a62633465869dec0ea90d04c4c8902

SHA256
5e38a4972b1c26429bc66b91d97d3be553296bca35fb409a48770e578de8f645

SHA512
e9db9e11339d43a103e5ddcaadba4eb2bdc9b189ae346a644dd701bef4e16da7fe114f415c05a5822437d31b18ae271e5f1ac1f3635c2e5786375a81c3a5cdb0

Download Submit
C:\Users\Admin\AppData\Roaming\fgfhghf\fgfhghf.exe

Filesize
2.1MB

MD5
e76218a68561b15f38b88533c12d5440

SHA1
3d413b4a2755bc590b6baa31f103b80edb0f6833

SHA256
976a2c69e319b5165a4d0e5ddfcd722521f13c8839036d2e4b462bb83dababd4

SHA512
a9349e561c5f0023e007ddbf7c1fe5adc9a0eee7ba4ae1f09980f4c937a46b5decd666f7f7f394424e681c1dc36f092a78428891d372ee078e3d20b45ad03261

Download Submit
memory/708-26-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/708-21-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/708-20-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1536-25-0x0000000005870000-0x0000000005880000-memory.dmp

Filesize
64KB

Download
memory/1536-28-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1536-24-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1916-31-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/1916-32-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/1916-36-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/2248-8-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/2248-1-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/2248-0-0x0000000000EE0000-0x000000000120C000-memory.dmp

Filesize
3.2MB

Download
memory/2248-2-0x0000000005BE0000-0x0000000005BF0000-memory.dmp

Filesize
64KB

Download
memory/2248-3-0x00000000061A0000-0x0000000006744000-memory.dmp

Filesize
5.6MB

Download
memory/4556-37-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4556-35-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4892-13-0x0000000006540000-0x0000000006B58000-memory.dmp

Filesize
6.1MB

Download
memory/4892-9-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4892-7-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/4892-5-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download
memory/4892-4-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/4892-12-0x0000000005420000-0x000000000542A000-memory.dmp

Filesize
40KB

Download
memory/4892-17-0x00000000054C0000-0x00000000054D0000-memory.dmp

Filesize
64KB

Download
memory/4892-14-0x0000000005FE0000-0x0000000006030000-memory.dmp

Filesize
320KB

Download
memory/4892-15-0x0000000006250000-0x0000000006302000-memory.dmp

Filesize
712KB

Download
memory/4892-16-0x00000000750E0000-0x0000000075890000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads