Malware Analysis Report

2025-06-16 05:31

Sample ID: 240315-k5llxacf5x
Target: 2386d1e1a35e51b0c869655580ab6431.exe
SHA256: a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c
Tags: office01 quasar spyware trojan
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c

Threat Level: Known bad

The file 2386d1e1a35e51b0c869655580ab6431.exe was found to be: Known bad.

Malicious Activity Summary

office01 quasar spyware trojan

Quasar payload

Quasar family

Quasar RAT

Executes dropped EXE

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-15 09:11

Signatures

Quasar family (tag: quasar)

Quasar payload
  Description | Indicator | Process | Target
  N/A | N/A | N/A | N/A

Unsigned PE
  Description | Indicator | Process | Target
  N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-15 09:11
Reported: 2024-03-15 09:13
Platform: win7-20240215-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"

Signatures

Quasar RAT (tags: trojan spyware quasar)

Quasar payload
  Description | Indicator | Process | Target
  N/A | N/A | N/A | N/A   (4 matches, no detail recorded)

Executes dropped EXE
  Description | Indicator | Process | Target
  N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Creates scheduled task(s) (tag: persistence)
  Description | Indicator | Process | Target
  N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
  N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken
  Description | Indicator | Process | Target
  Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe | N/A
  Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Suspicious use of SetWindowsHookEx
  Description | Indicator | Process | Target
  N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Uses Task Scheduler COM API (tag: persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe

"C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
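The two schtasks lines above are the whole persistence mechanism: a task named "Quasar Client Startup" that fires at every logon (/sc ONLOGON), asks for the highest run level the user can obtain (/rl HIGHEST), overwrites any task of the same name (/f) and points at the copy of the payload dropped under AppData\Roaming\SubDir. That combination is the thing to alert on in process-creation telemetry. The Python below is an added example, not tooling from the sandbox or from Quasar; it parses schtasks command lines the way a Sysmon or EDR process-creation event would deliver them and flags a /create whose switches match this pattern. The sample lines are constructed, except the first, which is copied from this report; the directory list in USER_WRITABLE and the two-indicator threshold are assumptions to tune against your own baseline.

```python
"""Flag schtasks /create command lines that show the persistence pattern in
this report: a logon trigger, /rl HIGHEST and a target binary under a
user-writable directory.  This is an added example, not sandbox tooling;
the sample lines are constructed, the first copied from this report."""
import re
import shlex

# switches that consume the next token as their value (subset of schtasks /create syntax)
VALUE_SWITCHES = {"tn", "sc", "tr", "rl", "ru", "rp", "st", "sd", "ed", "mo",
                  "d", "m", "i", "ri", "du", "et", "k", "s", "u", "p", "xml"}
# triggers that re-run the task with no user action
PERSISTENT_TRIGGERS = {"onlogon", "onstart", "minute", "hourly", "daily", "onidle"}
# directories an unprivileged user can write to (assumed list); a task running from here is unusual
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)

SAMPLE_CMDLINES = [  # constructed sample; [0] is the line from this report's Processes section
    '"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe" /rl HIGHEST /f',
    'schtasks /create /tn "Nightly Backup" /sc DAILY /st 02:00 '
    '/tr "C:\\Program Files\\Backup\\backup.exe"',
    'schtasks /query /tn "Quasar Client Startup"',
]


def parse_schtasks(cmdline):
    """Split a schtasks command line into (action, {switch: value})."""
    # posix=False keeps backslashes and quoted spans intact; the quotes are stripped afterwards
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    exe = tokens[0].lower().replace("\\", "/").rsplit("/", 1)[-1] if tokens else ""
    if exe not in ("schtasks", "schtasks.exe"):
        return None, {}
    action, switches, i = None, {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if name in ("create", "delete", "query", "run", "end", "change"):
                action = name
            elif name in VALUE_SWITCHES and i + 1 < len(tokens):
                switches[name] = tokens[i + 1]
                i += 1
            else:
                switches[name] = True          # bare flag such as /f
        i += 1
    return action, switches


def assess(cmdline):
    """Score one command line; flagged when two or more indicators co-occur."""
    action, sw = parse_schtasks(cmdline)
    if action != "create":
        return {"flagged": False, "reasons": []}
    reasons = []
    trigger = str(sw.get("sc", "")).lower()
    target = str(sw.get("tr", ""))
    if trigger in PERSISTENT_TRIGGERS:
        reasons.append(f"/sc {trigger.upper()} re-runs the task without user action (ATT&CK T1053.005)")
    if str(sw.get("rl", "")).lower() == "highest":
        reasons.append("/rl HIGHEST runs the task at the highest integrity level the user can obtain")
    if USER_WRITABLE.search(target):
        reasons.append(f"target lives in a user-writable directory: {target}")
    if sw.get("f") is True:
        reasons.append("/f silently replaces any existing task with the same name")
    return {"flagged": len(reasons) >= 2, "task_name": sw.get("tn"),
            "target": target, "reasons": reasons}


def flagged_tasks(cmdlines=SAMPLE_CMDLINES):
    """Return the assessments for every command line that was flagged."""
    return [r for r in (assess(c) for c in cmdlines) if r["flagged"]]


if __name__ == "__main__":
    for hit in flagged_tasks():
        print(hit["task_name"], "->", hit["target"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

Per-user updaters do legitimately schedule tasks from under AppData\Local, so the path pattern needs a baseline before it becomes an alert. Note also that the sandbox fired a separate "Uses Task Scheduler COM API" signature: a client that registers its task through ITaskService never produces a schtasks.exe command line at all, so pair command-line matching with Security event 4698 (a scheduled task was created) or the TaskScheduler operational log, both of which record the task regardless of how it was registered.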

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | www.exiles.site | udp | 1
US | 192.151.244.144:14782 | www.exiles.site | tcp | 35

(The report lists the 35 TCP connections to 192.151.244.144:14782 as separate rows; they are collapsed here into one row with a count.)

Files

memory/2388-0-0x0000000000920000-0x0000000000C44000-memory.dmp

memory/2388-1-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/2388-2-0x000000001B3A0000-0x000000001B420000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 8a66f525d7e6e8800cd44b102d046424
SHA1 945aaae13525ca512884ab7053ea2c84e2a8864f
SHA256 d727c015390fc642bedede713885c22813b91007613c662fb6b8884b81764105
SHA512 b441de91efbcf50e4807770140bb47c2a4bbf1429238b4a35e126fd7c1ccef3bfb74e3eaadea2921bed7e96904e54c2dce1b72e0d27fdac44eb3ef5dcd9b245b

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 7af4bc055bab150645e23ca81473ff6a
SHA1 6945e71cdfa4db8e9efe37c94fb295be3dbfcc1b
SHA256 88b4571bb01e06eaa0990b053d7b4ea7e1061d3f4382223d668a8cd50d3030af
SHA512 e689720c5af4644468e776cb5a1335d5ed1624c3d857a12d354cfce9639af233485d8f22ad641a6b2c7dd546ec68e709dbbc87cdd92ac777ae616a0507c9ba3b

memory/3036-8-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/3036-11-0x000000001ACF0000-0x000000001AD70000-memory.dmp

memory/3036-10-0x0000000000E10000-0x0000000001134000-memory.dmp

memory/2388-9-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/3036-12-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp

memory/3036-13-0x000000001ACF0000-0x000000001AD70000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-15 09:11
Reported: 2024-03-15 09:13
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"

Signatures

Quasar RAT (tags: trojan spyware quasar)

Quasar payload
  Description | Indicator | Process | Target
  N/A | N/A | N/A | N/A   (3 matches, no detail recorded)

Executes dropped EXE
  Description | Indicator | Process | Target
  N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Creates scheduled task(s) (tag: persistence)
  Description | Indicator | Process | Target
  N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
  N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken
  Description | Indicator | Process | Target
  Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe | N/A
  Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Suspicious use of SetWindowsHookEx
  Description | Indicator | Process | Target
  N/A | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Uses Task Scheduler COM API (tag: persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe

"C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,1589057049575649654,2929151440327217574,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | www.exiles.site | udp | 1
US | 192.151.244.144:14782 | www.exiles.site | tcp | 1
US | 8.8.8.8:53 | 144.244.151.192.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | ipwho.is | udp | 1
DE | 195.201.57.90:443 | ipwho.is | tcp | 1
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp | 1
US | 13.107.246.64:443 | (no domain recorded) | tcp | 1
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp | 1
US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp | 5
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp | 1

(The five TCP connections to tse1.mm.bing.net are collapsed into one row with a count.)
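Across both detonations the only destination the sample itself adds is www.exiles.site resolving to 192.151.244.144 on TCP port 14782: 35 sessions in the 150 s Windows 7 run, one in the Windows 10 run. The Windows 10 run also shows a lookup of ipwho.is, a public IP-geolocation API, plus a long tail of PTR queries and Edge traffic to Microsoft hosts that the image generates on its own. The Python below is an added example, not part of the report, that separates those three classes and ranks the remaining TCP sessions so the C2 socket falls out as the IOC. The rows are transcribed from the two Network tables (the 35 identical run-1 rows become one row with a count, and only a representative subset of the run-2 PTR rows is included, since they behave identically); the benign-suffix allow-list, the geolocation-host list and the min_sessions threshold are assumptions.

```python
"""Triage the Network tables of both detonations: strip resolver noise and
the sandbox's own Microsoft traffic, then rank repeated TCP sessions to an
unusual port, which is the C2 pattern in this report.  Added example, not
part of the report; the rows are transcribed from the report, with the
35 identical run-1 rows collapsed into one row carrying a count."""
from collections import Counter

# (sessions, country, destination, domain, proto), transcribed from the report
RUN1_ROWS = [
    (1, "US", "8.8.8.8:53", "www.exiles.site", "udp"),
    (35, "US", "192.151.244.144:14782", "www.exiles.site", "tcp"),
]
RUN2_ROWS = [  # representative subset; the remaining PTR rows look like the first
    (1, "US", "8.8.8.8:53", "76.32.126.40.in-addr.arpa", "udp"),
    (1, "US", "8.8.8.8:53", "www.exiles.site", "udp"),
    (1, "US", "192.151.244.144:14782", "www.exiles.site", "tcp"),
    (1, "US", "8.8.8.8:53", "144.244.151.192.in-addr.arpa", "udp"),
    (1, "US", "8.8.8.8:53", "ipwho.is", "udp"),
    (1, "DE", "195.201.57.90:443", "ipwho.is", "tcp"),
    (1, "US", "13.107.246.64:443", "", "tcp"),
    (1, "US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    (5, "US", "204.79.197.200:443", "tse1.mm.bing.net", "tcp"),
]

# traffic the Windows 10 image and Edge generate by themselves (assumed allow-list)
BENIGN_SUFFIXES = (".bing.net", ".microsoft.com")
# public IP-geolocation APIs a RAT client may query to report its location (assumed list)
GEOLOOKUP_HOSTS = {"ipwho.is", "ip-api.com"}


def triage(rows, min_sessions=3):
    """Classify one run's rows into TCP session counts, C2 candidates and geolocation lookups."""
    sessions, names, geolookups = Counter(), {}, set()
    for count, _country, dest, domain, proto in rows:
        host, port = dest.rsplit(":", 1)
        port = int(port)
        if proto == "udp" and port == 53:
            if domain.endswith(".in-addr.arpa"):
                continue                       # PTR lookups: resolver noise, carry no IOC
            if domain in GEOLOOKUP_HOSTS:
                geolookups.add(domain)
            continue                           # forward lookups are attributed via the TCP rows
        sessions[(host, port)] += count
        if domain:
            names[(host, port)] = domain
    c2 = []
    for (host, port), n in sessions.items():
        domain = names.get((host, port), "")
        if domain.endswith(BENIGN_SUFFIXES):
            continue
        if domain in GEOLOOKUP_HOSTS:
            geolookups.add(domain)
            continue
        # a non-standard port, or a standard port hit repeatedly, is the C2 signal
        if port not in (80, 443) or n >= min_sessions:
            c2.append({"host": host, "port": port, "domain": domain, "sessions": n})
    c2.sort(key=lambda c: -c["sessions"])
    return {"sessions": dict(sessions), "c2_candidates": c2,
            "geolookups": sorted(geolookups)}


def merge_iocs(*runs):
    """Union of C2 candidates across detonations, keyed by host:port."""
    iocs = {}
    for rows in runs:
        for c in triage(rows)["c2_candidates"]:
            key = f"{c['host']}:{c['port']}"
            entry = iocs.setdefault(key, {"domain": c["domain"], "sessions": 0})
            entry["sessions"] += c["sessions"]
    return iocs


if __name__ == "__main__":
    for key, ioc in merge_iocs(RUN1_ROWS, RUN2_ROWS).items():
        print(f"{key} ({ioc['domain']}): {ioc['sessions']} sessions across runs")
```

The report gives no packet detail, so the 35 sessions in run 1 should be read as a reconnect pattern (the client re-dialling the same socket for the length of the run), not as a measured beacon interval; the one session in run 2 says only that the connection was attempted there too. The domain, the IP and the port are all worth blocking, but the port is the most stable of the three for detection: 14782 is not a service port, and a long-lived or repeatedly re-established TCP session from a user profile binary to a non-service port is a better generic signal than either the name or the address.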

Files

memory/2556-0-0x0000000000990000-0x0000000000CB4000-memory.dmp

memory/2556-1-0x00007FFB76AA0000-0x00007FFB77561000-memory.dmp

memory/2556-2-0x000000001B8D0000-0x000000001B8E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 3c4347d83ca7602c0c80de91f5b34c08
SHA1 666cadb2d48797bf177a917071760a4d393d2b8a
SHA256 2500c8b9240d16ca983ec8f7e32140baf687871f6df8171186c9097280496959
SHA512 969ae42794e346eb007722ae51f374c63aff22a309b461a74821f74484d1c1a85ea87b23e5540a741ee3a8c7c4cfd195d2627b965a0ac33446ae42d08476d529

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 2ab235cc8ce009416b72bf825b37fbe3
SHA1 dfc1907a82eb9e9d5a58af45b0b3e8385e4a9103
SHA256 f2ebb80b80ee893d6295258e95f6044df48fc23a6b7e87fea3cea74111f73a35
SHA512 de0ac41309d921296298f4b2074b24ba020bf367b85de3563cdd994decd68246a2c1e1aee471706fff4a822e92ab066327d583df9a83b7cbcc364a454e704fe1

memory/2264-9-0x00007FFB76AA0000-0x00007FFB77561000-memory.dmp

memory/2556-10-0x00007FFB76AA0000-0x00007FFB77561000-memory.dmp

memory/2264-11-0x000000001B3C0000-0x000000001B3D0000-memory.dmp

memory/2264-12-0x000000001B9D0000-0x000000001BA20000-memory.dmp

memory/2264-13-0x000000001BAE0000-0x000000001BB92000-memory.dmp

memory/2264-16-0x000000001BA60000-0x000000001BA72000-memory.dmp

memory/2264-17-0x000000001C5E0000-0x000000001C61C000-memory.dmp

memory/2264-18-0x00007FFB76AA0000-0x00007FFB77561000-memory.dmp
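The Files sections of both runs are mostly memory dump names, and the names themselves encode PID, dump sequence number and the dumped address range. Two things a practitioner wants from them before opening any dump: which regions are mapped at the same address in both the dropper and Client.exe (a shared module mapping, not payload) and which are private to one process (the candidates to load into a .NET decompiler first). In run 1 the first dumped process (2388) and the second (3036) each own one low-address private region of exactly 0x324000 bytes, which is what parent and child look like when the child is the same image mapped at a different base; run 2 shows the same 0x324000 region for 2556 only. The Python below is an added example, not part of the report; the dump names are copied from the two Files sections above. Note also that each run lists C:\Users\Admin\AppData\Roaming\SubDir\Client.exe twice with different hashes, so an IOC list built from this page should carry both hash sets for each run rather than one.

```python
"""Parse the memory dump names in the Files sections, group them by PID and
separate regions present in more than one process (shared module mappings)
from regions private to one process (candidates for the unpacked payload).
Added example, not part of the report; the names are copied from it."""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

RUN1_DUMPS = [  # behavioral1 (win7-20240215-en)
    "memory/2388-0-0x0000000000920000-0x0000000000C44000-memory.dmp",
    "memory/2388-1-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp",
    "memory/2388-2-0x000000001B3A0000-0x000000001B420000-memory.dmp",
    "memory/3036-8-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp",
    "memory/3036-11-0x000000001ACF0000-0x000000001AD70000-memory.dmp",
    "memory/3036-10-0x0000000000E10000-0x0000000001134000-memory.dmp",
    "memory/2388-9-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp",
    "memory/3036-12-0x000007FEF5AB0000-0x000007FEF649C000-memory.dmp",
    "memory/3036-13-0x000000001ACF0000-0x000000001AD70000-memory.dmp",
]
RUN2_DUMPS = [  # behavioral2 (win10v2004-20240226-en)
    "memory/2556-0-0x0000000000990000-0x0000000000CB4000-memory.dmp",
    "memory/2556-1-0x00007FFB76AA0000-0x00007FFB77561000-memory.dmp",
    "memory/2556-2-0x000000001B8D0000-0x000000001B8E0000-memory.dmp",
    "memory/2264-9-0x00007FFB76AA0000-0x00007FFB77561000-memory.dmp",
    "memory/2556-10-0x00007FFB76AA0000-0x00007FFB77561000-memory.dmp",
    "memory/2264-11-0x000000001B3C0000-0x000000001B3D0000-memory.dmp",
    "memory/2264-12-0x000000001B9D0000-0x000000001BA20000-memory.dmp",
    "memory/2264-13-0x000000001BAE0000-0x000000001BB92000-memory.dmp",
    "memory/2264-16-0x000000001BA60000-0x000000001BA72000-memory.dmp",
    "memory/2264-17-0x000000001C5E0000-0x000000001C61C000-memory.dmp",
    "memory/2264-18-0x00007FFB76AA0000-0x00007FFB77561000-memory.dmp",
]


def parse_dumps(names):
    """Turn dump file names into (pid, seq, start, end) tuples; seq is the sandbox's dump order."""
    out = []
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if m is None:
            raise ValueError(f"not a sandbox memory dump name: {name}")
        out.append((int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
    return out


def classify(names):
    """Split regions into those mapped at one address in more than one PID and those private to one."""
    regions = parse_dumps(names)
    owners = defaultdict(set)
    for pid, _seq, start, end in regions:
        owners[(start, end)].add(pid)
    shared = sorted(rng for rng, pids in owners.items() if len(pids) > 1)
    private = defaultdict(set)
    for pid, _seq, start, end in regions:
        if len(owners[(start, end)]) == 1:
            private[pid].add((start, end, end - start))   # (start, end, size in bytes)
    return {"pids": sorted({r[0] for r in regions}),
            "shared": shared,
            "private": {pid: sorted(v) for pid, v in private.items()}}


def dump_counts(names):
    """How many times each (pid, start, end) region was dumped during the run."""
    return Counter((pid, start, end) for pid, _seq, start, end in parse_dumps(names))


if __name__ == "__main__":
    for label, names in (("behavioral1", RUN1_DUMPS), ("behavioral2", RUN2_DUMPS)):
        info = classify(names)
        print(label, "shared:", [f"{s:#x}-{e:#x}" for s, e in info["shared"]])
        for pid, regs in info["private"].items():
            print(f"  pid {pid} private:", [f"{s:#x} ({n:#x} bytes)" for s, _e, n in regs])
```

The shared region in each run (0x7FEF5AB0000 on Windows 7, 0x7FFB76AA0000 on Windows 10) sits in the high half of the 64-bit user address space where system DLLs are mapped and is about 10 MB in both cases; whatever module it is, a region mapped at an identical address in two different processes is a loaded image, so dump it once, identify it, and do not spend time on it as payload. The private regions dumped more than once (0x1ACF0000 in 3036 was dumped at sequence 11 and again at 13) are the ones the sandbox saw change during the run, which is the usual sign of a decrypted or unpacked buffer.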