Malware Analysis Report

2025-06-16 05:32

Sample ID 240315-k6x2bseg53
Target 2386d1e1a35e51b0c869655580ab6431.exe
SHA256 a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c
Tags
office01 quasar spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c

Threat Level: Known bad

The file 2386d1e1a35e51b0c869655580ab6431.exe was found to be: Known bad.

Malicious Activity Summary

office01 quasar spyware trojan

Quasar family

Quasar payload

Quasar RAT

Executes dropped EXE

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-15 09:13

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 09:13

Reported

2024-03-15 09:16

Platform

win7-20240221-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe

"C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
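
The command line above is the persistence step the report flags under "Creates scheduled task(s)". The following is an added example, not code from the report or from the Quasar project: a Python detector that parses `schtasks /create` command lines as they appear in process-creation telemetry (Sysmon event 1, Security event 4688) and scores the combination recorded here: a logon trigger, run level HIGHEST, an action under a user-writable path, and the Quasar default task name. The sample command lines and the user-writable path patterns are constructed for the example; the first sample line is the one captured in this report.

```python
"""Score schtasks /create command lines for Quasar-style logon persistence.

Added example, not part of the sandbox report or of Quasar itself. It parses
the switches of a `schtasks /create` invocation as captured in process
creation logs and flags the combination seen in the report: logon trigger,
highest run level, action under a user-writable path, Quasar default task
name. Sample command lines are constructed; the first is the one recorded
in this report.
"""
import re
from dataclasses import dataclass

SAMPLE_CMDLINES = [
    r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f',
    r'schtasks /create /tn "Adobe Acrobat Update Task" /sc DAILY /tr "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /f',
    r'schtasks /query /tn "Quasar Client Startup"',
    r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"',
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Switches that take a value; everything else (/f, /z, ...) is a bare flag.
VALUED_SWITCHES = {"/tn", "/sc", "/tr", "/rl", "/ru", "/rp", "/mo",
                   "/st", "/sd", "/ed", "/du", "/xml"}
LOGON_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE"}
# Assumed set of user-writable drop locations (an assumption, not from the report).
USER_WRITABLE_RE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\programdata\\|\\windows\\temp\\",
    re.IGNORECASE,
)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, honouring double-quoted arguments."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in TOKEN_RE.finditer(cmdline)]


@dataclass
class SchtasksCreate:
    task_name: str
    schedule: str
    action: str
    run_level: str


def parse_schtasks_create(cmdline: str):
    """Return the parsed task, or None if this is not a schtasks /create call."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    if image not in {"schtasks", "schtasks.exe"}:
        return None
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return None
    args = {}
    i = 1
    while i < len(tokens):
        if lowered[i] in VALUED_SWITCHES and i + 1 < len(tokens):
            args[lowered[i]] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return SchtasksCreate(
        task_name=args.get("/tn", ""),
        schedule=args.get("/sc", "").upper(),
        action=args.get("/tr", ""),
        run_level=args.get("/rl", "").upper(),
    )


def assess(cmdline: str) -> list[str]:
    """List the reasons a schtasks /create line looks like RAT persistence."""
    task = parse_schtasks_create(cmdline)
    if task is None:
        return []
    reasons = []
    if task.schedule in LOGON_TRIGGERS:
        reasons.append(f"boot/logon trigger ({task.schedule})")
    if task.run_level == "HIGHEST":
        reasons.append("run level HIGHEST")
    if USER_WRITABLE_RE.search(task.action):
        reasons.append("action under a user-writable path")
    if "quasar" in task.task_name.lower():
        reasons.append("task name matches the Quasar default")
    return reasons


def is_suspicious(cmdline: str, threshold: int = 2) -> bool:
    """Two independent signals are enough; the report's line scores four."""
    return len(assess(cmdline)) >= threshold


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(is_suspicious(line), assess(line), line[:60])
```

The threshold of two keeps the rule useful once the task name is changed from the default: a logon-triggered task whose action lives under AppData is still flagged. Note that `/rl HIGHEST` only yields an elevated task when the creating account is an administrator; for a standard user the task runs with that user's token, so the flag is a signal of intent rather than proof of elevation.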

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.exiles.site udp
US 192.151.244.144:14782 www.exiles.site tcp
(the TCP row above is listed 36 times in the original table: repeated connections to the same endpoint over the 150 s run)

Files

memory/2176-0-0x0000000000E70000-0x0000000001194000-memory.dmp

memory/2176-1-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

memory/2176-2-0x000000001B1B0000-0x000000001B230000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 16015fbd05ec4aa780ac649ecb3f00fd
SHA1 7bf57070a7d0e29a78e71f6dd6dc7d084f98a8f3
SHA256 5e626d87f6b38d573e4a12250e440f16d42600f76788077693833976dbee22c7
SHA512 fa3f601e0f9efaa473f70ac7862d851d2747911dc0f0edf15067f0a0326c60c86e5e0a1eb1d4cfc3dccd4602dfffc2621a55a38b1a9d859f8874e70dd4226756

memory/1104-8-0x0000000000310000-0x0000000000634000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 2386d1e1a35e51b0c869655580ab6431
SHA1 44de49d3050793f1cea18a62fc7649c96deebaa7
SHA256 a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c
SHA512 69d99d6d9d85c83f3d5029cec04abfddc54142044d39078799ba77fcec2715d41bbf4b114981fa697a8ee1afd9aa796733897e6d337ef1941e72d88631da5946

(The same path is listed twice with different hashes. This second entry carries the submitted sample's own MD5/SHA1/SHA256, so the dropped Client.exe is a byte-identical self-copy of the original executable.)

memory/1104-9-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

memory/1104-10-0x000000001B040000-0x000000001B0C0000-memory.dmp

memory/2176-11-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

memory/1104-12-0x000007FEF5E60000-0x000007FEF684C000-memory.dmp

memory/1104-13-0x000000001B040000-0x000000001B0C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-15 09:13

Reported

2024-03-15 09:15

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe

"C:\Users\Admin\AppData\Local\Temp\2386d1e1a35e51b0c869655580ab6431.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 www.exiles.site udp
US 192.151.244.144:14782 www.exiles.site tcp
US 8.8.8.8:53 ipwho.is udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 144.244.151.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
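
The rows above mix the sample's own traffic with sandbox and OS background. As an added example that is not part of the report, the Python below parses rows in this table's format, drops the reverse (in-addr.arpa) lookups, collapses repeated connections, and separates TCP endpoints on non-web ports from the rest, which is the triage a practitioner does before turning this table into block rules. RAW_ROWS is a constructed subset of the rows from both detonations (the first table's 36 identical TCP rows reduced to three); the background-domain allowlist is an assumption, not something the report states.

```python
"""Reduce a sandbox network table to IOC candidates.

Added example, not part of the report. RAW_ROWS is a constructed subset of
the rows in the report's Network sections (same column order: country,
destination, domain, protocol). BACKGROUND_SUFFIXES is an assumption about
Windows 10 sandbox background traffic, not something the report states.
"""
from collections import Counter
from dataclasses import dataclass

RAW_ROWS = """\
US 8.8.8.8:53 www.exiles.site udp
US 192.151.244.144:14782 www.exiles.site tcp
US 192.151.244.144:14782 www.exiles.site tcp
US 192.151.244.144:14782 www.exiles.site tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
"""

# Assumed background noise for a Windows 10 sandbox image; tune per environment.
BACKGROUND_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")
WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str   # "" when the report row had no domain column
    proto: str


def parse_rows(text: str) -> list[Flow]:
    """Parse 'country ip:port [domain] proto' rows; skip anything else."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:           # row with the domain column missing
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows


def is_ptr_lookup(name: str) -> bool:
    return name.endswith(".in-addr.arpa") or name.endswith(".ip6.arpa")


def is_background(name: str) -> bool:
    return any(name.endswith(s) for s in BACKGROUND_SUFFIXES)


def resolved_names(flows: list[Flow]) -> list[str]:
    """Forward DNS names that were queried, with reverse-lookup noise removed."""
    return sorted({f.domain for f in flows
                   if f.proto == "udp" and f.port == 53
                   and f.domain and not is_ptr_lookup(f.domain)})


def tcp_endpoints(flows: list[Flow]) -> Counter:
    """Collapse repeated TCP rows into (domain, ip, port) -> connection count."""
    return Counter((f.domain, f.ip, f.port) for f in flows if f.proto == "tcp")


def c2_candidates(flows: list[Flow]) -> list[tuple]:
    """TCP endpoints that are not background, non-web ports first, busiest first."""
    out = []
    for (domain, ip, port), n in tcp_endpoints(flows).items():
        if is_background(domain):
            continue
        label = "non-standard port" if port not in WEB_PORTS else "web port"
        out.append((domain, ip, port, n, label))
    return sorted(out, key=lambda r: (r[2] in WEB_PORTS, -r[3]))


if __name__ == "__main__":
    flows = parse_rows(RAW_ROWS)
    print("queried names:", resolved_names(flows))
    for domain, ip, port, n, label in c2_candidates(flows):
        print(f"{domain} {ip}:{port} x{n} ({label})")
```

On this report the split is clean: www.exiles.site on 192.151.244.144:14782 is the only non-web-port endpoint and is the C2 indicator worth blocking. The ipwho.is request over 443 is the Quasar client's start-up IP-geolocation lookup (current Quasar releases query ipwho.is) and is too generic to block on its own, though a host querying it right after a new AppData executable starts is a useful correlation. The bing.net connections and the PTR lookups of Microsoft address space are the Windows 10 image's own background traffic and belong in the allowlist, not in the IOC list.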

Files

memory/3092-0-0x00000000003F0000-0x0000000000714000-memory.dmp

memory/3092-1-0x00007FFCA6780000-0x00007FFCA7241000-memory.dmp

memory/3092-2-0x000000001B2F0000-0x000000001B300000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 2386d1e1a35e51b0c869655580ab6431
SHA1 44de49d3050793f1cea18a62fc7649c96deebaa7
SHA256 a9e84520f8f8fd1383b54b297044ed2ca34e23172c7b6719a9185527b6fa194c
SHA512 69d99d6d9d85c83f3d5029cec04abfddc54142044d39078799ba77fcec2715d41bbf4b114981fa697a8ee1afd9aa796733897e6d337ef1941e72d88631da5946

memory/3092-9-0x00007FFCA6780000-0x00007FFCA7241000-memory.dmp

memory/2396-10-0x00007FFCA6780000-0x00007FFCA7241000-memory.dmp

memory/2396-11-0x000000001BA30000-0x000000001BA80000-memory.dmp

memory/2396-12-0x000000001C2B0000-0x000000001C362000-memory.dmp

memory/2396-15-0x000000001BAB0000-0x000000001BAC2000-memory.dmp

memory/2396-16-0x000000001C230000-0x000000001C26C000-memory.dmp

memory/2396-17-0x00007FFCA6780000-0x00007FFCA7241000-memory.dmp