quasar | 78e61085e07c0c08e8127b12da6c923a5d2e42929d86d84c82826ea43e2a1128

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-03-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

3.1MB
MD5

8eec6e82f824e964f6a6ae25f97c2b26
SHA1

dd746bd25682356e5a73d0f447e3d0de6907d33d
SHA256

78e61085e07c0c08e8127b12da6c923a5d2e42929d86d84c82826ea43e2a1128
SHA512

f3d6b88f449ff1532b0177f1cd5e940163101a834f8faba1cd4131c72b56c2c75b98aac6568addc933852e0e59decdf999266dc15b86a330daf74acdeb53774d
SSDEEP

49152:yvht62XlaSFNWPjljiFa2RoUYIU+qXBxHeoGdzTHHB72eh2NT:yvL62XlaSFNWPjljiFXRoUYIJqK

Score

10^/10

quasar slave spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Slave

140.238.91.110:45359

Mutex

f8ed2643-0827-4252-bfbe-ca79f67643cb

Attributes

encryption_key
52BB87E2CC96F5243DED8FFD41978ED5C07DF11C
install_name
Steam.exe
log_directory
Error Logs
reconnect_delay
3000
startup_key
svchost
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/940-0-0x0000000000C40000-0x0000000000F64000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe	family_quasar

Executes dropped EXE 1 IoCs

Processes:

Steam.exe

pid process

4292 Steam.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1716 schtasks.exe
2144 schtasks.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Client.exeSteam.exe

description pid process

Token: SeDebugPrivilege 940 Client.exe
Token: SeDebugPrivilege 4292 Steam.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Steam.exe

pid process

4292 Steam.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Steam.exe

pid process

4292 Steam.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Steam.exe

pid process

4292 Steam.exe

pid	process
4292	Steam.exe

pid	process
1716	schtasks.exe
2144	schtasks.exe

description	pid	process
Token: SeDebugPrivilege	940	Client.exe
Token: SeDebugPrivilege	4292	Steam.exe

pid	process
4292	Steam.exe

pid	process
4292	Steam.exe

pid	process
4292	Steam.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

Client.exeSteam.exe

description	pid	process	target process
PID 940 wrote to memory of 1716	940	Client.exe	schtasks.exe
PID 940 wrote to memory of 1716	940	Client.exe	schtasks.exe
PID 940 wrote to memory of 4292	940	Client.exe	Steam.exe
PID 940 wrote to memory of 4292	940	Client.exe	Steam.exe
PID 4292 wrote to memory of 2144	4292	Steam.exe	schtasks.exe
PID 4292 wrote to memory of 2144	4292	Steam.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1716

C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "svchost" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2144

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\SubDir\Steam.exe
Filesize
3.1MB

MD5
8eec6e82f824e964f6a6ae25f97c2b26

SHA1
dd746bd25682356e5a73d0f447e3d0de6907d33d

SHA256
78e61085e07c0c08e8127b12da6c923a5d2e42929d86d84c82826ea43e2a1128

SHA512
f3d6b88f449ff1532b0177f1cd5e940163101a834f8faba1cd4131c72b56c2c75b98aac6568addc933852e0e59decdf999266dc15b86a330daf74acdeb53774d

Download Submit
memory/940-0-0x0000000000C40000-0x0000000000F64000-memory.dmp

Filesize
3.1MB

Download
memory/940-1-0x00007FF9F7000000-0x00007FF9F7AC1000-memory.dmp

Filesize
10.8MB

Download
memory/940-2-0x0000000003060000-0x0000000003070000-memory.dmp

Filesize
64KB

Download
memory/940-10-0x00007FF9F7000000-0x00007FF9F7AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-9-0x00007FF9F7000000-0x00007FF9F7AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-11-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download
memory/4292-12-0x000000001C530000-0x000000001C580000-memory.dmp

Filesize
320KB

Download
memory/4292-13-0x000000001C640000-0x000000001C6F2000-memory.dmp

Filesize
712KB

Download
memory/4292-14-0x00007FF9F7000000-0x00007FF9F7AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4292-15-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download