quasar | 4571773a3e6ad8353ea567bdc05858a3cc8190ff8fbd40a5c844514bbbf0e6a8

Analysis

max time kernel
159s
max time network
168s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
26/03/2024, 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Microsoft Edge.exe
Size

3.2MB
MD5

0e44355a17e4f66fb5b41acad632bb1b
SHA1

ce7b6aa56b5dae9ff102a37000473239ea63c222
SHA256

4571773a3e6ad8353ea567bdc05858a3cc8190ff8fbd40a5c844514bbbf0e6a8
SHA512

b9d0e0c17774731eb23a56f01f05f4977cf2fb5c8922af38552bef4051ec578e6d3ddf038c94e0ede3986005260dbdb4458dc01a28ff8b3f665b32b6f471459f
SSDEEP

49152:8vBt62XlaSFNWPjljiFa2RoUYIpsivoGdt0THHB72eh2NT9:8vr62XlaSFNWPjljiFXRoUYIps29

Score

10^/10

quasar leo spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Leo

192.168.178.103:42069

Mutex

d48a83a9-fbfc-4973-b9da-e23962f730b0

Attributes

encryption_key
4C3EB5E019E09906D9FE073B58F6E628B0707200
install_name
msedge.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Microsoft Edge
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral2/memory/3168-0-0x0000000000690000-0x00000000009C4000-memory.dmp	family_quasar
behavioral2/files/0x0002000000029d5f-8.dat	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
132	msedge.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SubDir\msedge.exe	msedge.exe
File opened for modification	C:\Windows\system32\SubDir	msedge.exe
File created	C:\Windows\system32\SubDir\msedge.exe	Microsoft Edge.exe
File opened for modification	C:\Windows\system32\SubDir\msedge.exe	Microsoft Edge.exe
File opened for modification	C:\Windows\system32\SubDir	Microsoft Edge.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
888	schtasks.exe
4524	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3168	Microsoft Edge.exe
Token: SeDebugPrivilege	132	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
132	msedge.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 888	3168	Microsoft Edge.exe	80
PID 3168 wrote to memory of 888	3168	Microsoft Edge.exe	80
PID 3168 wrote to memory of 132	3168	Microsoft Edge.exe	82
PID 3168 wrote to memory of 132	3168	Microsoft Edge.exe	82
PID 132 wrote to memory of 4524	132	msedge.exe	83
PID 132 wrote to memory of 4524	132	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Edge.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Microsoft Edge" /sc ONLOGON /tr "C:\Windows\system32\SubDir\msedge.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:888
- C:\Windows\system32\SubDir\msedge.exe
  "C:\Windows\system32\SubDir\msedge.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:132
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Microsoft Edge" /sc ONLOGON /tr "C:\Windows\system32\SubDir\msedge.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\SubDir\msedge.exe

Filesize
3.2MB

MD5
0e44355a17e4f66fb5b41acad632bb1b

SHA1
ce7b6aa56b5dae9ff102a37000473239ea63c222

SHA256
4571773a3e6ad8353ea567bdc05858a3cc8190ff8fbd40a5c844514bbbf0e6a8

SHA512
b9d0e0c17774731eb23a56f01f05f4977cf2fb5c8922af38552bef4051ec578e6d3ddf038c94e0ede3986005260dbdb4458dc01a28ff8b3f665b32b6f471459f

Download Submit
memory/132-10-0x00007FFDDB2E0000-0x00007FFDDBDA2000-memory.dmp

Filesize
10.8MB

Download
memory/132-11-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/132-12-0x000000001B9A0000-0x000000001B9F0000-memory.dmp

Filesize
320KB

Download
memory/132-13-0x000000001C4D0000-0x000000001C582000-memory.dmp

Filesize
712KB

Download
memory/132-14-0x00007FFDDB2E0000-0x00007FFDDBDA2000-memory.dmp

Filesize
10.8MB

Download
memory/132-15-0x000000001BA00000-0x000000001BA10000-memory.dmp

Filesize
64KB

Download
memory/3168-0-0x0000000000690000-0x00000000009C4000-memory.dmp

Filesize
3.2MB

Download
memory/3168-1-0x00007FFDDB2E0000-0x00007FFDDBDA2000-memory.dmp

Filesize
10.8MB

Download
memory/3168-2-0x000000001B760000-0x000000001B770000-memory.dmp

Filesize
64KB

Download
memory/3168-9-0x00007FFDDB2E0000-0x00007FFDDBDA2000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads