Malware Analysis Report

2025-04-13 12:14

Sample ID 240330-crz85sfg39
Target c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe
SHA256 c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582
Tags
quasar 50 installs spyware trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582

Threat Level: Known bad

The file c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe was found to be: Known bad.

Malicious Activity Summary

quasar 50 installs spyware trojan

Detects Windows executables referencing non-Windows User-Agents

Quasar family

Detects executables containing common artifacts observed in infostealers

Quasar payload

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Quasar RAT

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects Windows executables referencing non-Windows User-Agents

Detects executables containing common artifacts observed in infostealers

Executes dropped EXE

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-30 02:19

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-30 02:19

Reported

2024-03-30 02:21

Platform

win7-20240221-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe C:\Windows\system32\schtasks.exe
PID 2376 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe C:\Windows\system32\schtasks.exe
PID 2376 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe C:\Windows\system32\schtasks.exe
PID 2376 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
PID 2376 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
PID 2376 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe
PID 2992 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe C:\Windows\system32\schtasks.exe
PID 2992 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe C:\Windows\system32\schtasks.exe
PID 2992 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe

"C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe

"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
NL 217.63.234.90:4444 N/A tcp
NL 217.63.234.90:1313 N/A tcp
N/A 127.0.0.1:1313 N/A tcp
NL 217.63.234.90:4444 N/A tcp
NL 217.63.234.90:1313 N/A tcp
N/A 127.0.0.1:1313 N/A tcp
NL 217.63.234.90:4444 N/A tcp
NL 217.63.234.90:1313 N/A tcp
N/A 127.0.0.1:1313 N/A tcp
NL 217.63.234.90:4444 N/A tcp
NL 217.63.234.90:1313 N/A tcp
N/A 127.0.0.1:1313 N/A tcp
NL 217.63.234.90:4444 N/A tcp
NL 217.63.234.90:1313 N/A tcp
N/A 127.0.0.1:1313 N/A tcp
NL 217.63.234.90:4444 N/A tcp
NL 217.63.234.90:1313 N/A tcp
N/A 127.0.0.1:1313 N/A tcp
NL 217.63.234.90:4444 N/A tcp
NL 217.63.234.90:1313 N/A tcp
N/A 127.0.0.1:1313 N/A tcp
NL 217.63.234.90:4444 N/A tcp
NL 217.63.234.90:1313 N/A tcp
N/A 127.0.0.1:1313 N/A tcp
NL 217.63.234.90:4444 N/A tcp
NL 217.63.234.90:1313 N/A tcp
N/A 127.0.0.1:1313 N/A tcp
NL 217.63.234.90:4444 N/A tcp
NL 217.63.234.90:1313 N/A tcp
N/A 127.0.0.1:1313 N/A tcp
NL 217.63.234.90:4444 N/A tcp

Files

memory/2376-0-0x00000000002B0000-0x00000000005D4000-memory.dmp

memory/2376-1-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

memory/2376-2-0x000000001B430000-0x000000001B4B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe

MD5 c4497b459274cec0b9fd6e3ac6c67aaa
SHA1 1c8b8e42b8284b6dc2d2741850a9c01c07a5088f
SHA256 c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582
SHA512 bf64fd7a95dedd703a04cf661b35ebaa343dd7b2e907d1de20d16bcb91259b76ba9f80a817d391487eb5c4f549658ba545673b3b3f26cc45e0a16fecfff01c24

memory/2376-9-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

memory/2992-10-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

memory/2992-11-0x000000001AF00000-0x000000001AF80000-memory.dmp

memory/2992-8-0x0000000000BF0000-0x0000000000F14000-memory.dmp

memory/2992-12-0x000007FEF5870000-0x000007FEF625C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-30 02:19

Reported

2024-03-30 02:21

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing common artifacts observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe

"C:\Users\Admin\AppData\Local\Temp\c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe

"C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost.exe" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 201.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
NL 217.63.234.90:4444 N/A tcp
NL 217.63.234.90:1313 N/A tcp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 90.234.63.217.in-addr.arpa udp
US 8.8.8.8:53 73.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 219.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 152.141.79.40.in-addr.arpa udp

Files

memory/2376-0-0x0000000000B70000-0x0000000000E94000-memory.dmp

memory/2376-1-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

memory/2376-2-0x000000001B9E0000-0x000000001B9F0000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\svchost.exe

MD5 c4497b459274cec0b9fd6e3ac6c67aaa
SHA1 1c8b8e42b8284b6dc2d2741850a9c01c07a5088f
SHA256 c88caddc2a450135e7f7d36d8b9857628b96f97b67d782025b229034d34f9582
SHA512 bf64fd7a95dedd703a04cf661b35ebaa343dd7b2e907d1de20d16bcb91259b76ba9f80a817d391487eb5c4f549658ba545673b3b3f26cc45e0a16fecfff01c24

memory/2376-10-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

memory/2168-9-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp

memory/2168-11-0x000000001AFB0000-0x000000001B000000-memory.dmp

memory/2168-12-0x000000001CC00000-0x000000001CCB2000-memory.dmp

memory/2168-15-0x000000001C380000-0x000000001C392000-memory.dmp

memory/2168-16-0x000000001D500000-0x000000001D53C000-memory.dmp

memory/2168-17-0x00007FFBD9580000-0x00007FFBDA041000-memory.dmp