Malware Analysis Report

2025-04-13 12:14

Sample ID 240330-meqjaadh42
Target nyMr9D3bkD.rar
SHA256 ca46530a37639b1994d97ebe3b47d002247dc87b98f15401f4b0356a56bfc94d
Tags
quasar nymr9d3bkd spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca46530a37639b1994d97ebe3b47d002247dc87b98f15401f4b0356a56bfc94d

Threat Level: Known bad

The file nyMr9D3bkD.rar was found to be: Known bad.

Triage summary (editor's reading of the detonations below): the archive holds two unsigned executables. "krampus more like kracked.exe" is a Quasar RAT client. It installs a copy as C:\Users\Admin\AppData\Roaming\SubDir\Client.exe (SubDir and Client.exe are Quasar's default install directory and file name) and registers a logon-triggered scheduled task named "Update" that runs that copy with /rl HIGHEST. behavioral1, the only run in which Client.exe actually executes, shows 72 connection attempts to 192.168.0.24:4782; 4782 is Quasar's default listener port, and because the address is in a private (RFC 1918) range no C2 was reachable from the sandbox, so the repeated rows are the client's reconnect loop. behavioral3, where the original executable runs alone and Client.exe is never started, shows no network activity. The second file, b9RCiDQEqT.exe, detonated on its own in behavioral2, triggers no signatures and only resolves and contacts loader.live (185.149.120.169) on ports 80 and 443. Several of the "suspicious" signatures listed below (FindShellTrayWindow, GetForegroundWindowSpam, the SeRestorePrivilege/SeSecurityPrivilege token adjustments, one of the SetWindowsHookEx hits) are raised by 7zFM.exe and MiniSearchHost.exe, the sandbox's own archive viewer and Windows search UI, and should not be attributed to the sample.

Malicious Activity Summary

quasar nymr9d3bkd spyware trojan

Quasar payload

Quasar RAT

Quasar family

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-30 10:22

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-30 10:22

Reported

2024-03-30 10:54

Platform

win11-20240221-en

Max time kernel

1789s

Max time network

1802s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD.rar

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Both hits are the same command (see Processes): schtasks /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f. This is Quasar's startup routine when it runs with administrative rights: a task triggered at every logon that runs the installed client at the highest run level, with /f silently overwriting any existing task of that name. The process list shows one invocation following the start of the original executable and a second following the start of the installed Client.exe. A quick host check is a task named "Update" whose action points into %APPDATA%.

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-160263616-143223877-1356318919-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 (privilege LUID 35, SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD.rar"

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe

"C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\Desktop\nyMr9D3bkD\b9RCiDQEqT.exe

"C:\Users\Admin\Desktop\nyMr9D3bkD\b9RCiDQEqT.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
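The persistence chain above (schtasks creating an ONLOGON, HIGHEST-run-level task whose action sits under %APPDATA%, followed by a process start of exactly that action) is what a detection engineer wants to catch from process-creation telemetry. The block below is an added example and not part of the sandbox report or of any vendor's rule set: it scores schtasks /create command lines the way a Sysmon Event ID 1 or EDR consumer would, then correlates a later process start with the task action. The sample records are constructed from the behavioral1 process list; the field names, weights and threshold are assumptions for the example.

```python
"""Scheduled-task persistence detection over process-creation records.

Added example, not part of the sandbox report. Records are constructed from
the behavioral1 process list; ProcRecord/Finding field names, the weights
and the threshold are assumptions for the example.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ProcRecord:
    image: str    # full image path, as a Sysmon/EDR process-creation record carries it
    cmdline: str  # raw command line


@dataclass
class Finding:
    rule: str
    image: str
    detail: str
    reasons: list = field(default_factory=list)


# Profile locations an unprivileged user can write to. A task action here is a
# weak signal alone and a strong one together with ONLOGON and /rl HIGHEST.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData\\(Roaming|Local)|Desktop|Downloads)\\", re.I)


def _arg(cmdline: str, flag: str):
    """Return the value following /flag (quoted or bare), or None."""
    m = re.search(r"(?i)(?:^|\s)/" + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def _has_switch(cmdline: str, flag: str) -> bool:
    """True if /flag appears as a stand-alone switch."""
    return re.search(r"(?i)(?:^|\s)/" + re.escape(flag) + r"(?=\s|$)", cmdline) is not None


def check_schtasks(rec: ProcRecord, threshold: int = 3):
    """Score a schtasks /create invocation; return a Finding at or above threshold."""
    if not rec.image.lower().endswith("\\schtasks.exe") or not _has_switch(rec.cmdline, "create"):
        return None
    action = _arg(rec.cmdline, "tr") or ""
    reasons, score = [], 0
    if (_arg(rec.cmdline, "sc") or "").upper() == "ONLOGON":
        score += 1; reasons.append("ONLOGON trigger")
    if (_arg(rec.cmdline, "rl") or "").upper() == "HIGHEST":
        score += 1; reasons.append("/rl HIGHEST")
    if USER_WRITABLE.search(action):
        score += 2; reasons.append("action in user-writable path")
    if _has_switch(rec.cmdline, "f"):
        score += 1; reasons.append("/f overwrite")
    if score < threshold:
        return None
    name = _arg(rec.cmdline, "tn") or "?"
    return Finding("schtasks_onlogon_userdir_persistence", rec.image,
                   f'task "{name}" -> {action}', reasons)


def triage(records, threshold: int = 3):
    """Run the schtasks check over a stream of records and correlate later
    process starts whose image equals a flagged task action."""
    findings, pending_actions = [], {}
    for rec in records:
        f = check_schtasks(rec, threshold)
        if f:
            findings.append(f)
            action = _arg(rec.cmdline, "tr")
            if action:
                pending_actions[action.lower()] = f
            continue
        hit = pending_actions.get(rec.image.lower())
        if hit:
            findings.append(Finding("task_action_executed", rec.image,
                                    f"image matches action of {hit.detail}"))
    return findings


# Constructed from the behavioral1 process list on this page.
SAMPLE_RECORDS = [
    ProcRecord(r"C:\Program Files\7-Zip\7zFM.exe",
               r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD.rar"'),
    ProcRecord(r"C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe",
               r'"C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe"'),
    ProcRecord(r"C:\Windows\SYSTEM32\schtasks.exe",
               r'"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'),
    ProcRecord(r"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe",
               r'"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"'),
    ProcRecord(r"C:\Windows\SYSTEM32\schtasks.exe",
               r'"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f'),
    ProcRecord(r"C:\Windows\system32\svchost.exe",
               r"C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc"),
]

# Constructed benign control: a daily task in Program Files must not fire.
BENIGN = ProcRecord(r"C:\Windows\System32\schtasks.exe",
                    r'schtasks /create /tn "Backup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"')

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS + [BENIGN]):
        print(f.rule, "|", f.image, "|", f.detail, "|", ", ".join(f.reasons))
```

The weighting is deliberate: ONLOGON and /rl HIGHEST are common in legitimate installers, so neither reaches the threshold without the user-writable action path, while the correlation step turns a single schtasks hit into evidence that the persisted binary actually ran.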

Network

Country Destination Domain Proto
US 8.8.8.8:53 loader.live udp
RU 185.149.120.169:80 loader.live tcp
N/A 192.168.0.24:4782 tcp
RU 185.149.120.169:443 loader.live tcp
N/A 127.0.0.1:49769 tcp
N/A 127.0.0.1:49774 tcp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
N/A 192.168.0.24:4782 tcp
GB 104.86.110.106:443 tcp
US 8.8.8.8:53 browser.pipe.aria.microsoft.com udp
US 52.168.117.171:443 browser.pipe.aria.microsoft.com tcp
GB 2.18.66.59:443 www.bing.com tcp (8 connections; routine Windows background traffic, not attributable to the sample from this report)
N/A 192.168.0.24:4782 tcp (70 further attempts identical to the two rows above, 72 in total)

Note: 4782 is Quasar's default listener port, and 192.168.0.24 is a private-range address, so the C2 this build was configured for is not reachable from the sandbox. The repeated rows are the installed client's reconnect loop, not successful sessions.
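The flat network table above hides its most useful fact, the reconnect loop, behind seventy identical rows. The block below is an added example, not part of the sandbox report: it collapses Country/Destination/Domain/Proto rows into per-destination counts and flags the pattern a RAT client produces when its C2 is down (many attempts to one host on a non-web port, here a private-range address on Quasar's default port). The rows are constructed from the behavioral1 table, with the 4782 entries emitted by count; the threshold and port lists are assumptions for the example.

```python
"""Reconnect-loop triage over a sandbox network table.

Added example, not part of the sandbox report. ROWS is constructed from the
behavioral1 Network table above; REPEAT_THRESHOLD and WEB_PORTS are
assumptions for the example.
"""
import ipaddress
from collections import Counter

# (country, destination, domain, proto), constructed from the report above.
ROWS = (
    [
        ("US", "8.8.8.8:53", "loader.live", "udp"),
        ("RU", "185.149.120.169:80", "loader.live", "tcp"),
        ("RU", "185.149.120.169:443", "loader.live", "tcp"),
        ("N/A", "127.0.0.1:49769", "", "tcp"),
        ("GB", "104.86.110.106:443", "", "tcp"),
        ("US", "52.168.117.171:443", "browser.pipe.aria.microsoft.com", "tcp"),
    ]
    + [("GB", "2.18.66.59:443", "www.bing.com", "tcp")] * 8
    + [("N/A", "192.168.0.24:4782", "", "tcp")] * 72
)

WEB_PORTS = {53, 80, 443}   # ports where repeated connections are routine (assumption)
REPEAT_THRESHOLD = 10       # attempts to one host:port before it is called a loop (assumption)
QUASAR_DEFAULT_PORT = 4782  # Quasar RAT's default listener port


def split_dest(dest: str):
    """'192.168.0.24:4782' -> ('192.168.0.24', 4782)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def summarize(rows):
    """Collapse the table to (destination, domain, proto, count), most frequent first."""
    counts = Counter((dest, domain, proto) for _, dest, domain, proto in rows)
    return [(d, dom, p, n) for (d, dom, p), n in counts.most_common()]


def triage_network(rows, threshold: int = REPEAT_THRESHOLD):
    """Return (destination, proto, count, tags) for destinations worth a look.

    Loopback sockets are sandbox-internal and skipped. A destination is tagged
    when it shows a reconnect loop on a non-web port, sits in a private range
    (the sample cannot have reached a real C2 from the sandbox), or uses the
    Quasar default port.
    """
    counts = Counter((dest, proto) for _, dest, _, proto in rows)
    findings = []
    for (dest, proto), n in counts.most_common():
        host, port = split_dest(dest)
        ip = ipaddress.ip_address(host)
        if ip.is_loopback:
            continue
        tags = []
        if n >= threshold and port not in WEB_PORTS:
            tags.append(f"reconnect loop: {n} attempts")
        if ip.is_private:
            tags.append("private-range destination: C2 not reachable from sandbox")
        if port == QUASAR_DEFAULT_PORT:
            tags.append("Quasar default port")
        if tags:
            findings.append((dest, proto, n, tags))
    return findings


if __name__ == "__main__":
    for dest, domain, proto, n in summarize(ROWS):
        print(f"{n:3d}  {dest:<24} {proto:<4} {domain}")
    for dest, proto, n, tags in triage_network(ROWS):
        print("FLAG", dest, proto, n, "; ".join(tags))
```

Keeping the web ports out of the loop heuristic is what stops the eight www.bing.com rows from being reported: repeated HTTPS to a CDN is normal Windows behaviour, whereas seventy-two attempts to one private host on 4782 is the client retrying an absent server.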

Files

C:\Users\Admin\Desktop\nyMr9D3bkD\krampus more like kracked.exe

MD5 236ce233b606ae8a5c0d9718c41e1025
SHA1 391cbbda35a59fcda95e751bb9398bb86db904b9
SHA256 49376d9766f6944866c5d917905a57b9e41bf100457fd3d9b389f6c3c0abbb92
SHA512 1bdf7f4ae94f4a3b82fcaafc8a5bd2187e00ad466793481e59dfe90afee2e5730e59e49d009d629930b903a44d11e029120fa5e8203e0ea8b1ab2496b7a1e793

memory/3056-8-0x00000000001F0000-0x000000000051C000-memory.dmp

memory/3056-10-0x000000001B2A0000-0x000000001B2B0000-memory.dmp

memory/3056-9-0x00007FFEDA580000-0x00007FFEDB042000-memory.dmp

memory/3056-16-0x00007FFEDA580000-0x00007FFEDB042000-memory.dmp

memory/2840-17-0x00007FFEDA580000-0x00007FFEDB042000-memory.dmp

memory/2840-18-0x0000000001380000-0x0000000001390000-memory.dmp

C:\Users\Admin\Desktop\nyMr9D3bkD\b9RCiDQEqT.exe

MD5 5617f3c2904f7376fc9b8da1e98ec8db
SHA1 0b46078d6f0ecda18a52346ffdc59ebe37711548
SHA256 adb05152e06fe820ad357b596e359c8a6f219f1024393d2168fba4b497b7df04
SHA512 56a3a647fec403a0512afb1b5dd5ac89482f9c916bdebabc98db550950f77dbd0aaf544b4014c008b460de4f84d8f2bae8fe02147a461d08cf01115272ccb008

memory/2840-20-0x0000000002D40000-0x0000000002D90000-memory.dmp

memory/2840-21-0x000000001C4E0000-0x000000001C592000-memory.dmp

memory/2840-23-0x00007FFEDA580000-0x00007FFEDB042000-memory.dmp

memory/2840-24-0x0000000001380000-0x0000000001390000-memory.dmp

memory/2840-25-0x000000001CE20000-0x000000001D348000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-30 10:22

Reported

2024-03-30 10:54

Platform

win11-20240221-en

Max time kernel

447s

Max time network

1172s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\b9RCiDQEqT.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\b9RCiDQEqT.exe

"C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\b9RCiDQEqT.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 loader.live udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 185.149.120.169:80 loader.live tcp
RU 185.149.120.169:443 loader.live tcp
N/A 127.0.0.1:49756 tcp
N/A 127.0.0.1:49759 tcp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
US 8.8.8.8:53 9.143.101.95.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-30 10:22

Reported

2024-03-30 10:54

Platform

win11-20240221-en

Max time kernel

431s

Max time network

1156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\krampus more like kracked.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\krampus more like kracked.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\krampus more like kracked.exe

"C:\Users\Admin\AppData\Local\Temp\nyMr9D3bkD\krampus more like kracked.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Files

memory/3572-0-0x0000000000E20000-0x000000000114C000-memory.dmp

memory/3572-1-0x00007FFF05740000-0x00007FFF06202000-memory.dmp

memory/3572-2-0x000000001BD60000-0x000000001BD70000-memory.dmp

memory/3572-4-0x00007FFF05740000-0x00007FFF06202000-memory.dmp

memory/3572-5-0x000000001BD60000-0x000000001BD70000-memory.dmp