Malware Analysis Report

2025-04-13 12:12

Sample ID: 240331-aztp8aba45
Target: Client-built.exe
SHA256: f2e04196e1353ad216e077e0aeb2e1ab8ee93b8b16b205422b4cc6d8adc50cc2
Tags: ratted quasar spyware trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview; Signatures
Analysis: behavioral1
  Detonation Overview; Command Line; Signatures; Processes; Network; Files
Analysis: behavioral2
  Detonation Overview; Command Line; Signatures; Processes; Network; Files
Analysis: behavioral3
  Detonation Overview; Command Line; Signatures; Processes; Network; Files

Analysis Overview

Score: 10/10
SHA256: f2e04196e1353ad216e077e0aeb2e1ab8ee93b8b16b205422b4cc6d8adc50cc2
Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

Tags: ratted quasar spyware trojan

Quasar family
Quasar payload
Quasar RAT
Executes dropped EXE: C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe. Its MD5, SHA1 and SHA256 match Client-built.exe, so the "dropped" file is a byte-identical copy of the sample written under the roaming profile and re-launched from there.
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s): schtasks /create, task name "Windows Updater", trigger ONLOGON, run level HIGHEST, action WOS64UPD.exe (identical in all three behavioral runs)
Suspicious use of AdjustPrivilegeToken: SeDebugPrivilege, in both Client-built.exe and WOS64UPD.exe
Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-31 00:39

Signatures

Quasar family (tag: quasar)
Quasar payload: matched; no Description/Indicator/Process/Target details recorded

Unsigned PE: matched; no Description/Indicator/Process/Target details recorded

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-31 00:39
Reported: 2024-03-31 01:09
Platform: win10-20240221-en
Max time kernel: 1776s
Max time network: 1777s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT (tags: trojan spyware quasar)
Quasar payload: two matches; no Description/Indicator/Process/Target details recorded

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

Creates scheduled task(s) (persistence)
  Process: C:\Windows\SYSTEM32\schtasks.exe (two matches)

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

Suspicious use of SetWindowsHookEx
  Process: C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

Uses Task Scheduler COM API (persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

"C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe" /rl HIGHEST /f

Network

Country Destination Domain Proto
GB 140.238.91.110:44867 tcp (20 connections in this run, listed once)
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 110.91.238.140.in-addr.arpa udp
US 8.8.8.8:53 40.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp
US 8.8.8.8:53 80.192.122.92.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp

Files

memory/168-0-0x0000000000700000-0x0000000000A24000-memory.dmp

memory/168-1-0x00007FF8D75C0000-0x00007FF8D7FAC000-memory.dmp

memory/168-2-0x000000001B830000-0x000000001B840000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

MD5 57045c2bf3377b12aa5abce21cc0a99d
SHA1 217202ed404f25fc550ad70fd7066b0fe8773ef9
SHA256 f2e04196e1353ad216e077e0aeb2e1ab8ee93b8b16b205422b4cc6d8adc50cc2
SHA512 9ab46cc194eeaabb75777457a01328f5a8d2ebf604efba0623575cf25c04e206e416ee72db17e3c92a9d363330f82fa3ce2aac64c2a4a61d4dce34d79b73366e

memory/168-8-0x00007FF8D75C0000-0x00007FF8D7FAC000-memory.dmp

memory/3044-9-0x00007FF8D75C0000-0x00007FF8D7FAC000-memory.dmp

memory/3044-10-0x000000001BB20000-0x000000001BB30000-memory.dmp

memory/3044-11-0x000000001C2A0000-0x000000001C2F0000-memory.dmp

memory/3044-12-0x000000001C3B0000-0x000000001C462000-memory.dmp

memory/3044-15-0x000000001C320000-0x000000001C332000-memory.dmp

memory/3044-16-0x000000001CEA0000-0x000000001CEDE000-memory.dmp

memory/3044-17-0x00007FF8D75C0000-0x00007FF8D7FAC000-memory.dmp

memory/3044-18-0x000000001BB20000-0x000000001BB30000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-31 00:39
Reported: 2024-03-31 01:09
Platform: win10v2004-20240319-en
Max time kernel: 1795s
Max time network: 1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT (tags: trojan spyware quasar)
Quasar payload: two matches; no Description/Indicator/Process/Target details recorded

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

Creates scheduled task(s) (persistence)
  Process: C:\Windows\SYSTEM32\schtasks.exe (two matches)

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

Suspicious use of SetWindowsHookEx
  Process: C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

Uses Task Scheduler COM API (persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

"C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe" /rl HIGHEST /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2276,i,5672504106535478802,17394903851940863593,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3680 --field-trial-handle=2276,i,5672504106535478802,17394903851940863593,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 216.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
GB 140.238.91.110:44867 tcp (20 connections in this run, listed once)
US 8.8.8.8:53 110.91.238.140.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 80.192.122.92.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp (4 connections, listed once)
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp (2 queries, listed once)
NL 216.58.214.10:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 10.214.58.216.in-addr.arpa udp

Files

memory/4276-0-0x0000000000790000-0x0000000000AB4000-memory.dmp

memory/4276-1-0x00007FFC40560000-0x00007FFC41021000-memory.dmp

memory/4276-2-0x000000001B780000-0x000000001B790000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

MD5 57045c2bf3377b12aa5abce21cc0a99d
SHA1 217202ed404f25fc550ad70fd7066b0fe8773ef9
SHA256 f2e04196e1353ad216e077e0aeb2e1ab8ee93b8b16b205422b4cc6d8adc50cc2
SHA512 9ab46cc194eeaabb75777457a01328f5a8d2ebf604efba0623575cf25c04e206e416ee72db17e3c92a9d363330f82fa3ce2aac64c2a4a61d4dce34d79b73366e

memory/4276-9-0x00007FFC40560000-0x00007FFC41021000-memory.dmp

memory/4820-8-0x00007FFC40560000-0x00007FFC41021000-memory.dmp

memory/4820-10-0x00000000032C0000-0x00000000032D0000-memory.dmp

memory/4820-11-0x000000001C9F0000-0x000000001CA40000-memory.dmp

memory/4820-12-0x000000001CB00000-0x000000001CBB2000-memory.dmp

memory/4820-15-0x000000001CA80000-0x000000001CA92000-memory.dmp

memory/4820-16-0x000000001D200000-0x000000001D23C000-memory.dmp

memory/4820-17-0x00007FFC40560000-0x00007FFC41021000-memory.dmp

memory/4820-18-0x00000000032C0000-0x00000000032D0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-31 00:39
Reported: 2024-03-31 01:09
Platform: win11-20240221-en
Max time kernel: 1773s
Max time network: 1803s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT (tags: trojan spyware quasar)
Quasar payload: two matches; no Description/Indicator/Process/Target details recorded

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

Creates scheduled task(s) (persistence)
  Process: C:\Windows\SYSTEM32\schtasks.exe (two matches)

Suspicious use of AdjustPrivilegeToken
  Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  Token: SeDebugPrivilege   Process: C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

Suspicious use of SetWindowsHookEx
  Process: C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

Uses Task Scheduler COM API (persistence)

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

"C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Windows Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe" /rl HIGHEST /f

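The schtasks /create command line above is the same in behavioral1, behavioral2 and behavioral3: a task named "Windows Updater", triggered ONLOGON, run level HIGHEST, whose action is the self-copy under AppData\Roaming. The following Python is an added detection example, not part of the sandbox report or of the Quasar project: it parses schtasks /create command lines of that shape and returns the traits that make one look like persistence. The two benign sample lines, the user-writable path list, the masquerade pattern and the option table are assumptions made for the example.

```python
"""Flag schtasks.exe persistence of the kind seen in this report.

Added example: parses 'schtasks /create' command lines (constructed
sample records below) and returns the traits that make one look like
malware persistence rather than an installer's maintenance task.
"""
from __future__ import annotations

import re

# Assumed list of profile/user-writable roots; a task named after a Windows
# component whose action lives here is a masquerade, not a system task.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\", "\\programdata\\")
# Assumed pattern for task names that borrow a Windows/Microsoft identity.
MASQUERADE = re.compile(r"windows|microsoft|update", re.IGNORECASE)
# schtasks options that take a value; any other /x is treated as a switch.
VALUE_OPTS = {"tn", "sc", "tr", "rl", "ru", "rp", "mo", "st", "sd", "ed", "d", "m", "i", "du", "xml"}

# Constructed records: the report's own command line plus two benign ones.
SAMPLE_CMDLINES = [
    '"schtasks" /create /tn "Windows Updater" /sc ONLOGON '
    '/tr "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\WOS64UPD.exe" /rl HIGHEST /f',
    '"schtasks" /create /tn "Nightly Backup" /sc DAILY /st 02:00 '
    '/tr "C:\\Program Files\\Backup\\backup.exe"',
    '"schtasks" /query /tn "Windows Updater"',
]


def tokenize(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def parse_schtasks(cmd: str) -> dict[str, str | bool] | None:
    """Options of a 'schtasks /create' command line, or None if it is not one."""
    toks = tokenize(cmd)
    if not toks or toks[0].rsplit("\\", 1)[-1].lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts: dict[str, str | bool] = {}
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if name in VALUE_OPTS and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[name] = toks[i + 1]
                i += 2
                continue
            opts[name] = True  # bare switch such as /create or /f
        i += 1
    return opts if "create" in opts else None


def assess(cmd: str) -> list[str]:
    """Reasons a 'schtasks /create' line looks like persistence; [] if none."""
    opts = parse_schtasks(cmd)
    if opts is None:
        return []
    task_name = str(opts.get("tn", ""))
    action = str(opts.get("tr", "")).lower()
    reasons = []
    if str(opts.get("sc", "")).upper() in ("ONLOGON", "ONSTART") and str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("runs at logon/start with /rl HIGHEST")
    if any(root in action for root in USER_WRITABLE):
        reasons.append("action binary under a user-writable path")
    if MASQUERADE.search(task_name) and not action.startswith(("c:\\windows\\", "c:\\program files")):
        reasons.append("task name imitates a Windows component but action is outside Windows/Program Files")
    if opts.get("f") is True:
        reasons.append("/f silently replaces any existing task of that name")
    return reasons


def scan(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each flagged command line to its reasons."""
    return {cmd: reasons for cmd in cmdlines if (reasons := assess(cmd))}


if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_CMDLINES).items():
        print(cmd)
        for reason in reasons:
            print("  -", reason)
```

The same check runs unchanged over process-creation command lines from Sysmon Event ID 1 or Security event 4688, and the resulting task can be cross-checked against Security event 4698 (scheduled task created). Note that /rl HIGHEST only asks for the highest token the task's account already holds: it runs the action elevated when the logged-on user is an administrator and does nothing extra for a standard user, so it is a persistence trait, not an escalation by itself.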
Network

Country Destination Domain Proto
GB 140.238.91.110:44867 tcp (20 connections in this run, listed once)
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 65.192.122.92.in-addr.arpa udp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
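All three Network sections show the same pattern: repeated TCP connections to 140.238.91.110:44867 with no domain behind them, a lookup of ipwho.is, and PTR queries for the addresses contacted. The following Python is an added triage example, not part of the sandbox report: it parses rows in the report's own "Country Destination Domain Proto" shape (the Domain column is absent for raw-IP connections), groups the flows, and reports the beacon-like destination, the IP-geolocation check-in and the reverse lookups. The repeat threshold, the common-port list and the geolocation-service list are assumptions; the sample log is the behavioral1 table with the C2 row repeated the 20 times it occurs there.

```python
"""Triage of a sandbox connection log for beaconing and check-in traits.

Added example: parses rows in the 'Country Destination Domain Proto' shape
of the Network sections above and reports repeated raw-IP TCP destinations
on uncommon ports, public IP-geolocation lookups, and reverse (PTR)
lookups. Threshold and service lists are assumptions.
"""
from __future__ import annotations

from collections import Counter

GEOLOCATION_DOMAINS = {"ipwho.is", "ip-api.com", "ipinfo.io", "api.ipify.org"}  # assumed list
COMMON_PORTS = {80, 443, 53, 8080, 8443}  # assumed list
BEACON_MIN_FLOWS = 5  # assumed threshold

# Constructed log: the behavioral1 rows of the report, with the C2 row
# repeated the 20 times it occurs there.
SAMPLE_LOG = (
    "GB 140.238.91.110:44867 tcp\n"
    "US 8.8.8.8:53 ipwho.is udp\n"
    "DE 195.201.57.90:443 ipwho.is tcp\n"
    "US 8.8.8.8:53 110.91.238.140.in-addr.arpa udp\n"
    "NL 52.142.223.178:80 tcp\n"
    + "GB 140.238.91.110:44867 tcp\n" * 19
)


def parse_rows(text: str) -> list[dict]:
    """One dict per row; 3-field rows carry no domain."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue  # header or blank line
        ip, port = dest.rsplit(":", 1)
        flows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return flows


def find_beacons(flows: list[dict], min_flows: int = BEACON_MIN_FLOWS) -> dict[str, int]:
    """Raw-IP TCP destinations on uncommon ports hit at least min_flows times."""
    counts = Counter((f["ip"], f["port"]) for f in flows if f["proto"] == "tcp" and f["domain"] is None)
    return {f"{ip}:{port}": n for (ip, port), n in counts.items() if n >= min_flows and port not in COMMON_PORTS}


def find_geolocation_checks(flows: list[dict]) -> list[str]:
    """Public IP-geolocation services that were contacted or resolved."""
    return sorted({f["domain"] for f in flows if f["domain"] in GEOLOCATION_DOMAINS})


def reverse_lookup_targets(flows: list[dict]) -> list[str]:
    """Addresses queried via PTR, turned from x.x.x.x.in-addr.arpa back into dotted form."""
    suffix = ".in-addr.arpa"
    targets = set()
    for f in flows:
        domain = f["domain"] or ""
        if domain.endswith(suffix):
            targets.add(".".join(reversed(domain[: -len(suffix)].split("."))))
    return sorted(targets)


def triage(text: str) -> dict:
    """Beacons, geolocation check-ins and PTR targets, plus beacons that were also resolved in reverse."""
    flows = parse_rows(text)
    beacons = find_beacons(flows)
    ptrs = reverse_lookup_targets(flows)
    return {
        "beacons": beacons,
        "geolocation": find_geolocation_checks(flows),
        "ptr_targets": ptrs,
        "beacons_with_ptr": sorted(b for b in beacons if b.rsplit(":", 1)[0] in ptrs),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On this log the only beacon candidate is 140.238.91.110:44867, the geolocation check-in is ipwho.is, and the C2 address is also the target of a PTR query. A single ipwho.is lookup is not malicious on its own; it is the combination with a raw-IP, high-port, repeating TCP destination immediately after launch that is worth a rule.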

Files

memory/3628-0-0x0000000000480000-0x00000000007A4000-memory.dmp

memory/3628-1-0x00007FFDE9FC0000-0x00007FFDEAA82000-memory.dmp

memory/3628-2-0x0000000002B70000-0x0000000002B80000-memory.dmp

C:\Users\Admin\AppData\Roaming\Windows\WOS64UPD.exe

MD5 57045c2bf3377b12aa5abce21cc0a99d
SHA1 217202ed404f25fc550ad70fd7066b0fe8773ef9
SHA256 f2e04196e1353ad216e077e0aeb2e1ab8ee93b8b16b205422b4cc6d8adc50cc2
SHA512 9ab46cc194eeaabb75777457a01328f5a8d2ebf604efba0623575cf25c04e206e416ee72db17e3c92a9d363330f82fa3ce2aac64c2a4a61d4dce34d79b73366e

memory/3628-9-0x00007FFDE9FC0000-0x00007FFDEAA82000-memory.dmp

memory/4548-8-0x00007FFDE9FC0000-0x00007FFDEAA82000-memory.dmp

memory/4548-10-0x000000001BC20000-0x000000001BC30000-memory.dmp

memory/4548-11-0x000000001C720000-0x000000001C770000-memory.dmp

memory/4548-12-0x000000001C830000-0x000000001C8E2000-memory.dmp

memory/4548-15-0x000000001C7B0000-0x000000001C7C2000-memory.dmp

memory/4548-16-0x000000001D040000-0x000000001D07C000-memory.dmp

memory/4548-17-0x00007FFDE9FC0000-0x00007FFDEAA82000-memory.dmp

memory/4548-18-0x000000001BC20000-0x000000001BC30000-memory.dmp
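The Files sections of the three runs list memory dumps by PID, dump sequence number and address range. The following Python is an added parsing example, not part of the sandbox report: it reads names of that form, computes each region's size, counts how often each distinct range was dumped per process, and lists the ranges that occur in both the original process and the re-launched copy. The page does not say what any region holds, so only base, size and recurrence are derived. The sample input is the behavioral1 list copied from above.

```python
"""Size and cross-process comparison of the memory dump regions.

Added example: parses 'memory/<pid>-<n>-<start>-<end>-memory.dmp' names
from the Files sections, computes each region's size and lists ranges
that occur in more than one PID.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# The behavioral1 Files entries, copied from the report above.
SAMPLE_FILES = """
memory/168-0-0x0000000000700000-0x0000000000A24000-memory.dmp
memory/168-1-0x00007FF8D75C0000-0x00007FF8D7FAC000-memory.dmp
memory/168-2-0x000000001B830000-0x000000001B840000-memory.dmp
memory/168-8-0x00007FF8D75C0000-0x00007FF8D7FAC000-memory.dmp
memory/3044-9-0x00007FF8D75C0000-0x00007FF8D7FAC000-memory.dmp
memory/3044-10-0x000000001BB20000-0x000000001BB30000-memory.dmp
memory/3044-11-0x000000001C2A0000-0x000000001C2F0000-memory.dmp
memory/3044-12-0x000000001C3B0000-0x000000001C462000-memory.dmp
memory/3044-15-0x000000001C320000-0x000000001C332000-memory.dmp
memory/3044-16-0x000000001CEA0000-0x000000001CEDE000-memory.dmp
memory/3044-17-0x00007FF8D75C0000-0x00007FF8D7FAC000-memory.dmp
memory/3044-18-0x000000001BB20000-0x000000001BB30000-memory.dmp
"""


def parse_dumps(text: str) -> list[dict]:
    """One dict per dump name: pid, dump sequence number, start, end, size."""
    regions = []
    for m in DUMP_RE.finditer(text):
        start, end = int(m[3], 16), int(m[4], 16)
        regions.append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "end": end, "size": end - start})
    return regions


def regions_by_pid(regions: list[dict]) -> dict[int, Counter]:
    """Distinct (start, end) ranges per PID, each with how many times it was dumped."""
    out: dict[int, Counter] = defaultdict(Counter)
    for r in regions:
        out[r["pid"]][(r["start"], r["end"])] += 1
    return dict(out)


def shared_ranges(regions: list[dict]) -> dict[tuple[int, int], list[int]]:
    """Ranges dumped from more than one PID: (start, end) -> sorted PIDs."""
    pids: dict[tuple[int, int], set[int]] = defaultdict(set)
    for r in regions:
        pids[(r["start"], r["end"])].add(r["pid"])
    return {rng: sorted(p) for rng, p in pids.items() if len(p) > 1}


def summarize(text: str) -> dict:
    """PIDs seen, distinct regions per PID, and shared ranges with their sizes."""
    regions = parse_dumps(text)
    per_pid = regions_by_pid(regions)
    return {
        "pids": sorted(per_pid),
        "distinct_regions": {pid: len(ranges) for pid, ranges in per_pid.items()},
        "shared": {f"{s:#018x}-{e:#018x} ({e - s:#x} bytes)": p for (s, e), p in shared_ranges(regions).items()},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

For behavioral1 this gives PIDs 168 and 3044, three distinct regions for 168 and six for 3044, and one range present in both processes: 0x00007FF8D75C0000-0x00007FF8D7FAC000, 0x9EC000 bytes, dumped twice from each PID. A 64-bit image appearing at the same high address in two processes is what a system DLL looks like under Windows ASLR, which picks a DLL's base once per boot rather than per process; the report does not name the module, so the example reports only the recurrence.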