Malware Analysis Report

2024-10-23 21:29

Sample ID 240407-wd133aab7w
Target Client-built.exe
SHA256 d57cd430c390790a495769b537242d522c25dbec4b01acf7f47b992882c37bfa
Tags quasar office04 spyware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 d57cd430c390790a495769b537242d522c25dbec4b01acf7f47b992882c37bfa

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar family

Quasar RAT

Quasar payload

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 17:49

Signatures

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 17:49
Reported: 2024-04-07 17:50
Platform: win7-20240221-en
Max time kernel: 79s
Max time network: 84s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 2.tcp.eu.ngrok.io | N/A | N/A
N/A | 2.tcp.eu.ngrok.io | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp

Files

memory/2176-0-0x00000000013B0000-0x00000000016D4000-memory.dmp

memory/2176-1-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

memory/2176-2-0x000000001B310000-0x000000001B390000-memory.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 145193333e64b74823c421d26f035480
SHA1 f9919b3e81793fc5ccfb48dff30606c08523361c
SHA256 d57cd430c390790a495769b537242d522c25dbec4b01acf7f47b992882c37bfa
SHA512 353b4e0f96f95b0ba553aaecb4b27e53c6d9fe9625547e2d614820aecd4a5103fb1b7a42d0e4eac055404c384e00ee7d046167f86f6743c374a2a9f5813aaf0a

memory/2612-7-0x0000000000870000-0x0000000000B94000-memory.dmp

memory/2176-8-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

memory/2612-9-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

memory/2612-10-0x000000001AF20000-0x000000001AFA0000-memory.dmp

memory/2612-11-0x000007FEF57A0000-0x000007FEF618C000-memory.dmp

memory/2612-12-0x000000001AF20000-0x000000001AFA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 17:49
Reported: 2024-04-07 17:49
Platform: win10v2004-20240226-en
Max time kernel: 37s
Max time network: 38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\SubDir\Client.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 2.tcp.eu.ngrok.io | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
File opened for modification | C:\Windows\system32\SubDir\Client.exe | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "54" | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client-built.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\SubDir\Client.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\shutdown.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\SubDir\Client.exe | N/A
N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\SubDir\Client.exe

"C:\Windows\system32\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Windows\system32\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39bd055 /state1:0x41c64e6d

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.tcp.eu.ngrok.io | udp
DE | 3.127.138.57:16096 | 2.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | ipwho.is | udp
DE | 195.201.57.90:443 | ipwho.is | tcp
US | 8.8.8.8:53 | 57.138.127.3.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
NL | 52.142.223.178:80 | | tcp
US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp

Files

memory/2656-0-0x0000000000690000-0x00000000009B4000-memory.dmp

memory/2656-1-0x00007FFB77430000-0x00007FFB77EF1000-memory.dmp

memory/2656-2-0x0000000001200000-0x0000000001210000-memory.dmp

C:\Windows\System32\SubDir\Client.exe

MD5 145193333e64b74823c421d26f035480
SHA1 f9919b3e81793fc5ccfb48dff30606c08523361c
SHA256 d57cd430c390790a495769b537242d522c25dbec4b01acf7f47b992882c37bfa
SHA512 353b4e0f96f95b0ba553aaecb4b27e53c6d9fe9625547e2d614820aecd4a5103fb1b7a42d0e4eac055404c384e00ee7d046167f86f6743c374a2a9f5813aaf0a

memory/3752-9-0x00007FFB77430000-0x00007FFB77EF1000-memory.dmp

memory/2656-8-0x00007FFB77430000-0x00007FFB77EF1000-memory.dmp

memory/3752-10-0x000000001B180000-0x000000001B190000-memory.dmp

memory/3752-11-0x000000001AFA0000-0x000000001AFF0000-memory.dmp

memory/3752-12-0x000000001B940000-0x000000001B9F2000-memory.dmp

memory/3752-15-0x000000001B130000-0x000000001B142000-memory.dmp

memory/3752-16-0x000000001B8C0000-0x000000001B8FC000-memory.dmp

memory/3752-17-0x00007FFB77430000-0x00007FFB77EF1000-memory.dmp

memory/3752-19-0x000000001B180000-0x000000001B190000-memory.dmp

memory/3752-18-0x000000001B180000-0x000000001B190000-memory.dmp

memory/3752-20-0x000000001B180000-0x000000001B190000-memory.dmp

memory/3752-22-0x00007FFB77430000-0x00007FFB77EF1000-memory.dmp