Malware Analysis Report

2024-10-23 21:28

Sample ID: 240412-cdlhtsca33
Target: d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833
SHA256: d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833
Tags: quasar office04 spyware trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833

Threat Level: Known bad

The file d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833 was found to be: Known bad.

Malicious Activity Summary

quasar office04 spyware trojan

Quasar payload

Detects Windows executables referencing non-Windows User-Agents

Detects executables containing common artifacts observed in infostealers

Quasar family

Quasar RAT

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-12 01:57

Signatures

Detects Windows executables referencing non-Windows User-Agents

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects executables containing common artifacts observed in infostealers

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Quasar family

quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-12 01:57
Reported: 2024-04-12 02:00
Platform: win10v2004-20240226-en
Max time kernel: 143s
Max time network: 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects Windows executables referencing non-Windows User-Agents

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects executables containing common artifacts observed in infostealers

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | 0.tcp.eu.ngrok.io | N/A | N/A
N/A | 0.tcp.eu.ngrok.io | N/A | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4168 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4168 wrote to memory of 1760 | N/A | C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 4168 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4168 wrote to memory of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 216 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 216 wrote to memory of 4964 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 216 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 216 wrote to memory of 1932 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 1932 wrote to memory of 1200 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1932 wrote to memory of 1200 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 1932 wrote to memory of 436 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1932 wrote to memory of 436 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1932 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1932 wrote to memory of 2656 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2656 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 2656 wrote to memory of 4884 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 2656 wrote to memory of 3444 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2656 wrote to memory of 3444 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 3864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3444 wrote to memory of 3864 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3444 wrote to memory of 1972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3444 wrote to memory of 1972 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3444 wrote to memory of 2040 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3444 wrote to memory of 2040 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 2040 wrote to memory of 3388 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 2040 wrote to memory of 3388 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 2040 wrote to memory of 3376 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 2040 wrote to memory of 3376 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 3376 wrote to memory of 988 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3376 wrote to memory of 988 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 3376 wrote to memory of 4524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3376 wrote to memory of 4524 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 3376 wrote to memory of 3116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3376 wrote to memory of 3116 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3116 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3116 wrote to memory of 3836 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3116 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 3116 wrote to memory of 4880 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\system32\cmd.exe
PID 4880 wrote to memory of 4652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4880 wrote to memory of 4652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\chcp.com
PID 4880 wrote to memory of 3372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4880 wrote to memory of 3372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\PING.EXE
PID 4880 wrote to memory of 3920 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4880 wrote to memory of 3920 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 3920 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe
PID 3920 wrote to memory of 3192 | N/A | C:\Users\Admin\AppData\Roaming\SubDir\Client.exe | C:\Windows\SYSTEM32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe

"C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\P29wcDMzS7DL.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cMD3IV4Ps0W2.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hRX0ROMF8Zwb.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ujlL4gxfCVPw.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

Country | Destination | Domain | Proto
N/A | 10.10.8.36:4782 | | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp
DE | 3.125.223.134:19992 | 0.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
N/A | 10.10.8.36:4782 | | tcp
DE | 3.125.223.134:19992 | 0.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
N/A | 10.10.8.36:4782 | | tcp
US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp
DE | 3.125.209.94:19992 | 0.tcp.eu.ngrok.io | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
N/A | 10.10.8.36:4782 | | tcp
DE | 3.125.209.94:19992 | 0.tcp.eu.ngrok.io | tcp
N/A | 10.10.8.36:4782 | | tcp

Files

memory/4168-0-0x00000000008C0000-0x0000000000BE4000-memory.dmp

memory/4168-1-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

memory/4168-2-0x000000001B8A0000-0x000000001B8B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 3396e77d0d043554c7f857a1249c75fe
SHA1 d3de2678e85f4ad63e5254782a58a85035aafecc
SHA256 d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833
SHA512 3128c03a0465d03127cf6df186533993e2337dce8ca821d8dbcaecd08c7ff7a6d2646de150b7afbe20641e4eb08104342813dfd2fe50346c8b47d40deedc67a4

memory/216-10-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

memory/4168-9-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

memory/216-11-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

memory/216-12-0x000000001DEC0000-0x000000001DF10000-memory.dmp

memory/216-13-0x000000001DFD0000-0x000000001E082000-memory.dmp

memory/216-14-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

memory/216-19-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\P29wcDMzS7DL.bat

MD5 0314432a628bbd8d833674f5526dc427
SHA1 c2ce0b0d4b6cdeb35cededbfbe73d873a774403e
SHA256 4125434c5b7fd433c387025ac3ca85bcedd32b587895013aae8dc8cf8f68048d
SHA512 142a47003c1580631785b6e00da0230beb0db0dd6202b062b6edfa3cf10b6b79c9782cb144c402c211726ba627b89bc5468a05ee3e45384e8ae5710ab930e224

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

MD5 8f0271a63446aef01cf2bfc7b7c7976b
SHA1 b70dad968e1dda14b55ad361b7fd4ef9ab6c06d7
SHA256 da740d78ae00b72cb3710d1a1256dc6431550965d20afaa65e5d5860a4748e8c
SHA512 78a403c69f1284b7dd41527019f3eede3512a5e4d439d846eca83557b741ca37bcf56c412f3e577b9dd4cfa5a6d6210961215f14cb271b143f6eb94f69389cf5

memory/2656-23-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

memory/2656-24-0x000000001BB00000-0x000000001BB10000-memory.dmp

memory/2656-25-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

memory/2656-26-0x000000001BB00000-0x000000001BB10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cMD3IV4Ps0W2.bat

MD5 e5d018107b44b3197157b04916915391
SHA1 33da08313fe9221e24eb812c6b5ed7dfa5f4ff5b
SHA256 b09c96eaadcf20ce9590d403e9e63c753e4007e24df6bd843c58723e41bd9cd4
SHA512 ee4af0dbe6c60933bfe84737f9361e9a7c5635f36f2a07e340afc39aa500ecf36554569de2d20073a7709d95cd4686d595ecdb7859eb8332a0aff04cd47cf173

memory/2656-31-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

memory/2040-33-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

memory/2040-34-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

memory/2040-38-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hRX0ROMF8Zwb.bat

MD5 1c085d0b55fc1f77f875141850a73123
SHA1 3f6ed98606ebae3dd5ce0d9de8fbd76a5f8a2826
SHA256 9d2f5f0791a6f05cee240a6ed1b4e24ccb051256eea9911c6552452142bb4f82
SHA512 2e7f0430b55cb9e650c2b1fba5eb8945a38987557cdc5adf139b00bbe9e3081e5931181110bf6d15b61c5a46aabc4c1f11e4aacd75b7b5a163510618f3f67d6d

memory/3116-41-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

memory/3116-42-0x0000000001100000-0x0000000001110000-memory.dmp

memory/3116-43-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

memory/3116-44-0x0000000001100000-0x0000000001110000-memory.dmp

memory/3116-48-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ujlL4gxfCVPw.bat

MD5 0704a04d52602dd7ed66fde1ea8fda8b
SHA1 e67d0339c75e3d774bcdc8403236e980e25e326c
SHA256 223335bb67662945fecd70de2ccf2061a723e51e5a2aab0e270e114716dcf55a
SHA512 e192188a05a8caf69eef810a9c2c53bf7272289a083aaa65191e93557e5d52b2f6503abf7b2599f7db47cb947f6c47b820dab4322b35dc8f74cbf95f3268789c

memory/3920-51-0x00007FFF986A0000-0x00007FFF99161000-memory.dmp

memory/3920-52-0x0000000002D20000-0x0000000002D30000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-12 01:57
Reported: 2024-04-12 02:00
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects Windows executables referencing non-Windows User-Agents

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detects executables containing common artifacts observed in infostealers

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe

"C:\Users\Admin\AppData\Local\Temp\d543c38fb2f5f8e687d97cff1878a2e4e4ada846c3fb3df5e43e6f189da29833.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "Platonus" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

Network

N/A

Files

memory/1936-0-0x00000000001A0000-0x00000000004C4000-memory.dmp

memory/1936-1-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

memory/1936-2-0x0000000002430000-0x00000000024B0000-memory.dmp

memory/1936-4-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp

memory/1936-5-0x0000000002430000-0x00000000024B0000-memory.dmp