Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-04-2024 03:28
Behavioral task: behavioral1
Sample: HEUR-Trojan.MSIL.Quasar.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: HEUR-Trojan.MSIL.Quasar.exe
Resource: win10v2004-20240412-en
General
Target: HEUR-Trojan.MSIL.Quasar.exe
Size: 3.4MB
MD5: a585d666df5ca83eabcd06a4f0364523
SHA1: 4f5d8d09aaaf33efda276c3f7ab9883eda146da6
SHA256: 788c859458ab91850978e27a2591b564e5e3200eede844362bf465944db9d92c
SHA512: 4cd1aa6c0c15264cf00feed59552e6bd1ce663af54d5fe27ac193d8af77abd23522938166ec0318482dbee6c78a6cc97f1e75a1ea148390da7c2aee6a3bca544
SSDEEP: 49152:qvFt62XlaSFNWPjljiFa2RoUYIe5UU88DoGdWTHHB72eh2NTF:qv362XlaSFNWPjljiFXRoUYIIUU8E9
Malware Config
Extracted:
- quasar
- 1.4.1
- Office04
- 85.219.48.223:6969
- dd7993dd-3ead-48cf-ab1a-635718753276
- encryption_key: DC9E2A3C163F32C37AC47FC14DF7F94F33786801
- install_name: Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: :)
- subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/2040-0-0x0000000000FA0000-0x0000000001306000-memory.dmp / family_quasar
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe / family_quasar

Detects Windows executables referencing non-Windows User-Agents (2 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/2040-0-0x0000000000FA0000-0x0000000001306000-memory.dmp / INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe / INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (2 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/2040-0-0x0000000000FA0000-0x0000000001306000-memory.dmp / INDICATOR_SUSPICIOUS_Binary_References_Browsers
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe / INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing common artifacts observed in infostealers (2 IoCs)
Processes (resource / yara_rule):
- behavioral2/memory/2040-0-0x0000000000FA0000-0x0000000001306000-memory.dmp / INDICATOR_SUSPICIOUS_GENInfoStealer
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe / INDICATOR_SUSPICIOUS_GENInfoStealer

Executes dropped EXE (1 IoCs)
Processes (pid / process):
- 2796 / Client.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Set value (str) / \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:) = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" / Client.exe
- Set value (str) / \REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:) = "\"C:\\Users\\Admin\\AppData\\Roaming\\SubDir\\Client.exe\"" / HEUR-Trojan.MSIL.Quasar.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid / process):
- 4780 / schtasks.exe
- 4196 / schtasks.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 2040 / HEUR-Trojan.MSIL.Quasar.exe
- Token: SeDebugPrivilege / 2796 / Client.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes (pid / process):
- 2796 / Client.exe

Suspicious use of SendNotifyMessage (1 IoCs)
Processes (pid / process):
- 2796 / Client.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description / pid / process / target process):
- PID 2040 wrote to memory of 4780 / 2040 / HEUR-Trojan.MSIL.Quasar.exe / schtasks.exe
- PID 2040 wrote to memory of 4780 / 2040 / HEUR-Trojan.MSIL.Quasar.exe / schtasks.exe
- PID 2040 wrote to memory of 2796 / 2040 / HEUR-Trojan.MSIL.Quasar.exe / Client.exe
- PID 2040 wrote to memory of 2796 / 2040 / HEUR-Trojan.MSIL.Quasar.exe / Client.exe
- PID 2796 wrote to memory of 4196 / 2796 / Client.exe / schtasks.exe
- PID 2796 wrote to memory of 4196 / 2796 / Client.exe / schtasks.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Quasar.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.MSIL.Quasar.exe"
  PID: 2040
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\schtasks.exe
    Command line: "schtasks" /create /tn ":)" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    PID: 4780
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    PID: 2796
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe
      Command line: "schtasks" /create /tn ":)" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      PID: 4196
      - Creates scheduled task(s)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.4MB
  MD5: a585d666df5ca83eabcd06a4f0364523
  SHA1: 4f5d8d09aaaf33efda276c3f7ab9883eda146da6
  SHA256: 788c859458ab91850978e27a2591b564e5e3200eede844362bf465944db9d92c
  SHA512: 4cd1aa6c0c15264cf00feed59552e6bd1ce663af54d5fe27ac193d8af77abd23522938166ec0318482dbee6c78a6cc97f1e75a1ea148390da7c2aee6a3bca544