quasar | 651ed1a03871a47dcf548e56fe4cefb8862a89a27f01f2e377bd68dfe1ca531f

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18-04-2024 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hello.exe
Size

3.1MB
MD5

b92b7e16f21a97fbe21c4c45deb00587
SHA1

e4af65acfac45c31dceacdf9a2e1d18cde2537c2
SHA256

651ed1a03871a47dcf548e56fe4cefb8862a89a27f01f2e377bd68dfe1ca531f
SHA512

7c5813bf73ee7deca78774861b2632d4a0fb7b3b62996cc54ae0b16baa62a0f360f31fa810b73c5fc922321b6ce0807e69bc02e35f98d7f350086283f8836931
SSDEEP

49152:zvOlL26AaNeWgPhlmVqvMQ7XSK8Hzh7mzBSoGdtkTHHB72eh2NT:zv+L26AaNeWgPhlmVqkQ7XSK2zhv

Score

10^/10

quasar test spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Test

47.134.26.200:4782

193.161.193.99:23325

Mutex

9cabbafb-503b-49f1-ab22-adc756455c10

Attributes

encryption_key
8B93C77AC1C58EA80A3327E9FD26246A79EF3B8E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
MS Build Tools
subdirectory
Microsoft-Build-Tools

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/memory/3020-0-0x0000000000E40000-0x0000000001164000-memory.dmp	family_quasar
behavioral1/files/0x002a000000016453-5.dat	family_quasar
behavioral1/memory/2956-7-0x0000000000910000-0x0000000000C34000-memory.dmp	family_quasar

Executes dropped EXE 1 IoCs

pid	Process
2956	Client.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2672	schtasks.exe
2552	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	hello.exe
Token: SeDebugPrivilege	2956	Client.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2672	3020	hello.exe	28
PID 3020 wrote to memory of 2672	3020	hello.exe	28
PID 3020 wrote to memory of 2672	3020	hello.exe	28
PID 3020 wrote to memory of 2956	3020	hello.exe	30
PID 3020 wrote to memory of 2956	3020	hello.exe	30
PID 3020 wrote to memory of 2956	3020	hello.exe	30
PID 2956 wrote to memory of 2552	2956	Client.exe	31
PID 2956 wrote to memory of 2552	2956	Client.exe	31
PID 2956 wrote to memory of 2552	2956	Client.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\hello.exe
"C:\Users\Admin\AppData\Local\Temp\hello.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\system32\schtasks.exe
  "schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:2672
- C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "MS Build Tools" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft-Build-Tools\Client.exe

Filesize
3.1MB

MD5
b92b7e16f21a97fbe21c4c45deb00587

SHA1
e4af65acfac45c31dceacdf9a2e1d18cde2537c2

SHA256
651ed1a03871a47dcf548e56fe4cefb8862a89a27f01f2e377bd68dfe1ca531f

SHA512
7c5813bf73ee7deca78774861b2632d4a0fb7b3b62996cc54ae0b16baa62a0f360f31fa810b73c5fc922321b6ce0807e69bc02e35f98d7f350086283f8836931

Download Submit
memory/2956-7-0x0000000000910000-0x0000000000C34000-memory.dmp

Filesize
3.1MB

Download
memory/2956-9-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-10-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/2956-11-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/2956-12-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download
memory/3020-0-0x0000000000E40000-0x0000000001164000-memory.dmp

Filesize
3.1MB

Download
memory/3020-1-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download
memory/3020-2-0x000000001B240000-0x000000001B2C0000-memory.dmp

Filesize
512KB

Download
memory/3020-8-0x000007FEF5790000-0x000007FEF617C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads