quasar | ddea59e0fb05fcb26243ecca3be6f8e3bac329ef32b774a66420439d609c3e52

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chaos_V3_2/Chaos_V3 (2)/Chaos V3/Chaos Launcher V3.exe
Size

37.8MB
MD5

719fd2b752f99f9ad1da3e2f439ec717
SHA1

900a578b55324712b3fc2edc8b44c6f336932849
SHA256

a12504ad741383782b4e0ef4cc808903195484080f5770966aceb1d117b09697
SHA512

b1822f059810e50a072fcd871e81b2c5d83eaf343f7322384ad34013bed3f4d6a98ed6d37c1840dfc03a925eb334981911b86de534903a941346fcac3b820601
SSDEEP

786432:SulzfQX0ZlAime/FtbB9lNdnl8/A539IyPA:bQXknme/FhB9PtgA539IyPA

Score

10^/10

quasar office04 pyinstaller spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

192.168.0.78:4782

Mutex

4616ad00-4709-44bd-a2b4-9a61d621574d

Attributes

encryption_key
DDE23047BCC4F649ACA444E89F2DBB5D52A3004D
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral3/files/0x000500000001c83f-132.dat	family_quasar
behavioral3/memory/2644-170-0x00000000002A0000-0x00000000005C4000-memory.dmp	family_quasar
behavioral3/memory/692-289-0x00000000010E0000-0x0000000001404000-memory.dmp	family_quasar

Executes dropped EXE 8 IoCs

pid	Process
1636	Chaos Launcher V3.exe
2920	Loader.exe
832	Loader.exe
1464	main.exe
2644	ChaosUPD.exe
1352	main.exe
1200	Process not Found
692	Client.exe

Loads dropped DLL 8 IoCs

pid	Process
2776	Chaos Launcher V3.exe
2776	Chaos Launcher V3.exe
2920	Loader.exe
832	Loader.exe
1464	main.exe
1352	main.exe
1200	Process not Found
1200	Process not Found

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x000500000001a459-126.dat	upx
behavioral3/memory/832-140-0x000007FEF2860000-0x000007FEF2CCE000-memory.dmp	upx
behavioral3/files/0x000400000001cc33-275.dat	upx
behavioral3/memory/1352-278-0x000007FEEDDA0000-0x000007FEEE20E000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral3/files/0x0009000000015c23-12.dat	pyinstaller
behavioral3/files/0x000500000001a453-96.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2880	schtasks.exe
1588	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2832	powershell.exe
2680	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	Chaos Launcher V3.exe
Token: SeDebugPrivilege	2644	ChaosUPD.exe
Token: SeDebugPrivilege	692	Client.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	1636	Chaos Launcher V3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
692	Client.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
692	Client.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
692	Client.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 1636	2776	Chaos Launcher V3.exe	28
PID 2776 wrote to memory of 1636	2776	Chaos Launcher V3.exe	28
PID 2776 wrote to memory of 1636	2776	Chaos Launcher V3.exe	28
PID 2776 wrote to memory of 2920	2776	Chaos Launcher V3.exe	29
PID 2776 wrote to memory of 2920	2776	Chaos Launcher V3.exe	29
PID 2776 wrote to memory of 2920	2776	Chaos Launcher V3.exe	29
PID 2920 wrote to memory of 832	2920	Loader.exe	31
PID 2920 wrote to memory of 832	2920	Loader.exe	31
PID 2920 wrote to memory of 832	2920	Loader.exe	31
PID 2776 wrote to memory of 1464	2776	Chaos Launcher V3.exe	30
PID 2776 wrote to memory of 1464	2776	Chaos Launcher V3.exe	30
PID 2776 wrote to memory of 1464	2776	Chaos Launcher V3.exe	30
PID 2776 wrote to memory of 2644	2776	Chaos Launcher V3.exe	32
PID 2776 wrote to memory of 2644	2776	Chaos Launcher V3.exe	32
PID 2776 wrote to memory of 2644	2776	Chaos Launcher V3.exe	32
PID 1464 wrote to memory of 1352	1464	main.exe	33
PID 1464 wrote to memory of 1352	1464	main.exe	33
PID 1464 wrote to memory of 1352	1464	main.exe	33
PID 2644 wrote to memory of 2880	2644	ChaosUPD.exe	35
PID 2644 wrote to memory of 2880	2644	ChaosUPD.exe	35
PID 2644 wrote to memory of 2880	2644	ChaosUPD.exe	35
PID 2644 wrote to memory of 692	2644	ChaosUPD.exe	37
PID 2644 wrote to memory of 692	2644	ChaosUPD.exe	37
PID 2644 wrote to memory of 692	2644	ChaosUPD.exe	37
PID 1636 wrote to memory of 2832	1636	Chaos Launcher V3.exe	38
PID 1636 wrote to memory of 2832	1636	Chaos Launcher V3.exe	38
PID 1636 wrote to memory of 2832	1636	Chaos Launcher V3.exe	38
PID 692 wrote to memory of 1588	692	Client.exe	40
PID 692 wrote to memory of 1588	692	Client.exe	40
PID 692 wrote to memory of 1588	692	Client.exe	40
PID 1636 wrote to memory of 2680	1636	Chaos Launcher V3.exe	42
PID 1636 wrote to memory of 2680	1636	Chaos Launcher V3.exe	42
PID 1636 wrote to memory of 2680	1636	Chaos Launcher V3.exe	42

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Chaos_V3_2\Chaos_V3 (2)\Chaos V3\Chaos Launcher V3.exe
"C:\Users\Admin\AppData\Local\Temp\Chaos_V3_2\Chaos_V3 (2)\Chaos V3\Chaos Launcher V3.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe
  "C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Chaos Launcher V3.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2680
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:832
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\main.exe
    "C:\Users\Admin\AppData\Local\Temp\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1352
- C:\Users\Admin\AppData\Local\Temp\ChaosUPD.exe
  "C:\Users\Admin\AppData\Local\Temp\ChaosUPD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\system32\schtasks.exe
    "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:2880
- - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
    "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\system32\schtasks.exe
      "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
      4⤵
      Creates scheduled task(s)
      PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Chaos Launcher V3.exe

Filesize
265KB

MD5
5cc694e159b34a66c68512e333772427

SHA1
56a1167290c880b7c581e4ffe904865d443dd6b3

SHA256
1eaa491f5252f5e36c3e6f4955e42ce738f2ac11ab476efb4b9cbbf62982740e

SHA512
efe956122aa35c481422c3b0d33afa3ca5e6faecb5aa7e771320070d43c07fed141038754ca025ed703c066f8a5782330b82b263bca2afaa0f549c444a1ab87d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ChaosUPD.exe

Filesize
3.1MB

MD5
cf19f3097c3605dcb9fe14283b318622

SHA1
2300f90815b44685ea480622cdce31b82c0d429e

SHA256
b7438077689006b12262914245e04bc67e7c4cbacda3aa99f100a894d33fd43a

SHA512
12a9c62e0bf5ebeaa1f104979cf1a3477b4e0b455ff2cf413cdc43589f91c3bcccc1a3b54cd7cf463ff9aff481a870425c7b2e3738be27187a7cb71b38f0ef69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14642\attrs-23.1.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14642\python310.dll

Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29202\python310.dll

Filesize
1.4MB

MD5
bbcb74867bd3f8a691b1f0a394336908

SHA1
aea4b231b9f09bedcd5ce02e1962911edd4b35ad

SHA256
800b5e9a08c3a0f95a2c6f4a3355df8bbbc416e716f95bd6d42b6f0d6fb92f41

SHA512
00745ddd468504b3652bdda757d42ebe756e419d6432ceb029ed3ccde3b99c8ae21b4fc004938bb0babaa169768db385374b29ac121608c5630047e55c40f481

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ed9165339304a4f8aad66c8d940a4ac4

SHA1
4cf4b6177d91a53829fe94818cecf4f790ed1477

SHA256
777a174053f7845104e5ca94c7b2a8a6aaa878fa0b3210bc4cd43877f51f24eb

SHA512
a7b15332330a6a62c042293b508bdaeef2c22287de9e40ae99013690d347931f11b180065975fcab02a1aff493eee02646728e76c4d46755566458d790d80c07

Download Submit
\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
16.1MB

MD5
137c2a6610b55f77004ff0bb52bb12e2

SHA1
202e8bce20e5b2b0341f5cc2c8767881717b7022

SHA256
0cb19bda3eafb8edae3d7902e8af0bf2a7896c225669c338565423f63558d841

SHA512
75fa9eb00ba2f8d49c606e9d508c0ec5e6d372edc31d56736a0a60e24454643e16709f0da915f066aaf42ea6d78163ff923ff5449d3e7549f44b7cf8dc1a83df

Download Submit
\Users\Admin\AppData\Local\Temp\main.exe

Filesize
20.7MB

MD5
c6d3097d7f4377fdb93ed93e8453bb5c

SHA1
da30212e78d079ded3d68711ef8e1367958406c1

SHA256
ef5a50b9159ab00cee86e16962495beaf7f0c60f5464e8b7786abc5edeec3b2e

SHA512
903dc8441e1373862a24a7f55ceeb2b7d1ea71b098fff07e2b51218dbabae743cc71f1865fccdac49668ac913e384196476b4c294b8d267b33fd05f98caad604

Download Submit
memory/692-453-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/692-290-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/692-289-0x00000000010E0000-0x0000000001404000-memory.dmp

Filesize
3.1MB

Download
memory/692-287-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/692-557-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/832-140-0x000007FEF2860000-0x000007FEF2CCE000-memory.dmp

Filesize
4.4MB

Download
memory/1352-278-0x000007FEEDDA0000-0x000007FEEE20E000-memory.dmp

Filesize
4.4MB

Download
memory/1636-8-0x0000000000390000-0x00000000003DC000-memory.dmp

Filesize
304KB

Download
memory/1636-279-0x000000001AEE0000-0x000000001AF60000-memory.dmp

Filesize
512KB

Download
memory/1636-314-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/1636-9-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-276-0x000000001B120000-0x000000001B1A0000-memory.dmp

Filesize
512KB

Download
memory/2644-172-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-288-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-170-0x00000000002A0000-0x00000000005C4000-memory.dmp

Filesize
3.1MB

Download
memory/2680-308-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2680-315-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2680-319-0x000007FEED100000-0x000007FEEDA9D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-317-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2680-316-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2680-313-0x000007FEED100000-0x000007FEEDA9D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-311-0x0000000002680000-0x0000000002700000-memory.dmp

Filesize
512KB

Download
memory/2680-310-0x000007FEED100000-0x000007FEEDA9D000-memory.dmp

Filesize
9.6MB

Download
memory/2680-309-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2776-0-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-173-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-2-0x0000000002A40000-0x0000000002AC0000-memory.dmp

Filesize
512KB

Download
memory/2776-1-0x0000000000340000-0x0000000002914000-memory.dmp

Filesize
37.8MB

Download
memory/2832-295-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2832-297-0x000007FEED400000-0x000007FEEDD9D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-302-0x000007FEED400000-0x000007FEEDD9D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-299-0x00000000026F4000-0x00000000026F7000-memory.dmp

Filesize
12KB

Download
memory/2832-300-0x00000000026FB000-0x0000000002762000-memory.dmp

Filesize
412KB

Download
memory/2832-296-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2832-301-0x000007FEED400000-0x000007FEEDD9D000-memory.dmp

Filesize
9.6MB

Download
memory/2832-298-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download