quasar | 8904d96a473dd52cd5255e046d47148eb27cc778395fff4f220bbb9509f643d8

Analysis

max time kernel
364s
max time network
364s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IDTOIPBYR_0.exe
Size

413KB
MD5

aabcedbac7ad8b10993f6de878be1ba4
SHA1

be8ea58edc1e83ebf33fe0e87a29916e9c554426
SHA256

4466cd4392c0fa3c49979664630db1b607e129c858fd44507cf5fc6b5b9dd3ba
SHA512

5a2bb094997699335a149ca353dc5e98e66482aa9dadc52502068337760bbd65bd648b3935777f4424e9811705657bcd2eb38254d731d892256d578c1f1eaf66
SSDEEP

6144:2gmEjkzQT1TVNSeE7E11zVeusnib8YoVHR8z0n7kgpMRqZGe:T1TVVXEo13eusHnVH9pMRWGe

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

Office04

147.185.221.19:33587

Mutex

$Sxr-lG7PreqFKmNhJc0CKS

Attributes

encryption_key
11fnZjAdVB1EIQVhl7wn
install_name
DLLrunhost.exe
log_directory
UpdLogs
reconnect_delay
3000
startup_key
WindowsAudioHelper
subdirectory
Windows

Signatures

Quasar RAT 3 IoCs
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Processes:

schtasks.exe

flow ioc

2 ip-api.com
4 ip-api.com
2688 schtasks.exe

flow	ioc
2	ip-api.com
4	ip-api.com
2688	schtasks.exe

Quasar payload 3 IoCs

Processes:

resource	yara_rule
behavioral9/memory/2288-0-0x0000000000D10000-0x0000000000D7E000-memory.dmp	family_quasar
\Users\Admin\AppData\Roaming\Windows\DLLrunhost.exe	family_quasar
behavioral9/memory/2540-10-0x0000000000AC0000-0x0000000000B2E000-memory.dmp	family_quasar

Drops file in Drivers directory 2 IoCs

Processes:

DLLrunhost.exeIDTOIPBYR_0.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	DLLrunhost.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	IDTOIPBYR_0.exe

Executes dropped EXE 1 IoCs

Processes:

DLLrunhost.exe

pid process

2540 DLLrunhost.exe
Loads dropped DLL 1 IoCs

Processes:

IDTOIPBYR_0.exe

pid process

2288 IDTOIPBYR_0.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
2 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeSCHTASKS.exeschtasks.exeSCHTASKS.exe

pid process

2688 schtasks.exe
2408 SCHTASKS.exe
2620 schtasks.exe
1564 SCHTASKS.exe
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

2420 ipconfig.exe
2444 ipconfig.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1520 PING.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2692 powershell.exe
1616 powershell.exe

pid	process
2540	DLLrunhost.exe

pid	process
2288	IDTOIPBYR_0.exe

flow	ioc
4	ip-api.com
2	ip-api.com

pid	process
2688	schtasks.exe
2408	SCHTASKS.exe
2620	schtasks.exe
1564	SCHTASKS.exe

pid	process
2420	ipconfig.exe
2444	ipconfig.exe

pid	process
1520	PING.EXE

pid	process
2692	powershell.exe
1616	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

IDTOIPBYR_0.exepowershell.exeDLLrunhost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2288	IDTOIPBYR_0.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2540	DLLrunhost.exe
Token: SeDebugPrivilege	1616	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

DLLrunhost.exe

pid process

2540 DLLrunhost.exe

pid	process
2540	DLLrunhost.exe

Suspicious use of WriteProcessMemory 55 IoCs

Processes:

IDTOIPBYR_0.exeDLLrunhost.execmd.exe

description	pid	process	target process
PID 2288 wrote to memory of 2688	2288	IDTOIPBYR_0.exe	schtasks.exe
PID 2288 wrote to memory of 2688	2288	IDTOIPBYR_0.exe	schtasks.exe
PID 2288 wrote to memory of 2688	2288	IDTOIPBYR_0.exe	schtasks.exe
PID 2288 wrote to memory of 2688	2288	IDTOIPBYR_0.exe	schtasks.exe
PID 2288 wrote to memory of 2540	2288	IDTOIPBYR_0.exe	DLLrunhost.exe
PID 2288 wrote to memory of 2540	2288	IDTOIPBYR_0.exe	DLLrunhost.exe
PID 2288 wrote to memory of 2540	2288	IDTOIPBYR_0.exe	DLLrunhost.exe
PID 2288 wrote to memory of 2540	2288	IDTOIPBYR_0.exe	DLLrunhost.exe
PID 2288 wrote to memory of 2540	2288	IDTOIPBYR_0.exe	DLLrunhost.exe
PID 2288 wrote to memory of 2540	2288	IDTOIPBYR_0.exe	DLLrunhost.exe
PID 2288 wrote to memory of 2540	2288	IDTOIPBYR_0.exe	DLLrunhost.exe
PID 2288 wrote to memory of 2692	2288	IDTOIPBYR_0.exe	powershell.exe
PID 2288 wrote to memory of 2692	2288	IDTOIPBYR_0.exe	powershell.exe
PID 2288 wrote to memory of 2692	2288	IDTOIPBYR_0.exe	powershell.exe
PID 2288 wrote to memory of 2692	2288	IDTOIPBYR_0.exe	powershell.exe
PID 2288 wrote to memory of 2420	2288	IDTOIPBYR_0.exe	ipconfig.exe
PID 2288 wrote to memory of 2420	2288	IDTOIPBYR_0.exe	ipconfig.exe
PID 2288 wrote to memory of 2420	2288	IDTOIPBYR_0.exe	ipconfig.exe
PID 2288 wrote to memory of 2420	2288	IDTOIPBYR_0.exe	ipconfig.exe
PID 2288 wrote to memory of 2408	2288	IDTOIPBYR_0.exe	SCHTASKS.exe
PID 2288 wrote to memory of 2408	2288	IDTOIPBYR_0.exe	SCHTASKS.exe
PID 2288 wrote to memory of 2408	2288	IDTOIPBYR_0.exe	SCHTASKS.exe
PID 2288 wrote to memory of 2408	2288	IDTOIPBYR_0.exe	SCHTASKS.exe
PID 2540 wrote to memory of 2620	2540	DLLrunhost.exe	schtasks.exe
PID 2540 wrote to memory of 2620	2540	DLLrunhost.exe	schtasks.exe
PID 2540 wrote to memory of 2620	2540	DLLrunhost.exe	schtasks.exe
PID 2540 wrote to memory of 2620	2540	DLLrunhost.exe	schtasks.exe
PID 2540 wrote to memory of 2852	2540	DLLrunhost.exe	schtasks.exe
PID 2540 wrote to memory of 2852	2540	DLLrunhost.exe	schtasks.exe
PID 2540 wrote to memory of 2852	2540	DLLrunhost.exe	schtasks.exe
PID 2540 wrote to memory of 2852	2540	DLLrunhost.exe	schtasks.exe
PID 2540 wrote to memory of 2896	2540	DLLrunhost.exe	cmd.exe
PID 2540 wrote to memory of 2896	2540	DLLrunhost.exe	cmd.exe
PID 2540 wrote to memory of 2896	2540	DLLrunhost.exe	cmd.exe
PID 2540 wrote to memory of 2896	2540	DLLrunhost.exe	cmd.exe
PID 2896 wrote to memory of 272	2896	cmd.exe	chcp.com
PID 2896 wrote to memory of 272	2896	cmd.exe	chcp.com
PID 2896 wrote to memory of 272	2896	cmd.exe	chcp.com
PID 2896 wrote to memory of 272	2896	cmd.exe	chcp.com
PID 2896 wrote to memory of 1520	2896	cmd.exe	PING.EXE
PID 2896 wrote to memory of 1520	2896	cmd.exe	PING.EXE
PID 2896 wrote to memory of 1520	2896	cmd.exe	PING.EXE
PID 2896 wrote to memory of 1520	2896	cmd.exe	PING.EXE
PID 2540 wrote to memory of 1616	2540	DLLrunhost.exe	powershell.exe
PID 2540 wrote to memory of 1616	2540	DLLrunhost.exe	powershell.exe
PID 2540 wrote to memory of 1616	2540	DLLrunhost.exe	powershell.exe
PID 2540 wrote to memory of 1616	2540	DLLrunhost.exe	powershell.exe
PID 2540 wrote to memory of 2444	2540	DLLrunhost.exe	ipconfig.exe
PID 2540 wrote to memory of 2444	2540	DLLrunhost.exe	ipconfig.exe
PID 2540 wrote to memory of 2444	2540	DLLrunhost.exe	ipconfig.exe
PID 2540 wrote to memory of 2444	2540	DLLrunhost.exe	ipconfig.exe
PID 2540 wrote to memory of 1564	2540	DLLrunhost.exe	SCHTASKS.exe
PID 2540 wrote to memory of 1564	2540	DLLrunhost.exe	SCHTASKS.exe
PID 2540 wrote to memory of 1564	2540	DLLrunhost.exe	SCHTASKS.exe
PID 2540 wrote to memory of 1564	2540	DLLrunhost.exe	SCHTASKS.exe

C:\Users\Admin\AppData\Local\Temp\IDTOIPBYR_0.exe
"C:\Users\Admin\AppData\Local\Temp\IDTOIPBYR_0.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WindowsAudioHelper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\IDTOIPBYR_0.exe" /rl HIGHEST /f
2⤵
- Quasar RAT
- Creates scheduled task(s)
PID:2688

C:\Users\Admin\AppData\Roaming\Windows\DLLrunhost.exe
"C:\Users\Admin\AppData\Roaming\Windows\DLLrunhost.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "WindowsAudioHelper" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows\DLLrunhost.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2620

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /delete /tn "WindowsAudioHelper" /f
3⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\IjzI7sCl8fnQ.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:272

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1520

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /flushdns
3⤵
- Gathers network information
PID:2444

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77DLLrunhost.exe" /tr "'C:\Users\Admin\AppData\Roaming\Windows\DLLrunhost.exe'" /sc onlogon /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath (Get-Item -LiteralPath $env:SystemRoot).Root"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\System32\ipconfig.exe" /flushdns
2⤵
- Gathers network information
PID:2420

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77IDTOIPBYR_0.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\IDTOIPBYR_0.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:2408

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Command and Scripting Interpreter

T1059

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IjzI7sCl8fnQ.bat
Filesize
270B

MD5
de940645b20fdd1dea1acafd00f60e33

SHA1
21146900e934e5d5098e7aa3078b504bd423936c

SHA256
515180f3505670007fa1f5042854ee1fd3222a7f84c009a9349f270e01a7ce46

SHA512
bd0ad3929e78663f976c57dc70837f09f3326fe5926637c8f67be808a492f26bbf1bdab781d6a7ab4a163f57386aec7f03056292cf2dd2f624ea83005f2add7c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7VKXPKJV8EHJGAJRSOB6.temp
Filesize
7KB

MD5
d3c6fc5b5f146dbead5199f6a5f2e7e3

SHA1
7e8b79d67e591d1f6ed4d8c9f7b63e8ec21e642c

SHA256
1139dd077f08ad6fafcae04e03ab89f96f4e2c95019d9ddc7002c230baaa2fb8

SHA512
2348bb7052b986c0008ade3ed1f45b43b9f7e35010f167f9e9b28de20e8a64cd762ef59c004f55813ccc82dacc0566bff4d4a8550a501426cc3cef43c9589a61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
c25dcd527c2c1b0cc9b747ef6f5f6ada

SHA1
ba622c5e485b4959bd7bb5d554358dd6c4bdc175

SHA256
061fd74a7147a449de0684c71412cac64feee020fd8028022f87f9bfc6a56d10

SHA512
d4e9fcb8c6bfcb62f4de6ff7d5e22e5b4c89e678958c150f79fd5174139d47555c6e4a2a09183959079facec9d3542c07b60223b3f5abd2817959f60f0400487

Download Submit
C:\Users\Admin\AppData\Roaming\UpdLogs\04-28-~1
Filesize
224B

MD5
751240313794c07790c6a4c80965c724

SHA1
aa47561cf7fb31c3949615801d627caf08b7501c

SHA256
7087c87e038ba9f81121e0a91f3e05e6aa108aaee7d947854e03e35a7c29bd28

SHA512
4ff31ca299ea08bc96e8614a0db92d5cfff6c7f78ec41c04e912f4c6cadccc23e49a89167b4dad0693c61b4dcdd9cd60d2bdfa490e717836331a3933fed5db8f

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
4KB

MD5
7336f9570f191c5259888d4e0c40304c

SHA1
b5993611376d6636db24e9583c16111bdfa3eb3e

SHA256
c7bb8931dd150e1251de035823b6c9ddfa84f92b868785717da62163733ff8f4

SHA512
f7ebc208d01021c4e95a619f22fdae9890cba37fabef4faf9bb5bde9816600e6bfcd7e5203043bb59e86549211ba055ae59b232c04c6376029a501f684195921

Download Submit
\Users\Admin\AppData\Roaming\Windows\DLLrunhost.exe
Filesize
413KB

MD5
aabcedbac7ad8b10993f6de878be1ba4

SHA1
be8ea58edc1e83ebf33fe0e87a29916e9c554426

SHA256
4466cd4392c0fa3c49979664630db1b607e129c858fd44507cf5fc6b5b9dd3ba

SHA512
5a2bb094997699335a149ca353dc5e98e66482aa9dadc52502068337760bbd65bd648b3935777f4424e9811705657bcd2eb38254d731d892256d578c1f1eaf66

Download Submit
memory/2288-1-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2288-2-0x0000000004D60000-0x0000000004DA0000-memory.dmp

Filesize
256KB

Download
memory/2288-0-0x0000000000D10000-0x0000000000D7E000-memory.dmp

Filesize
440KB

Download
memory/2288-13-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-10-0x0000000000AC0000-0x0000000000B2E000-memory.dmp

Filesize
440KB

Download
memory/2540-18-0x0000000004880000-0x00000000048C0000-memory.dmp

Filesize
256KB

Download
memory/2540-17-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-11-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-35-0x0000000074430000-0x0000000074B1E000-memory.dmp

Filesize
6.9MB

Download
memory/2540-12-0x0000000004880000-0x00000000048C0000-memory.dmp

Filesize
256KB

Download