quasar | 4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e

Analysis

max time kernel
147s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
01/05/2024, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe
Size

9.0MB
MD5

78c78748cab54dcf941633f5297c1bf6
SHA1

0c0ee5e0694315bc3813c95d8561056dd8831bee
SHA256

4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e
SHA512

d2212b83a7a4ca4d428cb200f45cc723f6f41485ffd7856f6eeba00f86996f584009e3f2fc5bb0230bfaa96e9c75ac08d3a0c56a07fa94b03b5b220e3e63458f
SSDEEP

49152:/D34Eaz/gdH5o3T8VNZXPkp33BbXh4cpybjPimb+GbZ16xViBGGxxedCCaU0Ddd9:/EsHiAKJxDhpYqemxkDTfgY

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes

encryption_key
534734397C0FA9A1D28F061AD75DF4100BFF5787
install_name
Msconfig.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4568-6-0x0000000000A00000-0x0000000000D24000-memory.dmp	family_quasar

Executes dropped EXE 4 IoCs

pid	Process
2636	Msconfig.exe
1156	msconfig.exe
4972	Msconfig.exe
4540	msconfig.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SubDir	vbc.exe
File created	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir	vbc.exe
File created	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\SubDir\Msconfig.exe	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4752 set thread context of 4568	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	81
PID 1156 set thread context of 2520	1156	msconfig.exe	92

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4988	schtasks.exe
3492	schtasks.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	vbc.exe
Token: SeDebugPrivilege	2520	vbc.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 4568	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	81
PID 4752 wrote to memory of 4568	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	81
PID 4752 wrote to memory of 4568	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	81
PID 4752 wrote to memory of 4568	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	81
PID 4752 wrote to memory of 4568	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	81
PID 4752 wrote to memory of 4568	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	81
PID 4752 wrote to memory of 4568	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	81
PID 4752 wrote to memory of 4568	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	81
PID 4752 wrote to memory of 4952	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	82
PID 4752 wrote to memory of 4952	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	82
PID 4752 wrote to memory of 4952	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	82
PID 4752 wrote to memory of 4932	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	84
PID 4752 wrote to memory of 4932	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	84
PID 4752 wrote to memory of 4932	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	84
PID 4932 wrote to memory of 4988	4932	cmd.exe	86
PID 4932 wrote to memory of 4988	4932	cmd.exe	86
PID 4932 wrote to memory of 4988	4932	cmd.exe	86
PID 4752 wrote to memory of 4716	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	87
PID 4752 wrote to memory of 4716	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	87
PID 4752 wrote to memory of 4716	4752	4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe	87
PID 4568 wrote to memory of 2636	4568	vbc.exe	89
PID 4568 wrote to memory of 2636	4568	vbc.exe	89
PID 4568 wrote to memory of 2636	4568	vbc.exe	89
PID 1156 wrote to memory of 2520	1156	msconfig.exe	92
PID 1156 wrote to memory of 2520	1156	msconfig.exe	92
PID 1156 wrote to memory of 2520	1156	msconfig.exe	92
PID 1156 wrote to memory of 2520	1156	msconfig.exe	92
PID 1156 wrote to memory of 2520	1156	msconfig.exe	92
PID 1156 wrote to memory of 2520	1156	msconfig.exe	92
PID 1156 wrote to memory of 2520	1156	msconfig.exe	92
PID 1156 wrote to memory of 2520	1156	msconfig.exe	92
PID 1156 wrote to memory of 2200	1156	msconfig.exe	93
PID 1156 wrote to memory of 2200	1156	msconfig.exe	93
PID 1156 wrote to memory of 2200	1156	msconfig.exe	93
PID 1156 wrote to memory of 2076	1156	msconfig.exe	95
PID 1156 wrote to memory of 2076	1156	msconfig.exe	95
PID 1156 wrote to memory of 2076	1156	msconfig.exe	95
PID 2076 wrote to memory of 3492	2076	cmd.exe	97
PID 2076 wrote to memory of 3492	2076	cmd.exe	97
PID 2076 wrote to memory of 3492	2076	cmd.exe	97
PID 1156 wrote to memory of 980	1156	msconfig.exe	98
PID 1156 wrote to memory of 980	1156	msconfig.exe	98
PID 1156 wrote to memory of 980	1156	msconfig.exe	98
PID 2520 wrote to memory of 4972	2520	vbc.exe	100
PID 2520 wrote to memory of 4972	2520	vbc.exe	100
PID 2520 wrote to memory of 4972	2520	vbc.exe	100

C:\Users\Admin\AppData\Local\Temp\4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe
"C:\Users\Admin\AppData\Local\Temp\4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\SubDir\Msconfig.exe
    "C:\Windows\system32\SubDir\Msconfig.exe"
    3⤵
    - Executes dropped EXE
    PID:2636
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
  2⤵
  PID:4952
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4988
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
  2⤵
  PID:4716

C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\SubDir\Msconfig.exe
    "C:\Windows\system32\SubDir\Msconfig.exe"
    3⤵
    - Executes dropped EXE
    PID:4972
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\msconfig"
  2⤵
  PID:2200
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3492
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe" "C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe"
  2⤵
  PID:980

C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe
1⤵
- Executes dropped EXE
PID:4540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msconfig.exe.log

Filesize
520B

MD5
197fd086992c5b5eb6157c9a3a975845

SHA1
0f91d80c561c3c9398dca480bccd2b97be7d3995

SHA256
3ed1b46e4594bb416a85f689348ecea7a74c7529a9997f116ada05d1430683c4

SHA512
2deb85a9ee1b4e99e9a3875ab6089da6fe7e6e502fc2eebf65e8c9de9e2fae79b07465f2c71b24739914952cd4d646b71ddca4adf602b4cafebff01e4a8a9ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Filesize
1KB

MD5
af5e7a69d40fa61fc5cbe8e47b94e6f2

SHA1
7a17838ce80aca637271aeed443fbd5c7b6ffd59

SHA256
0acb16fce2cbcab32c09856689e22bffeca7941433389f92a01dc612b4ae4a5f

SHA512
848c2ee685a3298dfa266d5bc070ff77a8513a2a14b71e834614850bc6144d5c15f17da9f80148b4f9d9a206a168c74aaa5574589da1fb7629e7fc3513db84d8

Download Submit
C:\Users\Admin\AppData\Roaming\msconfig\msconfig.exe

Filesize
9.0MB

MD5
78c78748cab54dcf941633f5297c1bf6

SHA1
0c0ee5e0694315bc3813c95d8561056dd8831bee

SHA256
4b3430ba8a4388133716b3747f00e9a98c99f37631aac98a03ff6bc8b674cf1e

SHA512
d2212b83a7a4ca4d428cb200f45cc723f6f41485ffd7856f6eeba00f86996f584009e3f2fc5bb0230bfaa96e9c75ac08d3a0c56a07fa94b03b5b220e3e63458f

Download Submit
C:\Windows\SysWOW64\SubDir\Msconfig.exe

Filesize
2.5MB

MD5
a731372e6f6978ce25617ae01b143351

SHA1
eab9863a3b7fe5ba2c916a5115c4f13d0984ff89

SHA256
19a3cfbc90e877df30e938fb55785ac3ba8e2e30a54ffbb5af6e0ec9430f9e4b

SHA512
4824c046c2b8370dc290ffbec0c2aa17a4cc22ed2b313e33d72e4aec5d01ab9e6e9676848752d37d95aafa9818f35b233bf70e7a84e0fa0106d22c5f07a38b0d

Download Submit
memory/4568-21-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/4568-6-0x0000000000A00000-0x0000000000D24000-memory.dmp

Filesize
3.1MB

Download
memory/4568-7-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/4568-8-0x0000000005320000-0x00000000053B2000-memory.dmp

Filesize
584KB

Download
memory/4568-9-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/4568-10-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/4752-14-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/4752-4-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/4752-0-0x000000007498E000-0x000000007498F000-memory.dmp

Filesize
4KB

Download
memory/4752-3-0x0000000074980000-0x0000000075131000-memory.dmp

Filesize
7.7MB

Download
memory/4752-2-0x00000000058D0000-0x0000000005E76000-memory.dmp

Filesize
5.6MB

Download
memory/4752-1-0x0000000000570000-0x000000000089C000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads