quasar | 0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe
Size

6.0MB
MD5

4d05ea664b21ab95e888f456afa1a7a8
SHA1

b4ddeb5b9c83cd8ff02004f52751d1298212a37c
SHA256

0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50
SHA512

05825d447257267ab9079f15f31565dc7bf88dc6293ccf9ca93bee67a63ef1a68ee29b5a54d33336a4864e326b90239fc34b13831e1243b1390a96f5214aad20
SSDEEP

98304:aBDvEtGdg2pgJTJSCYLCWcpc2tlbWvKUeR+T8u0:aBDt9gJTXYGWcRtlivOA

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes

encryption_key
534734397C0FA9A1D28F061AD75DF4100BFF5787
install_name
Msconfig.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral1/memory/440-8-0x0000000000E50000-0x0000000001174000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
1440	mstools.exe
3052	mstools.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2868 set thread context of 440	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	87
PID 1440 set thread context of 4296	1440	mstools.exe	97
PID 3052 set thread context of 916	3052	mstools.exe	106

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2680	schtasks.exe
5040	schtasks.exe
404	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	440	vbc.exe
Token: SeDebugPrivilege	4296	vbc.exe
Token: SeDebugPrivilege	916	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
440	vbc.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 440	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	87
PID 2868 wrote to memory of 440	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	87
PID 2868 wrote to memory of 440	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	87
PID 2868 wrote to memory of 440	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	87
PID 2868 wrote to memory of 440	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	87
PID 2868 wrote to memory of 440	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	87
PID 2868 wrote to memory of 440	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	87
PID 2868 wrote to memory of 440	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	87
PID 2868 wrote to memory of 4872	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	88
PID 2868 wrote to memory of 4872	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	88
PID 2868 wrote to memory of 4872	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	88
PID 2868 wrote to memory of 3108	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	90
PID 2868 wrote to memory of 3108	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	90
PID 2868 wrote to memory of 3108	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	90
PID 3108 wrote to memory of 2680	3108	cmd.exe	92
PID 3108 wrote to memory of 2680	3108	cmd.exe	92
PID 3108 wrote to memory of 2680	3108	cmd.exe	92
PID 2868 wrote to memory of 4116	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	93
PID 2868 wrote to memory of 4116	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	93
PID 2868 wrote to memory of 4116	2868	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	93
PID 1440 wrote to memory of 4296	1440	mstools.exe	97
PID 1440 wrote to memory of 4296	1440	mstools.exe	97
PID 1440 wrote to memory of 4296	1440	mstools.exe	97
PID 1440 wrote to memory of 4296	1440	mstools.exe	97
PID 1440 wrote to memory of 4296	1440	mstools.exe	97
PID 1440 wrote to memory of 4296	1440	mstools.exe	97
PID 1440 wrote to memory of 4296	1440	mstools.exe	97
PID 1440 wrote to memory of 4296	1440	mstools.exe	97
PID 1440 wrote to memory of 3612	1440	mstools.exe	98
PID 1440 wrote to memory of 3612	1440	mstools.exe	98
PID 1440 wrote to memory of 3612	1440	mstools.exe	98
PID 1440 wrote to memory of 2212	1440	mstools.exe	100
PID 1440 wrote to memory of 2212	1440	mstools.exe	100
PID 1440 wrote to memory of 2212	1440	mstools.exe	100
PID 2212 wrote to memory of 5040	2212	cmd.exe	102
PID 2212 wrote to memory of 5040	2212	cmd.exe	102
PID 2212 wrote to memory of 5040	2212	cmd.exe	102
PID 1440 wrote to memory of 840	1440	mstools.exe	103
PID 1440 wrote to memory of 840	1440	mstools.exe	103
PID 1440 wrote to memory of 840	1440	mstools.exe	103
PID 3052 wrote to memory of 916	3052	mstools.exe	106
PID 3052 wrote to memory of 916	3052	mstools.exe	106
PID 3052 wrote to memory of 916	3052	mstools.exe	106
PID 3052 wrote to memory of 916	3052	mstools.exe	106
PID 3052 wrote to memory of 916	3052	mstools.exe	106
PID 3052 wrote to memory of 916	3052	mstools.exe	106
PID 3052 wrote to memory of 916	3052	mstools.exe	106
PID 3052 wrote to memory of 916	3052	mstools.exe	106
PID 3052 wrote to memory of 1300	3052	mstools.exe	107
PID 3052 wrote to memory of 1300	3052	mstools.exe	107
PID 3052 wrote to memory of 1300	3052	mstools.exe	107
PID 3052 wrote to memory of 4392	3052	mstools.exe	109
PID 3052 wrote to memory of 4392	3052	mstools.exe	109
PID 3052 wrote to memory of 4392	3052	mstools.exe	109
PID 4392 wrote to memory of 404	4392	cmd.exe	111
PID 4392 wrote to memory of 404	4392	cmd.exe	111
PID 4392 wrote to memory of 404	4392	cmd.exe	111
PID 3052 wrote to memory of 5036	3052	mstools.exe	112
PID 3052 wrote to memory of 5036	3052	mstools.exe	112
PID 3052 wrote to memory of 5036	3052	mstools.exe	112

C:\Users\Admin\AppData\Local\Temp\0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe
"C:\Users\Admin\AppData\Local\Temp\0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:440
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\mstools"
  2⤵
  PID:4872
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe" "C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe"
  2⤵
  PID:4116

C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe
C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4296
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\mstools"
  2⤵
  PID:3612
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:5040
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe" "C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe"
  2⤵
  PID:840

C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe
C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\mstools"
  2⤵
  PID:1300
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:404
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe" "C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe"
  2⤵
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mstools.exe.log

Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Filesize
1KB

MD5
df27a876383bd81dfbcb457a9fa9f09d

SHA1
1bbc4ab95c89d02ec1d217f0255205787999164e

SHA256
8940500d6f057583903fde1af0287e27197410415639fc69beb39475fa5240dc

SHA512
fe68271375002cfcf8585c92b948ae47cd1632919c43db4bc738e2bc85ceea6dd30880dba27df9c3317531f1017624d4bd8979e6c5fad58112c7aa1189f0b844

Download Submit
C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe

Filesize
6.0MB

MD5
4d05ea664b21ab95e888f456afa1a7a8

SHA1
b4ddeb5b9c83cd8ff02004f52751d1298212a37c

SHA256
0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50

SHA512
05825d447257267ab9079f15f31565dc7bf88dc6293ccf9ca93bee67a63ef1a68ee29b5a54d33336a4864e326b90239fc34b13831e1243b1390a96f5214aad20

Download Submit
memory/440-9-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/440-24-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/440-25-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/440-7-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/440-8-0x0000000000E50000-0x0000000001174000-memory.dmp

Filesize
3.1MB

Download
memory/440-20-0x0000000007770000-0x00000000077AC000-memory.dmp

Filesize
240KB

Download
memory/440-12-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/440-21-0x0000000007820000-0x0000000007886000-memory.dmp

Filesize
408KB

Download
memory/440-14-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/440-16-0x0000000006690000-0x0000000006CA8000-memory.dmp

Filesize
6.1MB

Download
memory/440-17-0x0000000006130000-0x0000000006180000-memory.dmp

Filesize
320KB

Download
memory/440-18-0x00000000063A0000-0x0000000006452000-memory.dmp

Filesize
712KB

Download
memory/440-19-0x0000000006370000-0x0000000006382000-memory.dmp

Filesize
72KB

Download
memory/2868-5-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2868-15-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2868-0-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/2868-4-0x000000007448E000-0x000000007448F000-memory.dmp

Filesize
4KB

Download
memory/2868-3-0x0000000074480000-0x0000000074C30000-memory.dmp

Filesize
7.7MB

Download
memory/2868-2-0x0000000005AA0000-0x0000000006044000-memory.dmp

Filesize
5.6MB

Download
memory/2868-1-0x0000000000780000-0x0000000000AAC000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads