quasar | 0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50

Analysis

max time kernel
138s
max time network
137s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
01-05-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe
Size

6.0MB
MD5

4d05ea664b21ab95e888f456afa1a7a8
SHA1

b4ddeb5b9c83cd8ff02004f52751d1298212a37c
SHA256

0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50
SHA512

05825d447257267ab9079f15f31565dc7bf88dc6293ccf9ca93bee67a63ef1a68ee29b5a54d33336a4864e326b90239fc34b13831e1243b1390a96f5214aad20
SSDEEP

98304:aBDvEtGdg2pgJTJSCYLCWcpc2tlbWvKUeR+T8u0:aBDt9gJTXYGWcRtlivOA

Score

10^/10

quasar office04 spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

93.123.85.108:4782

Mutex

e14b8f59-979b-4ebf-8602-dd3c4d6c301e

Attributes

encryption_key
534734397C0FA9A1D28F061AD75DF4100BFF5787
install_name
Msconfig.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 1 IoCs

resource	yara_rule
behavioral2/memory/4436-6-0x0000000000940000-0x0000000000C64000-memory.dmp	family_quasar

Executes dropped EXE 2 IoCs

pid	Process
1480	mstools.exe
4468	mstools.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2852 set thread context of 4436	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	80
PID 1480 set thread context of 1352	1480	mstools.exe	90
PID 4468 set thread context of 2064	4468	mstools.exe	99

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5056	schtasks.exe
4864	schtasks.exe
2368	schtasks.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4436	vbc.exe
Token: SeDebugPrivilege	1352	vbc.exe
Token: SeDebugPrivilege	2064	vbc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4436	vbc.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 4436	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	80
PID 2852 wrote to memory of 4436	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	80
PID 2852 wrote to memory of 4436	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	80
PID 2852 wrote to memory of 4436	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	80
PID 2852 wrote to memory of 4436	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	80
PID 2852 wrote to memory of 4436	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	80
PID 2852 wrote to memory of 4436	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	80
PID 2852 wrote to memory of 4436	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	80
PID 2852 wrote to memory of 3700	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	81
PID 2852 wrote to memory of 3700	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	81
PID 2852 wrote to memory of 3700	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	81
PID 2852 wrote to memory of 4440	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	83
PID 2852 wrote to memory of 4440	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	83
PID 2852 wrote to memory of 4440	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	83
PID 4440 wrote to memory of 5056	4440	cmd.exe	85
PID 4440 wrote to memory of 5056	4440	cmd.exe	85
PID 4440 wrote to memory of 5056	4440	cmd.exe	85
PID 2852 wrote to memory of 4956	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	86
PID 2852 wrote to memory of 4956	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	86
PID 2852 wrote to memory of 4956	2852	0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe	86
PID 1480 wrote to memory of 1352	1480	mstools.exe	90
PID 1480 wrote to memory of 1352	1480	mstools.exe	90
PID 1480 wrote to memory of 1352	1480	mstools.exe	90
PID 1480 wrote to memory of 1352	1480	mstools.exe	90
PID 1480 wrote to memory of 1352	1480	mstools.exe	90
PID 1480 wrote to memory of 1352	1480	mstools.exe	90
PID 1480 wrote to memory of 1352	1480	mstools.exe	90
PID 1480 wrote to memory of 1352	1480	mstools.exe	90
PID 1480 wrote to memory of 1388	1480	mstools.exe	91
PID 1480 wrote to memory of 1388	1480	mstools.exe	91
PID 1480 wrote to memory of 1388	1480	mstools.exe	91
PID 1480 wrote to memory of 1704	1480	mstools.exe	93
PID 1480 wrote to memory of 1704	1480	mstools.exe	93
PID 1480 wrote to memory of 1704	1480	mstools.exe	93
PID 1704 wrote to memory of 4864	1704	cmd.exe	95
PID 1704 wrote to memory of 4864	1704	cmd.exe	95
PID 1704 wrote to memory of 4864	1704	cmd.exe	95
PID 1480 wrote to memory of 3848	1480	mstools.exe	96
PID 1480 wrote to memory of 3848	1480	mstools.exe	96
PID 1480 wrote to memory of 3848	1480	mstools.exe	96
PID 4468 wrote to memory of 2064	4468	mstools.exe	99
PID 4468 wrote to memory of 2064	4468	mstools.exe	99
PID 4468 wrote to memory of 2064	4468	mstools.exe	99
PID 4468 wrote to memory of 2064	4468	mstools.exe	99
PID 4468 wrote to memory of 2064	4468	mstools.exe	99
PID 4468 wrote to memory of 2064	4468	mstools.exe	99
PID 4468 wrote to memory of 2064	4468	mstools.exe	99
PID 4468 wrote to memory of 2064	4468	mstools.exe	99
PID 4468 wrote to memory of 1128	4468	mstools.exe	100
PID 4468 wrote to memory of 1128	4468	mstools.exe	100
PID 4468 wrote to memory of 1128	4468	mstools.exe	100
PID 4468 wrote to memory of 3084	4468	mstools.exe	102
PID 4468 wrote to memory of 3084	4468	mstools.exe	102
PID 4468 wrote to memory of 3084	4468	mstools.exe	102
PID 3084 wrote to memory of 2368	3084	cmd.exe	104
PID 3084 wrote to memory of 2368	3084	cmd.exe	104
PID 3084 wrote to memory of 2368	3084	cmd.exe	104
PID 4468 wrote to memory of 1092	4468	mstools.exe	105
PID 4468 wrote to memory of 1092	4468	mstools.exe	105
PID 4468 wrote to memory of 1092	4468	mstools.exe	105

C:\Users\Admin\AppData\Local\Temp\0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe
"C:\Users\Admin\AppData\Local\Temp\0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4436
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\mstools"
  2⤵
  PID:3700
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:5056
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50.exe" "C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe"
  2⤵
  PID:4956

C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe
C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1352
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\mstools"
  2⤵
  PID:1388
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4864
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe" "C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe"
  2⤵
  PID:3848

C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe
C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C mkdir "C:\Users\Admin\AppData\Local\Temp\mstools"
  2⤵
  PID:1128
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe" "C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe"
  2⤵
  PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mstools.exe.log

Filesize
520B

MD5
197fd086992c5b5eb6157c9a3a975845

SHA1
0f91d80c561c3c9398dca480bccd2b97be7d3995

SHA256
3ed1b46e4594bb416a85f689348ecea7a74c7529a9997f116ada05d1430683c4

SHA512
2deb85a9ee1b4e99e9a3875ab6089da6fe7e6e502fc2eebf65e8c9de9e2fae79b07465f2c71b24739914952cd4d646b71ddca4adf602b4cafebff01e4a8a9ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vbc.exe.log

Filesize
1KB

MD5
af5e7a69d40fa61fc5cbe8e47b94e6f2

SHA1
7a17838ce80aca637271aeed443fbd5c7b6ffd59

SHA256
0acb16fce2cbcab32c09856689e22bffeca7941433389f92a01dc612b4ae4a5f

SHA512
848c2ee685a3298dfa266d5bc070ff77a8513a2a14b71e834614850bc6144d5c15f17da9f80148b4f9d9a206a168c74aaa5574589da1fb7629e7fc3513db84d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mstools\mstools.exe

Filesize
6.0MB

MD5
4d05ea664b21ab95e888f456afa1a7a8

SHA1
b4ddeb5b9c83cd8ff02004f52751d1298212a37c

SHA256
0ad767569575baeeba2c76169fe9389b805364dd3a71e5e8d818dea5a94acc50

SHA512
05825d447257267ab9079f15f31565dc7bf88dc6293ccf9ca93bee67a63ef1a68ee29b5a54d33336a4864e326b90239fc34b13831e1243b1390a96f5214aad20

Download Submit
memory/2852-13-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2852-1-0x0000000000750000-0x0000000000A7C000-memory.dmp

Filesize
3.2MB

Download
memory/2852-2-0x0000000005C80000-0x0000000006226000-memory.dmp

Filesize
5.6MB

Download
memory/2852-3-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2852-4-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/2852-0-0x000000007513E000-0x000000007513F000-memory.dmp

Filesize
4KB

Download
memory/4436-14-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/4436-9-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/4436-15-0x0000000006430000-0x0000000006A48000-memory.dmp

Filesize
6.1MB

Download
memory/4436-16-0x0000000005E60000-0x0000000005EB0000-memory.dmp

Filesize
320KB

Download
memory/4436-17-0x00000000060B0000-0x0000000006162000-memory.dmp

Filesize
712KB

Download
memory/4436-20-0x0000000007430000-0x0000000007442000-memory.dmp

Filesize
72KB

Download
memory/4436-21-0x0000000007490000-0x00000000074CC000-memory.dmp

Filesize
240KB

Download
memory/4436-22-0x0000000007540000-0x00000000075A6000-memory.dmp

Filesize
408KB

Download
memory/4436-8-0x00000000052B0000-0x0000000005342000-memory.dmp

Filesize
584KB

Download
memory/4436-25-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download
memory/4436-6-0x0000000000940000-0x0000000000C64000-memory.dmp

Filesize
3.1MB

Download
memory/4436-7-0x0000000075130000-0x00000000758E1000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads